Skip to main content

API resources

API Reference

Use the Send Magic Link API to start a magic link login flow.

Frontend SDKs

Use Stytch’s Frontend SDKs to start a magic link login flow.

Stytch UI

Use Stytch’s pre-built UI components to seamlessly add email magic links to your login flow.

Embeddable Magic Links

Use the Embeddable Magic Link API to start a magic link login flow by generating a magic link.

How it works

Email magic links are a secure, seamless, passwordless authentication option. When a user logs in via Stytch’s Email Magic Link (EML) product, Stytch generates a unique, one-time-use token embedded in a URL and sends it to the user’s email address. The user authenticates their identity by successfully receiving and clicking on this link before the link expires, at which point Stytch will verify the token and issue a Session for the . Stytch SDK auth flow With magic links, you can choose to allow login, signup, or login-or-create behavior.
Magic links require redirect URLs to be configured in your Dashboard.

Email template customization

Email templates control the subject line and body of the email a User receives. For Magic Link endpoints that send emails, there are three possible email templates a User can receive: login, signup or invite. Which email template a User receives is based on a combination of the User’s state (e.g. active, pending) in the Stytch backend and whether the magic link is initiated via the send, login-or-create, or invite method. Styling customizations like color and font are available by default, while full HTML customization is available to customers paying for our branding add-on. Learn more about customizing email templates here.

Security

Stytch’s email magic links product has built-in protections that ensure seamless delivery of magic links in corporate environments without compromising on security.

One-time use restrictions

Each Magic Link that is sent to the user is one-time use. Once the user clicks on the Magic Link and logs in, the embedded token that uniquely identifies the authentication request is “consumed” and cannot be used for subsequent logins. This is critical for security as it significantly reduces the chances of unauthorized access. Once the user has completed the authentication flow the token cannot be stolen or replayed by an attacker to gain access. However, in corporate environments, where email security scanners are very prevalent, this security measure can sometimes make Email Magic Links unusable.

Email security scanners

Email security scanners are tools that scan incoming emails for malicious content, such as suspicious links or attachments, in an effort to protect the user from phishing attacks or malware. Most security scanners will inspect and click on any links present in emails, in order to identify suspicious redirects, attempts to execute malicious scripts or download malware, or signs of a phishing attempt. When the link in question is actually an email magic link, the scanner will end up consuming the token before the email actually makes its way into the user’s inbox, preventing them from being able to use the link to login.

Stytch’s built-in solution

In order to not compromise on the security of our EML product, while accounting for the prevalence of email security scanners, particularly in corporate inboxes, Stytch leverages our device intelligence product to handle “clicks” differently depending on if it is a real human user, or an email security scanner. When we identify that the Magic Link has been clicked by an email security scanner, we do not treat the click as an authentication attempt - meaning the token is not consumed, and a session is not granted. The security scanner is able to inspect the link and identify that it is not malicious, without interfering with the one-time-use restriction. Once the scan is complete and the email is passed through to the user’s inbox, they are able to click on the link and successfully log in. This protection comes out of the box for all Stytch customers, but if you are interested in learning more about other use cases of Stytch’s device intelligence product (such as bot-protection on your login page, or identifying and blocking fraudulent real users) contact sales.