Authenticate a User given a Magic Link. This endpoint verifies that the Magic Link token is valid, hasn't expired or been previously used, and any optional security settings such as IP match or user agent match are satisfied.
Authenticate Magic Link
POST
https://test.stytch.com/v1/magic_links/authenticateBody parameters
token* string
The Magic Link token from the ?token= query parameter in the URL.
The redirect URL will look like https://example.com/authenticate?stytch_token_type=magic_links&token=rM_kw42CWBhsHLF62V75jELMbvJ87njMe3tFVj7Qupu7
In the redirect URL, the stytch_token_type will be magic_link. See here for more detail.
options object
Specify optional security settings.
ip_match_required boolean
Require that the IP address the Magic Link was requested from matches the IP address it's clicked from.
user_agent_match_required boolean
Require that the user agent the Magic Link was requested from matches the user agent it's clicked from.
attributes object
Provided attributes to help with fraud detection. These values are pulled and passed into Stytch endpoints by your application.
ip_address string
The IP address of the client.
user_agent string
The user agent of the client.
session_duration_minutes int
Set the session lifetime to be this many minutes from now. This will start a new session if one doesn't already exist, returning both an opaque session_token and session_jwt for this session. Remember that the session_jwt will have a fixed lifetime of five minutes regardless of the underlying session duration, and will need to be refreshed over time.
This value must be a minimum of 5 and a maximum of 527040 minutes (366 days).
If a session_token or session_jwt is provided then a successful authentication will continue to extend the session this many minutes.
If the session_duration_minutes parameter is not specified, a Stytch session will not be created.
session_custom_claims map<string, any>
Add a custom claims map to the Session being authenticated. Claims are only created if a Session is initialized by providing a value in session_duration_minutes. Claims will be included on the Session object and in the JWT. To update a key in an existing Session, supply a new value. To delete a key, supply a null value.
Custom claims made with reserved claims ("iss", "sub", "aud", "exp", "nbf", "iat", "jti") will be ignored. Total custom claims size cannot exceed four kilobytes.
session_jwt string
The session_jwt associated with a User's existing Session.
session_token string
The session_token associated with a User's existing Session.
code_verifier string
A base64url encoded one time secret used to validate that the request starts and ends on the same device.
telemetry_id string
If the telemetry_id is passed, as part of this request, Stytch will call the Fingerprint Lookup API and store the associated fingerprints and IPGEO information for the User. Your workspace must be enabled for Device Fingerprinting to use this feature.
Response fields
status_code int
The HTTP status code of the response. Stytch follows standard HTTP response status code patterns, e.g. 2XX values equate to success, 3XX values are redirects, 4XX are client errors, and 5XX are server errors.
request_id string
Globally unique UUID that is returned with every API call. This value is important to log for debugging purposes; we may ask for this value to help identify a specific API call when helping you debug an issue.
method_id string
The email_id or phone_id involved in the given authentication.
reset_sessions boolean
Indicates if all other of the User's Sessions need to be reset. You should check this field if you aren't using Stytch's Session product. If you are using Stytch's Session product, we revoke the User's other sessions for you.
session object
If you initiate a Session, by including session_duration_minutes in your authenticate call, you'll receive a full Session object in the response.
See Session object for complete response fields.
session_id string
A unique identifier for a specific Session.
user_id string
The unique ID of the affected User.
authentication_factors array[objects]
An array of different authentication factors that comprise a Session.
started_at string
The timestamp when the Session was created. Values conform to the RFC 3339 standard and are expressed in UTC, e.g. 2021-12-29T12:33:09Z.
last_accessed_at string
The timestamp when the Session was last accessed. Values conform to the RFC 3339 standard and are expressed in UTC, e.g. 2021-12-29T12:33:09Z.
expires_at string
The timestamp when the Session expires. Values conform to the RFC 3339 standard and are expressed in UTC, e.g. 2021-12-29T12:33:09Z.
attributes object
Provided attributes help with fraud detection.
ip_address string
The IP address of the user.
user_agent string
The user agent of the User.
custom_claims map<string, any>
The custom claims map for a Session. Claims can be added to a session during a Sessions authenticate call.
session_jwt string
The JSON Web Token (JWT) for a given Stytch Session.
session_token string
A secret token for a given Stytch Session.
user object
The user object affected by this API call. See the Get user endpoint for complete response field details.
user_id string
The unique ID of the affected User.
