Authentication & Users

Magic Links

Allow users to log in with a secure email link instead of a password.

Magic Links allow users to log in by simply clicking a link sent to their email address. This reduces friction for users who forget their passwords and improves security by eliminating weak user-chosen passwords.

How It Works

The Magic Link flow is designed to work seamlessly between the decoupled Frontend and Backend:

User enters their email on the Nuxt login page and clicks "Login".

Backend Validation

AdonisJS validates that the email exists in the database.

Job Queued

The email job is pushed to the Redis Queue via BullMQ. The API responds immediately with a success message—no waiting for email delivery.

Email Sent

The background worker processes the job and sends an email containing a cryptographically signed URL.

User clicks the magic link in their email. The request hits the Backend API verification endpoint.

Token Created

AdonisJS verifies the signature and expiration. If valid, it creates a JWT access token and redirects to the frontend with the token.

User Authenticated

The frontend receives the token, stores it, and redirects the user to the dashboard.

API Endpoints

| Method | Endpoint | Description |
|--------|----------|-------------|
| POST | /users/login/magic-link | Request a magic link email |
| GET | /users/login/magic-link/:email/verify | Verify the magic link (signed URL) |

Security Features

The magic link implementation includes several security measures:

Signed URLs

Links are cryptographically signed using AdonisJS's built-in URL signing, preventing tampering.

Short Expiration

Links expire after 5 minutes by default, minimizing the window for potential misuse.

Device Tracking

Each token is named with browser/device info, allowing users to see active sessions.

No Email Enumeration

The API returns the same response whether the user exists or not, preventing attackers from discovering valid emails.
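
The Signed URLs and Short Expiration measures above, sketched as an added example (not this project's code and not AdonisJS's internal implementation): a stand-alone HMAC-signed link with a 5-minute expiry, verified so that tampering and expiry are reported separately. `SECRET`, `makeSignedUrl`, `verifySignedUrl` and the `expires`/`signature` query parameter names are assumptions made for the illustration.

```javascript
// Added illustration: HMAC-signed, expiring magic-link URLs with Node's crypto module.
// Loads node:crypto under either CommonJS or ES modules.
const crypto = typeof require === 'function'
  ? require('node:crypto') : process.getBuiltinModule('node:crypto');

const SECRET = 'constructed-demo-key-not-for-production'; // hypothetical stand-in for the app key
const TTL_MS = 5 * 60 * 1000; // 5-minute default stated in the docs

const mac = (data) => crypto.createHmac('sha256', SECRET).update(data).digest('base64url');

// Build /users/login/magic-link/:email/verify?expires=...&signature=...
function makeSignedUrl(email, now = Date.now()) {
  const path = `/users/login/magic-link/${encodeURIComponent(email)}/verify`;
  const unsigned = `${path}?expires=${now + TTL_MS}`;
  return `${unsigned}&signature=${mac(unsigned)}`;
}

// Returns 'ok', 'invalid_signature' or 'expired'.
function verifySignedUrl(url, now = Date.now()) {
  const match = /^(.*\?expires=(\d+))&signature=([\w-]+)$/.exec(url);
  if (!match) return 'invalid_signature';
  const [, unsigned, expires, signature] = match;
  const expected = Buffer.from(mac(unsigned));
  const given = Buffer.from(signature);
  // Check the MAC first, in constant time, so `expires` is trusted only once authenticated.
  if (given.length !== expected.length || !crypto.timingSafeEqual(given, expected)) {
    return 'invalid_signature';
  }
  return now > Number(expires) ? 'expired' : 'ok';
}

// Constructed sample values.
const t0 = Date.UTC(2024, 0, 1);
const link = makeSignedUrl('alice@example.com', t0);
const swapped = link.replace('alice', 'admin'); // email changed in the path
const extended = link.replace(/expires=\d+/, `expires=${t0 + 86400000}`); // lifetime changed

console.log(verifySignedUrl(link, t0 + 60000));      // clicked within 5 minutes
console.log(verifySignedUrl(link, t0 + TTL_MS + 1)); // clicked after expiry
console.log(verifySignedUrl(swapped, t0), verifySignedUrl(extended, t0));
```

Because the signature covers both the path and the expiry timestamp, changing either the email in the URL or the `expires` value fails verification before the expiry is even examined.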

Frontend Features

The login page provides a tabbed interface where users can choose between:

  • Email/Password — Traditional login
  • Magic Link — Passwordless login

When using magic links:

  • Form validation with helpful error messages
  • Loading state while the request is processing
  • Success toast when the email is sent
  • If the email isn't found, the user is redirected to signup with their email pre-filled

Email Template

The magic link email includes:

  • Personalized greeting with the user's first name
  • Clear call-to-action button
  • Expiration warning
  • Plain text fallback for email clients that don't support HTML

During development, all emails are caught by MailHog. View them at http://localhost:8025.

Error Handling

| Error | Cause | User Experience |
|-------|-------|-----------------|
| Link expired | User waited too long to click | Error message, prompted to request new link |
| Invalid signature | Link was modified or corrupted | Error message on login page |
| User not found | Email doesn't exist | Redirected to signup page |

Customization

You can easily customize the magic link behavior:

  • Expiration time — Change how long links remain valid
  • Email template — Modify the HTML/text templates in resources/views/emails/
  • Queue priority — Adjust job priority for faster delivery

The magic link system uses the same queue infrastructure as other emails (verification, password reset, invitations), ensuring consistent delivery.