Magic link is an easy and secure authentication method which doesn’t require creating accounts or managing passwords. A typical use case is when we already store users' email addresses (e.g. customers who have already placed orders in the system) but don’t want to bother them too much (and it's usually a good idea not to bother the user 😉).
Key benefits of magic links include:
- Enhanced user experience since the user doesn’t have to remember or reset a password.
- Enhanced security since there's no password to be compromised.
Authentication flow

The flow of authenticating with a magic link consists of the following steps:
- User visits the app and fills in the login form, which has only one input field (email address). The success message says: "A login link has been sent to you. Check your inbox. The link will be valid for X minutes."
- User receives a message with the link. The link has a query parameter: a random alphanumeric token required for one-time logging in, e.g. https://mywebsite.pl/gateway?token=8376492005b669c174ce73f7f227ab9c
- The link brings the user back to the app and logs him or her in.
What’s important regarding the token
To consider our authentication method secure, we must follow a few rules.
Disposable
A token must be marked as used after logging in, and there must be a validation step that rejects any attempt to use it again. We don’t want someone unauthorized to steal it and reuse it.
Strong and unique
A token must be long and random enough that it cannot be guessed. Each token must be unique and linked to a specific user.
Time-limited
There must be a time frame within which a token may be used. We don’t want someone unauthorized to steal and use an abandoned token.
Rate-limited
There must be a limit on how frequently a user can ask the gateway to validate tokens. This prevents brute-force attacks.
Email protection software - why do you need to think about it?
That was a case I needed to deal with in one project. There was a group of users who had enhanced security software built into their email clients. The software was visiting magic links before the users did. As a consequence, the tokens were already used, so the users couldn’t log in.
Solution? I added an extra step: the user was simply required to press a button (like "Yes, I’m a human, please log me in!"). Users pressed the button; the software never did.
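The following is an added example (not code from the original post) that puts the four token rules and the "press a button" step together in one small gateway. The token is stored only as a SHA-256 digest, the GET that renders the confirmation page checks the token without consuming it, and only the POST behind the button marks it used; the TTL, the rate-limit window and the attempt count are assumed values.

```python
import hashlib
import secrets
import time

TOKEN_TTL_SECONDS = 15 * 60       # the "valid for X minutes" from the email; 15 is an assumed value
RATE_WINDOW_SECONDS = 60          # assumed rate-limit window
MAX_ATTEMPTS_PER_WINDOW = 5       # assumed validation attempts per client per window


def _digest(token: str) -> str:
    # Only the hash is stored, so a leaked table does not hand out usable links,
    # and looking up a hash avoids timing leaks on the raw token.
    return hashlib.sha256(token.encode()).hexdigest()


class MagicLinkGateway:
    def __init__(self, clock=time.time):
        self.clock = clock            # injectable clock so expiry can be tested
        self.tokens = {}              # sha256(token) -> {"email", "expires", "used"}
        self.attempts = {}            # client id (e.g. IP) -> timestamps of validation attempts

    def issue(self, email: str) -> str:
        """Create a strong, unique, time-limited token bound to one email."""
        token = secrets.token_hex(16)   # 128 random bits, 32 hex chars like the link in the post
        self.tokens[_digest(token)] = {
            "email": email, "expires": self.clock() + TOKEN_TTL_SECONDS, "used": False}
        return token

    def _rate_limited(self, client: str) -> bool:
        now = self.clock()
        recent = [t for t in self.attempts.get(client, []) if now - t < RATE_WINDOW_SECONDS]
        recent.append(now)
        self.attempts[client] = recent
        return len(recent) > MAX_ATTEMPTS_PER_WINDOW

    def check(self, token: str, client: str, consume: bool):
        """Return (ok, email_or_reason). The GET that shows the 'I'm a human' button calls
        this with consume=False; only the POST from the button uses consume=True, so a
        link-scanner that merely follows the URL cannot burn the token."""
        if self._rate_limited(client):
            return False, "rate-limited"
        record = self.tokens.get(_digest(token))
        if record is None:
            return False, "unknown"
        if record["used"]:
            return False, "already-used"      # disposable: a second use is rejected, not silently accepted
        if self.clock() > record["expires"]:
            return False, "expired"
        if consume:
            record["used"] = True             # kept, not deleted, so replay attempts are visible in logs
        return True, record["email"]
```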