How it Works

Email magic links are a secure, seamless, passwordless authentication option. When a user logs in via Stytch’s Email Magic Link (EML) product, Stytch generates a unique, one-time-use token embedded in a URL and sends it to the user’s email address. The user authenticates their identity by successfully receiving and clicking on this link before the link expires, at which point Stytch will either issue a Session or prompt the user to perform MFA if they are enrolled. Stytch also uses magic links in our flow for inviting new Members to an existing Organization, allowing the end user to accept the invite and authenticate into the target Organization in one step.

Discovery vs. Organization-specific login

Stytch’s Multi-Tenant Authentication product supports two different magic link authentication flows:

Organization-specific authentication

Used when you already know the Organization that the end user is trying to log into.

Discovery authentication

Used for self-serve Organization creation or login prior to knowing the Organization context.
Both flows support email magic links, allowing end users to accept pending invites or join by email domain, and finish with the end user authenticated in a specific Organization. However, Discovery authentication involves one additional step to surface the end user’s “discovered organizations” that they are eligible to log in to, and it also allows self-serve Organization creation.

Email template customization

Email templates control the subject line and body of the email a Member receives. For Magic Link endpoints that send emails, there are three possible email templates a Member can receive: login, signup or invite. Which email template a Member receives is based on a combination of the Member’s state (e.g. active, pending) in the Stytch backend and whether the magic link is initiated via a discovery authentication, organization-specific authentication or invite method. Styling customizations like color and font are available by default, while full HTML customization is available to customers paying for our branding add-on.

Security

Stytch’s email magic links product has built-in protections that ensure seamless delivery of magic links in corporate environments without compromising on security.

One-time use restrictions

Each Magic Link that is sent to the user is one-time use. Once the user clicks on the Magic Link and logs in, the embedded token that uniquely identifies the authentication request is “consumed” and cannot be used for subsequent logins. This is critical for security as it significantly reduces the chances of unauthorized access. Once the user has completed the authentication flow the token cannot be stolen or replayed by an attacker to gain access. However, in corporate environments, where email security scanners are very prevalent, this security measure can sometimes make Email Magic Links unusable.

Email security scanners

Email security scanners are tools that scan incoming emails for malicious content, such as suspicious links or attachments, in an effort to protect the user from phishing attacks or malware. Most security scanners will inspect and click on any links present in emails, in order to identify suspicious redirects, attempts to execute malicious scripts or download malware, or signs of a phishing attempt. When the link in question is actually an email magic link, the scanner will end up consuming the token before the email actually makes its way into the user’s inbox, preventing them from being able to use the link to log in.

Stytch’s built-in solution

In order to not compromise on the security of our EML product, while accounting for the prevalence of email security scanners, particularly in corporate inboxes, Stytch leverages our device intelligence product to handle “clicks” differently depending on whether the click comes from a real human user or from an email security scanner. When we identify that the Magic Link has been clicked by an email security scanner, we do not treat the click as an authentication attempt, meaning the token is not consumed and a session is not granted. The security scanner is able to inspect the link and identify that it is not malicious, without interfering with the one-time-use restriction. Once the scan is complete and the email is passed through to the user’s inbox, they are able to click on the link and successfully log in. This protection comes out of the box for all Stytch customers, but if you are interested in learning more about other use cases of Stytch’s device intelligence product (such as bot protection on your login page, or identifying and blocking fraudulent real users) contact sales.
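The following is an added illustration, not Stytch code, of the token lifecycle this page describes: the one-time-use token embedded in the link (“How it Works” and “One-time use restrictions”) and the scanner-aware click handling (“Stytch’s built-in solution”). The service name, the URL, the 5-minute lifetime and the `is_scanner` verdict are all assumptions; in the real product the verdict comes from device intelligence, which is abstracted here as a boolean supplied by the caller. Only a hash of the token is stored, so a leaked database table cannot be turned into valid links.

```python
import hashlib
import secrets
import time
from dataclasses import dataclass
from typing import Callable, Dict

# Assumed lifetime for illustration; the page does not state Stytch's real value.
TOKEN_TTL_SECONDS = 5 * 60


@dataclass
class PendingLink:
    token_hash: str      # SHA-256 of the secret token; the raw token is never stored
    email: str
    expires_at: float
    consumed: bool = False


class MagicLinkService:
    """Toy issuer/verifier for one-time email magic links (illustration only)."""

    def __init__(self, base_url: str = "https://example.com/authenticate",
                 ttl: int = TOKEN_TTL_SECONDS,
                 now: Callable[[], float] = time.time):
        self.base_url = base_url
        self.ttl = ttl
        self.now = now          # injectable clock so expiry can be tested
        self._links: Dict[str, PendingLink] = {}

    @staticmethod
    def _hash(token: str) -> str:
        return hashlib.sha256(token.encode("utf-8")).hexdigest()

    def send(self, email: str) -> str:
        """Create a fresh unguessable token and return the link that would be emailed."""
        token = secrets.token_urlsafe(32)           # 256 bits from the OS CSPRNG
        h = self._hash(token)
        self._links[h] = PendingLink(h, email, self.now() + self.ttl)
        return f"{self.base_url}?token={token}"

    def click(self, url: str, is_scanner: bool) -> str:
        """Handle a click on the link.

        is_scanner stands in for the device-intelligence verdict: a scanner
        click is acknowledged but does NOT consume the token or grant a session,
        so the human recipient can still use the link afterwards.
        """
        token = url.split("token=", 1)[-1]
        link = self._links.get(self._hash(token))
        if link is None:
            return "rejected: unknown token"
        if self.now() > link.expires_at:
            return "rejected: expired"
        if link.consumed:
            return "rejected: already used"
        if is_scanner:
            return "ignored: scanner"
        link.consumed = True                        # one-time use: burn the token
        return f"session for {link.email}"


if __name__ == "__main__":
    svc = MagicLinkService()
    url = svc.send("member@example.com")            # constructed sample address
    print(svc.click(url, is_scanner=True))          # scanner pre-fetch: token survives
    print(svc.click(url, is_scanner=False))         # human click: session issued
    print(svc.click(url, is_scanner=False))         # replay: rejected
```

Two details worth noting for anyone building something similar: the lookup is keyed by the hash of the token, so storage compromise alone does not yield usable links, and the expiry check runs before the scanner branch, so a scanner click on an expired link is reported as expired rather than silently ignored.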