Embeddable Magic Links

Frictionless login from any customer touchpoint

Use our API to weave magic links into your marketing comms. By embedding tokens into the CTAs in your email, SMS, or other marketing campaigns, you can allow users to jump into your app without having to re-authenticate, and drive up to a 300% conversion improvement.

Embeddable Magic Links

Reduce friction

Use our magic link create endpoint to embed magic links into all of your end-user communications, and ultimately improve both conversion and retention.

Just-in-time authentication

Layer on multiple auth methods

Layer on step-up authentication (using SMS OTP for example) at any point throughout your user’s session for additional security.

Drive conversion & retention

Remove user friction when re-engaging by having them magically sign in with one click.

Adapt your auth logic

Weave together any of Stytch's other passwordless products to protect even the most sensitive user actions.

Embed into any use case

Integrate magic links into any use case you can imagine — cart abandonment emails, promotional texts, links to bank statements, and more.

How it works

Weave into a range of customer interactions, with ease

Embed magic links into your existing user comms to seamlessly log in your users directly from their email or SMS inbox and guide them back to an authenticated experience.


What are Embeddable Magic Links?

Embeddable Magic Links enable developers to integrate one-click authentication and account creation seamlessly into any end user communication flow.

Similar to Email Magic Links, which are login URLs with auth tokens attached as parameters, Embeddable Magic Links create a one-time, one-click way to authenticate users. This makes them a user-friendly alternative to passwords – no more lengthy "forgot password" reset flows or a password manager to contend with.

The key difference from magic link emails, however, is that while with Email Magic Links the link must be delivered over email, you can embed Embeddable Magic Links anywhere you want within the delivery method of your choice.

Here are a couple (of many) potential use cases:

  • Promote ecommerce deals by texting an Embeddable Magic Link within a “Finish checking out” CTA and bring your user back to their cart already logged in.
  • Send a direct message to customers for support issues with Embeddable Magic Links to bring them to a specific point in your platform in an authenticated state.

Whereas Email Magic Links are used purely for logging into an account, Embeddable Magic Links are more expansive.

How do Embeddable Magic Links work?

Embeddable Magic Links and Email Magic Links function similarly, with just a few lines of code’s difference. Here's a breakdown of the authentication process:

  1. Create an Embeddable Magic Link token with a Stytch API call.
  2. Embed the token in a link and your delivery method of choice (user's email address, SMS, CTA button, etc.).
  3. Once the user clicks the link, authenticate the token with a Stytch API call to log in and create a session.

From here, it's up to you how to manage the rest of the login process. You can either start a user session or add additional authentication steps (more on this below).

Can Embeddable Magic Links work with multi-factor authentication?

Yes, Embeddable Magic Links can be just one piece of account security. You can layer on additional authentication steps at any point in the user session for additional account security.

For example, you could have your user click an Embeddable Magic Link that brings them directly into their account, or you could place additional passwordless authentication steps before sensitive actions. An example of additional multi-factor authentication might be requiring a one-time password (OTP) before updating a credit card.

Are Embeddable Magic Links a secure authentication method?

Embeddable Magic Links are secure for two reasons.

First, Embeddable Magic Links are a type of passwordless authentication, which is generally more secure than password-based authentication.

Passwords are vulnerable to a variety of password-based attacks where bad actors attempt to compromise passwords and gain access to various accounts and platforms.

Second, all Embeddable Magic Links are unique to each user and time-sensitive. This means if someone does manage to access a user’s Embeddable Magic Link, it’s still highly unlikely they’ll be able to use an Embeddable Magic Link to take over their account in your application.

This is because Stytch has built in additional security features that are specific to our Embeddable Magic Links.

For instance, you can include the IP address and/or user agent when the user creates the token. Including this information means that the authentication server (i.e. Stytch) will also check the IP address and/or user agent in the embedded token against the user’s at the moment they click on the link.

Adding these attributes to the Embeddable Magic Link token ensures that the same user who started the flow is the user finishing the flow (i.e., if a link is stolen, the IP address and user agent will be different, so Stytch will fail the login).

Can an Embeddable Magic Link be used more than once?

No. Once your user authenticates with an Embeddable Magic Link, the code will expire and it cannot be reused.

Can Embeddable Magic Links be used by more than one user?

For login and signup purposes, no – each Embeddable Magic Link is created uniquely for each user’s account.

In practice, however, anybody with access to the Embeddable Magic Link can use it. This account takeover risk can be reduced using Stytch’s additional security features discussed above.

Do Embeddable Magic Links time out?

Yes. Embeddable Magic Links will work as long as the token is valid, which can be configured to your specific auth and security needs.

Stytch Embeddable Magic Links stay active anywhere from five minutes to seven days. Teams focused on security might choose a shorter token lifetime to reduce the risk of account takeovers. If there is no sensitive data involved, however, a longer token lifetime can make for an easier user experience.
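
The three steps under "How do Embeddable Magic Links work?" and the properties described in the security answers above (single use, expiry, IP address and user agent binding), modelled locally as an added example. This is not Stytch's code or API: `MagicLinkStore`, `build_link`, the URL and the sample values are hypothetical, and burning the token on a failed attempt is this sketch's own choice.

```python
import hashlib
import secrets
import time
from urllib.parse import urlencode

MIN_TTL, MAX_TTL = 5 * 60, 7 * 24 * 3600  # lifetime range stated on the page

def _digest(token):
    return hashlib.sha256(token.encode()).hexdigest()

class MagicLinkStore:
    """Hypothetical in-memory token table; a model, not Stytch's code."""

    def __init__(self, clock=time.time):
        self._rows = {}  # sha256(token) -> record; the raw token is never stored
        self._clock = clock

    def create(self, user_id, ttl_seconds, ip=None, user_agent=None):
        if not MIN_TTL <= ttl_seconds <= MAX_TTL:
            raise ValueError("lifetime must be between five minutes and seven days")
        token = secrets.token_urlsafe(32)
        self._rows[_digest(token)] = {
            "user_id": user_id, "expires_at": self._clock() + ttl_seconds,
            "ip": ip, "user_agent": user_agent}
        return token

    def authenticate(self, token, ip=None, user_agent=None):
        # pop() enforces single use. Burning the token on a failed attempt too
        # is this sketch's choice, so a stolen link cannot be retried.
        row = self._rows.pop(_digest(token), None)
        if row is None:
            return None, "unknown_or_used"
        if self._clock() >= row["expires_at"]:
            return None, "expired"
        for field, seen in (("ip", ip), ("user_agent", user_agent)):
            if row[field] is not None and row[field] != seen:
                return None, field + "_mismatch"
        return row["user_id"], "ok"

def build_link(base_url, token):
    """Step 2: place the token in the CTA URL (base_url is an assumption)."""
    return base_url + "?" + urlencode({"token": token})

if __name__ == "__main__":
    store = MagicLinkStore()
    t = store.create("user-test-1", 15 * 60, ip="203.0.113.7")  # constructed values
    print(build_link("https://app.example.com/authenticate", t))
    print(store.authenticate(t, ip="198.51.100.9"))  # link opened from another network
```
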

Our platform

Explore other authentication products

Pick the product that’s most suited to your app and user experience by choosing from a range of options.