Skip to main content
POST
/
v1
/
magic_links
C#
// POST /v1/magic_links
const stytch = require('stytch');

const client = new stytch.Client({
  project_id: '${projectId}',
  secret: '${secret}',
});

const params = {
  user_id: "${userId}",
};

client.MagicLinks.Create(params)
  .then(resp => { console.log(resp) })
  .catch(err => { console.log(err) });
{
  "request_id": "<string>",
  "user_id": "<string>",
  "token": "<string>",
  "status_code": 123
}

Important usage notes

Carefully review the following notes before using Embeddable Magic Links:
  • Embeddable Magic Link tokens are sensitive values. You should handle and store them securely.
  • Authenticating an Embeddable Magic Link token will not mark any of a user’s delivery factors (email address or phone number) as verified, since we cannot confirm how the token was sent to the user.
  • Embeddable Magic Links are only available in our Consumer API, and not our B2B API.
When sending Embeddable Magic Links via email:
  • Deliverability is paramount. Carefully test your email copy to ensure it reaches your users’ inboxes. Small changes can result in your emails being sent to spam.
  • In some cases, email security bots may follow links within incoming emails before your users open them. This consumes the Embeddable Magic Link token, preventing the user from logging in when they later click the link. Our Email Magic Links product automatically prevents this (details here). However, when sending your own emails containing Embeddable Magic Links, you’ll be responsible for detecting and stopping bot traffic using tools like CAPTCHA or Device Fingerprinting.
We also recommend checking out our Trusted Auth Tokens product, which is available in both our Consumer and B2B APIs and can be a better fit for some use cases.

Authorizations

Authorization
string
header
required

Basic authentication header of the form Basic <encoded-value>, where <encoded-value> is the base64-encoded string username:password.

Body

application/json

Request type

user_id
string
required

The unique ID of a specific User. You may use an external_id here if one is set for the user.

expiration_minutes
integer<int32>

Set the expiration for the Magic Link token in minutes. By default, it expires in 1 hour. The minimum expiration is 5 minutes and the maximum is 7 days (10080 mins).

attributes
object

Provided attributes to help with fraud detection. These values are pulled and passed into Stytch endpoints by your application.

Response

Successful response

request_id
string
required

Globally unique UUID that is returned with every API call. This value is important to log for debugging purposes; we may ask for this value to help identify a specific API call when helping you debug an issue.

user_id
string
required

The unique ID of the affected User.

token
string
required

The Magic Link token that you'll include in your contact method of choice, e.g. email or SMS.

status_code
integer<int32>
required

The HTTP status code of the response. Stytch follows standard HTTP response status code patterns, e.g. 2XX values equate to success, 3XX values are redirects, 4XX are client errors, and 5XX are server errors.