Magic link
SecureAuth Connect magic link authentication lets users sign in by clicking a one-time link sent to their email. The user enters their email address, receives a link, clicks it, and is authenticated. No password or code entry required.
Magic link is an API-driven integration. Unlike other authentication methods in SecureAuth Connect, there is no UI toggle to enable magic links. Your application generates the link using the SecureAuth API and delivers it to the user.
Use cases
Magic link fits when you want the lowest-friction email-based sign-in experience.
- Consumer apps (B2C): Users click one link instead of copying and pasting a code. Reduces drop-off compared to OTP flows.
- Email-first onboarding: New users can authenticate with just their email address. No password to create, no app to install.
- Transactional access: Send a magic link in a notification email (for example, "Review your order") that authenticates the user and takes them directly to the relevant page.
- Low-frequency users: Users who sign in rarely don't need to remember a password or keep an authenticator app configured.
Magic link is not the best fit when email delivery is unreliable (delayed by spam filters or corporate email gateways), when users need to sign in on a different device than the one receiving the email, or when your security policy requires a stronger factor like passkeys or TOTP.
How magic link works
Magic link uses the SecureAuth Generate Code API and the OAuth authorization code flow. Your application handles the link generation and delivery.
1. The user enters their email address on your sign-in page.
2. Your application calls the Generate Code API with type=authentication.
3. SecureAuth returns a code (plain text) and an extended_code (URL-safe base64-encoded user identifier + verification code).

   ```bash
   # Generate an authentication code for the user
   curl -X POST "https://$TENANT.$REGION.connect.secureauth.com/api/identity/$TENANT/pools/$POOL_ID/users/$USER_ID/codes" \
     -H "Authorization: Bearer $ACCESS_TOKEN" \
     -H "Content-Type: application/json" \
     -d '{"type": "authentication"}'
   # Response includes: { "code": "123456", "extended_code": "base64..." }
   ```

4. Your application embeds the extended_code in a link and sends it to the user by email.
5. The user clicks the link.
6. Your application sends the extended_code to the SecureAuth OAuth authorize endpoint as the authentication_code parameter.

   ```bash
   # After the user clicks the magic link, start authorization with the extended code
   curl --get "https://$TENANT.$REGION.connect.secureauth.com/$TENANT/$WORKSPACE/oauth2/authorize" \
     --data-urlencode "response_type=code" \
     --data-urlencode "client_id=$CLIENT_ID" \
     --data-urlencode "authentication_code=$EXTENDED_CODE"
   ```

7. SecureAuth validates the code and skips the standard authentication prompt.
8. The user is redirected through consent and receives an authorization code.
Why extended code instead of plain code
The extended_code is a URL-safe base64-encoded combination of the user identifier and the verification code. SecureAuth needs this because the /authorize request does not include a username. The extended code tells SecureAuth both who the user is and what code they are presenting.
Using the plain code would require the user to type it manually on a verification screen. The extended_code in a clickable link is the better experience – one click instead of copy-paste.
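The following sketch covers the application side of the link-building and link-click steps described above: it embeds the extended_code in a link, then validates the value that comes back before forwarding it to the authorize endpoint with the same three parameters as the request shown earlier. It is an added example, not SecureAuth code; the landing URL, the `c` query parameter, the tenant, region and workspace values, and the length bound and optional padding are assumptions of this example.

```python
import re
from urllib.parse import urlencode, urlsplit, parse_qs

# Constructed placeholder values; substitute your own tenant, region and workspace.
TENANT, REGION, WORKSPACE = "example-tenant", "us", "default"
AUTHORIZE_URL = (
    f"https://{TENANT}.{REGION}.connect.secureauth.com/{TENANT}/{WORKSPACE}/oauth2/authorize"
)

# URL-safe base64 alphabet with optional padding. The 512-character bound is an
# assumption of this example, not a documented limit.
_EXTENDED_CODE_RE = re.compile(r"[A-Za-z0-9_-]{1,512}={0,2}")


def build_magic_link(landing_url: str, extended_code: str) -> str:
    """Return the link to email. `landing_url` and the `c` parameter are hypothetical."""
    if not landing_url.startswith("https://"):
        raise ValueError("magic links must use https")
    if not _EXTENDED_CODE_RE.fullmatch(extended_code):
        raise ValueError("extended_code is not URL-safe base64")
    return f"{landing_url}?{urlencode({'c': extended_code})}"


def authorize_url_from_click(clicked_url: str, client_id: str) -> str:
    """Turn the clicked link into the /authorize request from the flow above."""
    values = parse_qs(urlsplit(clicked_url).query).get("c", [])
    # Exactly one well-formed value: reject missing or duplicated parameters.
    if len(values) != 1 or not _EXTENDED_CODE_RE.fullmatch(values[0]):
        raise ValueError("missing or malformed code in magic link")
    params = {
        "response_type": "code",
        "client_id": client_id,
        "authentication_code": values[0],
    }
    return f"{AUTHORIZE_URL}?{urlencode(params)}"


def redact(url: str) -> str:
    """Drop the query string before logging; the code in it is a sign-in credential."""
    return urlsplit(url)._replace(query="", fragment="").geturl()
```

Pass every clicked URL through `redact` before it reaches access logs or error reports, since anyone holding the unredacted link can present the code.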
Implement magic links
For step-by-step implementation instructions, see Integrate sign-in pages for passwordless authentication. That guide covers:
- Registering a client application
- Obtaining an access token for the Identity System API
- Constructing the magic link URL with the extended code
- Handling the OAuth callback after authentication
Prerequisites
- A registered client application in your workspace
- Access to the Identity System API to generate codes
- An email delivery mechanism in your application (SecureAuth does not send the magic link email – your application does)