status_code int
The HTTP status code of the response. Stytch follows standard HTTP response status code patterns, e.g. 2XX values equate to success, 3XX values are redirects, 4XX are client errors, and 5XX are server errors.
request_id string
Globally unique UUID that is returned with every API call. This value is important to log for debugging purposes; we may ask for this value to help identify a specific API call when helping you debug an issue.
name object
The name of the User. Each field in the name object is optional.
first_name string
The first name of the user.
middle_name string
The middle name(s) of the user.
last_name string
The last name of the user.
trusted_metadata object
The trusted_metadata field contains an arbitrary JSON object of application-specific data. See the Metadata reference for complete field behavior details.
untrusted_metadata object
The untrusted_metadata field contains an arbitrary JSON object of application-specific data. Untrusted metadata can be edited by end users directly via the SDK, and cannot be used to store critical information. See the Metadata reference for complete field behavior details.
emails array[objects]
An array of email objects for the User.
email_id string
The unique ID of a specific email address.
email string
The email address.
verified boolean
The verified boolean denotes whether or not this send method, e.g. phone number, email address, etc., has been successfully authenticated by the User.
phone_numbers array[objects]
An array of phone number objects linked to the User.
phone_id string
The unique ID for the phone number.
phone_number string
The phone number.
verified boolean
The verified boolean denotes whether or not this send method, e.g. phone number, email address, etc., has been successfully authenticated by the User.
providers array[objects]
An array of OAuth provider objects linked to the User.
oauth_user_registration_id string
The unique ID for an OAuth registration.
provider_subject string
The unique identifier for the User within a given OAuth provider. Also commonly called the "sub" or "Subject field" in OAuth protocols.
provider_type string
Denotes the OAuth identity provider that the user has authenticated with, e.g. Google, Facebook, GitHub etc.
profile_picture_url string
If available, the profile_picture_url is a url of the User's profile picture set in OAuth identity the provider that the User has authenticated with, e.g. Facebook profile picture.
locale string
If available, the locale is the User's locale set in the OAuth identity provider that the user has authenticated with.
webauthn_registrations array[objects]
An array that contains a list of all Passkey or WebAuthn registrations for a given User in the Stytch API.
webauthn_registration_id string
The unique ID for the Passkey or WebAuthn registration.
domain string
The domain on which Passkey or WebAuthn registration was started. This will be the domain of your app.
user_agent string
The user agent of the User.
authenticator_type string
The authenticator_type string displays the requested authenticator type of the Passkey or WebAuthn device. The two valid types are "platform" and "cross-platform". If no value is present, the Passkey or WebAuthn device was created without an authenticator type preference.
verified boolean
The verified boolean denotes whether or not this send method, e.g. phone number, email address, etc., has been successfully authenticated by the User.
name string
The name of the Passkey or WebAuthn registration.
biometric_registrations array[objects]
An array that contains a list of all biometric registrations for a given User in the Stytch API.
biometric_registration_id string
The unique ID for a biometric registration.
verified boolean
The verified boolean denotes whether or not this send method, e.g. phone number, email address, etc., has been successfully authenticated by the User.
totps array[objects]
An array containing a list of all TOTP instances for a given User in the Stytch API.
totp_id string
The unique ID for a TOTP instance.
verified boolean
The verified boolean denotes whether or not this send method, e.g. phone number, email address, etc., has been successfully authenticated by the User.
crypto_wallets array[objects]
An array contains a list of all crypto wallets for a given User in the Stytch API.
crypto_wallet_id string
The unique ID for a crypto wallet
crypto_wallet_address string
The actual blockchain address of the User's crypto wallet.
crypto_wallet_type string
The blockchain that the User's crypto wallet operates on, e.g. Ethereum, Solana, etc.
verified boolean
The verified boolean denotes whether or not this send method, e.g. phone number, email address, etc., has been successfully authenticated by the User.
password object
The password object is returned for users with a password.
password_id string
The unique ID of a specific password
requires_reset boolean
Indicates whether this password requires a password reset
roles array[strings]
Roles assigned to this User. See the RBAC guide for more information about role assignment.
created_at string
The timestamp of the User's creation. Values conform to the RFC 3339 standard and are expressed in UTC, e.g. 2021-12-29T12:33:09Z.
status string
The status of the User. The possible values are pending and active.
user_id string
The unique ID of the affected User.
user_device object
If a valid telemetry_id was passed in the request and the Fingerprint Lookup API returned results, the user_device response field will contain information about the user's device attributes.
