Email Magic Links Overview

Email Magic Links are a secure, seamless passwordless authentication option.

When a user logs in via Stytch’s Email Magic Link (EML) product, Stytch generates a unique, one-time-use token embedded in a URL and sends it to the user’s email address. The user authenticates their identity by successfully receiving and clicking on this link before the link expires, at which point Stytch will either issue a Session or prompt the user to perform MFA if they are enrolled.

API Objects and Endpoints

API Resources



A top-level tenant that groups members, auth settings, roles, and other identity configurations.


Represents an authenticated user who is a member of a specific Organization.

Magic Links

A collection of Magic Link endpoints for login and signup.

Member Session

A managed session that tracks a Member's logged-in state using JWTs or session tokens.

How It Works

In Stytch’s B2B product there are two different versions of the Email Magic Link authentication flow:

  1. Discovery Authentication: used for self-serve Organization creation or login prior to knowing the Organization context
  2. Organization-specific Authentication: used when you already know the Organization that the end user is trying to log into

Both flows support Email Magic Links, allow end users to accepting pending invites or Just-in-Time (JIT) Provision by email domain, and finish with the end user authenticated in a specific Organization. However, Discovery involves one additional step to surface the end user's "discovered organizations" that they are eligible to login to and also allows self-serve organization creation.

Reduces risk of password breaches

Even in corporate environments, users notoriously use easy to crack passwords and reuse easy-to-remember passwords across multiple sites. By not having passwords on your application, you reduce the risk that user accounts will be compromised via data breaches at other companies.

Provides strong guarantee of email ownership

In B2B applications where access to an Organization is tied to corporate email addresses, verifying that the user currently has active ownership over that email is a much stronger guarantee of identity than an email + password combo, which a user could retain after leaving the company.

Provider agnostic

EML is a great complementary option to other popular passwordless login methods like Google or Microsoft OAuth, as it does not depend on the user having an account with a specific provider.