Embeddable Magic Links

Embeddable Magic Links enable developers to integrate one-click authentication and account creation seamlessly into any end user communication flow.

Similar to Email Magic Links, which are login URLs with auth tokens attached as parameters, Embeddable Magic Links create a one-time, one-click way to authenticate users. This makes them a user-friendly alternative to passwords – no more lengthy "forgot password" reset flows or a password manager to contend with.

The key difference from magic link emails, however, is that while with Email Magic Links the link must be delivered over email, you can embed Embeddable Magic Links anywhere you want within the delivery method of your choice.

Here are a couple (of many) potential use cases:

• Promote ecommerce deals by texting an Embeddable Magic Link within a “Finish checking out” CTA and bring your user back to their cart already logged in.
• Send a direct message to customers for support issues with Embeddable Magic Links to bring them to a specific point in your platform in an authenticated state.

Whereas Email Magic Links are used purely for logging into an account, Embeddable Magic Links are more expansive.

Embeddable Magic Links and Email Magic Links function similarly, with just a few lines of code’s difference. Here's a breakdown of the authentication process:

1. Create an Embeddable Magic Link token with Stytch API call.
2. Embed the token in a link and your delivery method of choice (user's email address, SMS, CTA button, etc.).
3. Once the user clicks the link, authenticate the token with a Stytch API call to login and create a session.

From here, it's up to you how to manage the rest of the login process. You can either start a user session or add additional authentication steps (more on this below).

Yes, Embeddable Magic Links can be just one piece of account security. You can layer on additional authentication steps at any point in the user session for additional account security.

For example, you could have your user click an Embeddable Magic Link that brings them directly into their account, or you could place additional passwordless authentication steps before sensitive actions. An example of additional multi-factor authentication might be requiring a one time password (OTP) before updating a credit card.

Embeddable Magic Links are secure for two reasons.

First, Embeddable Magic Links are a type of passwordless authentication, which is generally more secure when compared to password based authentication.

Passwords are vulnerable to a variety of password based attacks where bad actors attempt to compromise passwords and gain access to various accounts and platforms.

Second, all Embeddable Magic Links are unique to each user and time-sensitive. This means if someone does manage to access a user’s Embeddable Magic Link, it’s still highly unlikely they’ll be able to use an Embeddable Magic Link to take over their account in your application.

This is because Stytch has built in additional security features that are more unique to our Embeddable Magic Links.

For instance, you can include the IP address and/or user agent when the user creates the token. Including this information means that the authentication server (i.e. Stytch) will also check the IP address and/or user agent in the embedded token against the user’s at the moment they click on the link.

Adding these attributes to the Embeddable Magic Link token ensures that the same user who started the flow is the user finishing the flow. (i.e. if a link is stolen, the IP address and user agent will be different, so Stytch will fail the login).

No. Once your user authenticates with an Embeddable Magic Link, the code will expire and it cannot be reused.

For login and signup purposes, no – each Embeddable Magic Link is created uniquely for each user’s account.

In practice, however, anybody with access to the Embeddable Magic Link can use it. This account takeover risk can be reduced using Stytch’s additional security features discussed above.

Yes. Embeddable Magic Links will work as long as the token is valid, which can be configured to your specific auth and security needs.

Stytch Embeddable Magic Links stay active anywhere from five minutes to seven days. Teams focused on security might choose a shorter token lifetime to reduce risk of account takeovers. If there is no sensitive data involved, however, a longer token can be an easy user experience.