visitor_id string
The visitor_id (a unique identifier) of the user's device. See the Device Fingerprinting documentation for more details on the visitor_id.
visitor_id_details object
Information about the visitor_id.
is_new boolean
Whether this visitor_id has been seen before for this user.
first_seen_at string
When this visitor_id was first seen for this user. Values conform to the RFC 3339 standard and are expressed in UTC, e.g. 2021-12-29T12:33:09Z.
last_seen_at string
When this visitor_id was last seen for this user. Values conform to the RFC 3339 standard and are expressed in UTC, e.g. 2021-12-29T12:33:09Z.
ip_address string
The IP address of the user's device.
ip_address_details object
Information about the ip_address.
is_new boolean
Whether this ip_address has been seen before for this user.
first_seen_at string
When this ip_address was first seen for this user. Values conform to the RFC 3339 standard and are expressed in UTC, e.g. 2021-12-29T12:33:09Z.
last_seen_at string
When this ip_address was last seen for this user. Values conform to the RFC 3339 standard and are expressed in UTC, e.g. 2021-12-29T12:33:09Z.
ip_geo_country string
The country code where the IP address is located.
ip_geo_country_details object
Information about the ip_geo_country.
is_new boolean
Whether this ip_geo_country has been seen before for this user.
first_seen_at string
When this ip_geo_country was first seen for this user. Values conform to the RFC 3339 standard and are expressed in UTC, e.g. 2021-12-29T12:33:09Z.
last_seen_at string
When this ip_geo_country was last seen for this user. Values conform to the RFC 3339 standard and are expressed in UTC, e.g. 2021-12-29T12:33:09Z.
ip_geo_city string
The city where the IP address is located.
ip_geo_region string
The region where the IP address is located.
const stytch = require('stytch');
const client = new stytch.Client({
project_id: 'PROJECT_ID',
secret: 'SECRET',
});
const params = {
token: "SeiGwdj5lKkrEVgcEY3QNJXt6srxS3IK2Nwkar6mXD4=",
session_duration_minutes: 60,
};
client.magicLinks.authenticate(params)
.then(resp => { console.log(resp) })
.catch(err => { console.log(err) });RESPONSE 200
200
{
"method_id": "email-test-81bf03a8-86e1-4d95-bd44-bb3495224953",
"request_id": "request-id-test-b05c992f-ebdc-489d-a754-c7e70ba13141",
"reset_sessions": false,
"session": "{...}",
"session_token": "mZAYn5aLEqKUlZ_Ad9U_fWr38GaAQ1oFAhT8ds245v7Q",
"session_jwt": "eyJ...",
"status_code": 200,
"user": {...},
"user_id": "user-test-16d9ba61-97a1-4ba4-9720-b03761dc50c6"
}RESPONSE 400
200
{
"status_code": 400,
"request_id": "request-id-test-b05c992f-ebdc-489d-a754-c7e70ba13141",
"error_type": "invalid_user_id",
"error_message": "user_id format is invalid.",
"error_url": "https://stytch.com/docs/api/errors/400"
}RESPONSE 401
200
{
"status_code": 401,
"request_id": "request-id-test-b05c992f-ebdc-489d-a754-c7e70ba13141",
"error_type": "unable_to_auth_magic_link",
"error_message": "The magic link could not be authenticated because it was either already used or expired. Send another magic link to this user.",
"error_url": "https://stytch.com/docs/api/errors/401"
}RESPONSE 404
200
{
"status_code": 404,
"request_id": "request-id-test-b05c992f-ebdc-489d-a754-c7e70ba13141",
"error_type": "magic_link_not_found",
"error_message": "The magic link could not be authenticated, try sending another magic link to the user.",
"error_url": "https://stytch.com/docs/api/errors/404"
}RESPONSE 429
200
{
"status_code": 429,
"request_id": "request-id-test-b05c992f-ebdc-489d-a754-c7e70ba13141",
"error_type": "too_many_requests",
"error_message": "Too many requests have been made.",
"error_url": "https://stytch.com/docs/api/errors/429"
}RESPONSE 500
200
{
"status_code": 500,
"request_id": "request-id-test-b05c992f-ebdc-489d-a754-c7e70ba13141",
"error_type": "internal_server_error",
"error_message": "Oops, something seems to have gone wrong, please reach out to support@stytch.com to let us know what went wrong.",
"error_url": "https://stytch.com/docs/api/errors/500"
}