Magic link login
There are three parts to Magic link based login:
- Creating and sending the magic link to the user.
- Allowing the user to resend a (new) magic link if they want.
- Consuming the link (when clicked) to login the user.
note
The same flow applies during sign up and sign in. If the user is signing up, the createdNewUser
boolean on the frontend and backend will be true
(as the result of the consume code API call).
#
Step 1: Sending the Magic linkSuperTokens allows you to send a magic link to a user's email or phone number. You have already configured this setting on the backend SDK init
function call in "Initialisation" section.
Start by making a form which asks the user for their email or phone, and then call the following API to create and send them a magic link
- Web
- Mobile
- Via NPM
- Via Script Tag
import { createPasswordlessCode } from "supertokens-web-js/recipe/thirdpartypasswordless";
async function sendMagicLink(email: string) { try { let response = await createPasswordlessCode({ email }); /** * For phone number, use this: let response = await createPasswordlessCode({ phoneNumber: "+1234567890" }); */
// Magic link sent successfully. window.alert("Please check your email for the magic link"); } catch (err: any) { if (err.isSuperTokensGeneralError === true) { // this may be a custom error message sent from the API by you, // or if the input email / phone number is not valid. window.alert(err.message); } else { window.alert("Oops! Something went wrong."); } }}
async function sendMagicLink(email: string) { try { let response = await supertokensThirdPartyPasswordless.createPasswordlessCode({ email }); /** * For phone number, use this: let response = await supertokensThirdPartyPasswordless.createPasswordlessCode({ phoneNumber: "+1234567890" }); */
// Magic link sent successfully. window.alert("Please check your email for the magic link"); } catch (err: any) { if (err.isSuperTokensGeneralError === true) { // this may be a custom error message sent from the API by you, // or if the input email / phone number is not valid. window.alert(err.message); } else { window.alert("Oops! Something went wrong."); } }}
For email based login
curl --location --request POST '<YOUR_API_DOMAIN>/auth/signinup/code' \--header 'rid: thirdpartypasswordless' \--header 'Content-Type: application/json' \--data-raw '{ "email": "johndoe@gmail.com"}'
For phone number based login
curl --location --request POST '<YOUR_API_DOMAIN>/auth/signinup/code' \--header 'rid: thirdpartypasswordless' \--header 'Content-Type: application/json' \--data-raw '{ "phoneNumber": "+1234567890"}'
The response body from the API call has a status
property in it:
status: "OK"
: This means that the magic link was successfully sent.status: "GENERAL_ERROR"
: This is possible if you have overriden the backend API to send back a custom error message which should be displayed on the frontend, or if the input email or password failed the backend validation logic.
The response from the API call is the following object (in case of status: "OK"
):
{ status: "OK"; deviceId: string; preAuthSessionId: string; flowType: "USER_INPUT_CODE" | "MAGIC_LINK" | "USER_INPUT_CODE_AND_MAGIC_LINK"; fetchResponse: Response; // raw fetch response from the API call}
You want to save the deviceId
and preAuthSessionId
on the frontend storage. These will be useful to:
- Resend a new magic link.
- Detect if the user has already sent a magic link before or if this is an entirely new login attempt. This distinction can be important if you have different UI for these two states. For example, if this info already exists, you do not want to show the user an input box to enter their email / phone, and instead want to show them the resend link button.
#
Changing the magic link URL, or deep linking it to your appBy default, the magic link will point to the websiteDomain
that is configured on the backend, on the /auth/verify
route (where /auth
is the default value of websiteBasePath
).
