Magic Link redirect routing

By default, calling the /magic_links/email/send, /magic_links/email/login_or_create, and /magic_links/email/invite endpoints results in an email containing a magic link being sent to the provided email address. This link has the following format depending on the Stytch environment being used:

Test env{TOKEN}

Live env{TOKEN}

When the user follows the link the browser will direct the user to which renders as a blank page, and then the user will be redirected to the provided login_magic_link_url, signup_magic_link_url, or invite_magic_link_url (or to the default redirect url assigned in the Stytch Dashboard).

The step in this flow serves to detect and stop bot traffic. In some cases, like email addresses tied to an employer, additional email security may run before the email lands in the user's inbox.

These security bots will follow every link inside an email to detect threats. Without Stytch's bot detection, a bot would follow the magic link, go to your site, and the magic link token would be authenticated. Since a magic link token can only be authenticated once now the link is no longer valid. When the actual user goes to click the link, they are unable to login.

Disabling the step in the redirect flow

It is possible to disable the step in the redirect routing flow. Instead the magic link in the email will go directly to the specified redirect URL. This may be useful in cases where Email Magic Links are being used in a mobile setting, and the redirect URL is a universal link.

Remember, if you opt-in to disabling this feature you are now responsible for detecting and stopping bot-traffic from using and invalidating the magic link token. There are various ways of doing this including enabling PKCE or using bot-detection software like reCAPTCHA.

If you are interested in disabling this feature reach out to