If you want to change this to a different path, a different domain, or deep link it to your mobile / desktop app, then you can do so on the backend in the following way:
- NodeJS
- GoLang
- Python
import SuperTokens from "supertokens-node";import ThirdPartyPasswordless from "supertokens-node/recipe/thirdpartypasswordless";import Session from "supertokens-node/recipe/session";
SuperTokens.init({ appInfo: { apiDomain: "...", appName: "...", websiteDomain: "..." }, recipeList: [ ThirdPartyPasswordless.init({ contactMethod: "EMAIL", // This example will work with any contactMethod // This example works with the "USER_INPUT_CODE_AND_MAGIC_LINK" and "MAGIC_LINK" flows. flowType: "USER_INPUT_CODE_AND_MAGIC_LINK",
emailDelivery: { override: (originalImplementation) => { return { ...originalImplementation, sendEmail: async function (input) { if (input.type === "PASSWORDLESS_LOGIN") { return originalImplementation.sendEmail({ ...input, urlWithLinkCode: input.urlWithLinkCode?.replace( // This is: `${websiteDomain}${websiteBasePath}/verify` "http://localhost:3000/auth/verify", "http://your.domain.com/your/path" ) }) } return originalImplementation.sendEmail(input); } } } } }), Session.init({ /* ... */ }) ]});
import ( "strings"
"github.com/supertokens/supertokens-golang/ingredients/emaildelivery" "github.com/supertokens/supertokens-golang/recipe/thirdpartypasswordless" "github.com/supertokens/supertokens-golang/recipe/thirdpartypasswordless/tplmodels" "github.com/supertokens/supertokens-golang/supertokens")
func main() { supertokens.Init(supertokens.TypeInput{ RecipeList: []supertokens.Recipe{ thirdpartypasswordless.Init(tplmodels.TypeInput{ EmailDelivery: &emaildelivery.TypeInput{ Override: func(originalImplementation emaildelivery.EmailDeliveryInterface) emaildelivery.EmailDeliveryInterface { ogSendEmail := *originalImplementation.SendEmail (*originalImplementation.SendEmail) = func(input emaildelivery.EmailType, userContext supertokens.UserContext) error { // By default: `${websiteDomain}/${websiteBasePath}/verify` newUrl := strings.Replace( *input.PasswordlessLogin.UrlWithLinkCode, "http://localhost:3000/auth/verify", "http://localhost:3000/custom/path", 1, ) input.PasswordlessLogin.UrlWithLinkCode = &newUrl return ogSendEmail(input, userContext) } return originalImplementation }, }, }), }, })}
from supertokens_python import init, InputAppInfofrom supertokens_python.recipe.thirdpartypasswordless.types import EmailDeliveryOverrideInput, EmailTemplateVarsfrom supertokens_python.recipe import thirdpartypasswordlessfrom typing import Dict, Anyfrom supertokens_python.ingredients.emaildelivery.types import EmailDeliveryConfig
def custom_email_deliver(original_implementation: EmailDeliveryOverrideInput) -> EmailDeliveryOverrideInput: original_send_email = original_implementation.send_email
async def send_email(template_vars: EmailTemplateVars, user_context: Dict[str, Any]) -> None: assert template_vars.url_with_link_code is not None # By default: `${websiteDomain}/${websiteBasePath}/verify` template_vars.url_with_link_code = template_vars.url_with_link_code.replace( "http://localhost:3000/auth/verify", "http://localhost:3000/custom/path") return await original_send_email(template_vars, user_context)
original_implementation.send_email = send_email return original_implementation
init( app_info=InputAppInfo(api_domain="...", app_name="...", website_domain="..."), framework='...', recipe_list=[ thirdpartypasswordless.init( email_delivery=EmailDeliveryConfig(override=custom_email_deliver) ) ])
#
Step 2: Resending a (new) Magic linkAfter sending the initial magic link to the user, you may want to display a resend button to them. When the user clicks on this button, you should call the following API
- Web
- Mobile
- Via NPM
- Via Script Tag
import { resendPasswordlessCode } from "supertokens-web-js/recipe/thirdpartypasswordless";
async function resendMagicLink() { try { let response = await resendPasswordlessCode();
if (response.status === "RESTART_FLOW_ERROR") { // this can happen if the user has already successfully logged in into // another device whilst also trying to login to this one. window.alert("Login failed. Please try again"); window.location.assign("/auth") } else { // Magic link resent successfully. window.alert("Please check your email for the magic link"); } } catch (err: any) { if (err.isSuperTokensGeneralError === true) { // this may be a custom error message sent from the API by you. window.alert(err.message); } else { window.alert("Oops! Something went wrong."); } }}
async function resendMagicLink() { try { let response = await supertokensThirdPartyPasswordless.resendPasswordlessCode();
if (response.status === "RESTART_FLOW_ERROR") { // this can happen if the user has already successfully logged in into // another device whilst also trying to login to this one. window.alert("Login failed. Please try again"); window.location.assign("/auth") } else { // Magic link resent successfully. window.alert("Please check your email for the magic link"); } } catch (err: any) { if (err.isSuperTokensGeneralError === true) { // this may be a custom error message sent from the API by you. window.alert(err.message); } else { window.alert("Oops! Something went wrong."); } }}
curl --location --request POST '<YOUR_API_DOMAIN>/auth/signinup/code/resend' \--header 'rid: thirdpartypasswordless' \--header 'Content-Type: application/json' \--data-raw '{ "deviceId": "...", "preAuthSessionId": "...."}'
The response body from the API call has a status
property in it:
status: "OK"
: This means that the magic link was successfully sent.status: "RESTART_FLOW_ERROR"
: This can happen if the user has already successfully logged in into another device whilst also trying to login to this one. You want to take the user back to the login screen where they can enter their email / phone number again. Be sure to remove the storeddeviceId
andpreAuthSessionId
from the frontend storage.status: "GENERAL_ERROR"
: This is possible if you have overriden the backend API to send back a custom error message which should be displayed on the frontend.
#
How to detect if the user is in (Step 1) or in (Step 2) state?If you are building the UI for (Step 1) and (Step 2) on the same page, and if the user refreshes the page, you need a way to know which UI to show - the enter email / phone number form; or the resend magic link form.
- Web
- Mobile
- Via NPM
- Via Script Tag
import { getPasswordlessLoginAttemptInfo } from "supertokens-web-js/recipe/thirdpartypasswordless";
async function hasInitialMagicLinkBeenSent() { return await getPasswordlessLoginAttemptInfo() !== undefined;}
async function hasInitialMagicLinkBeenSent() { return await supertokensThirdPartyPasswordless.getPasswordlessLoginAttemptInfo() !== undefined;}
If hasInitialMagicLinkBeenSent
returns true
, it means that the user has already sent the initial magic link to themselves, and you can show the resend link UI (Step 2). Else show a form asking them to enter their email / phone number (Step 1).
Since you save the preAuthSessionId
and deviceId
after the initial magic link is sent, you can know if the user is in (Step 1) vs (Step 2) by simply checking if these tokens are stored on the device.
If they aren't, you should follow (Step 1), else follow (Step 2).
important
You need to clear these tokens if the user navigates away from the (Step 2) page, or if you get a RESTART_FLOW_ERROR
at any point in time from an API call, or if the user has successfully logged in.
#
Step 3: Consuming the Magic linkThis section talks about what needs to be done when the user clicks on the Magic link. There are two situations here:
- The user clicks the Magic link on the same browser & device as the one they had started the flow on.
- The user clicks the link on a different browser or device.
In order to detect which it is, you can do the following:
- Web
- Mobile
- Via NPM
- Via Script Tag
import { getPasswordlessLoginAttemptInfo } from "supertokens-web-js/recipe/thirdpartypasswordless";
async function isThisSameBrowserAndDevice() { return await getPasswordlessLoginAttemptInfo() !== undefined;}
async function isThisSameBrowserAndDevice() { return await supertokensThirdPartyPasswordless.getPasswordlessLoginAttemptInfo() !== undefined;}
Since you save the preAuthSessionId
and deviceId
, you can check if they exist on the app. If they do, then it's the same device that the user has opened the link on, else it's a different device.
#
If on the same device & browser- Web
- Mobile
On page load, you can consume the magic link by calling the following function
- Via NPM
- Via Script Tag
import { consumePasswordlessCode } from "supertokens-web-js/recipe/thirdpartypasswordless";
async function handleMagicLinkClicked() { try { let response = await consumePasswordlessCode();
if (response.status === "OK") { if (response.createdNewUser) { // user sign up success } else { // user sign in success } window.location.assign("/home") } else { // this can happen if the magic link has expired or is invalid window.alert("Login failed. Please try again"); window.location.assign("/auth") } } catch (err: any) { if (err.isSuperTokensGeneralError === true) { // this may be a custom error message sent from the API by you. window.alert(err.message); } else { window.alert("Oops! Something went wrong."); } }}
async function handleMagicLinkClicked() { try { let response = await supertokensThirdPartyPasswordless.consumePasswordlessCode();
if (response.status === "OK") { if (response.createdNewUser) { // user sign up success } else { // user sign in success } window.location.assign("/home") } else { // this can happen if the magic link has expired or is invalid window.alert("Login failed. Please try again"); window.location.assign("/auth") } } catch (err: any) { if (err.isSuperTokensGeneralError === true) { // this may be a custom error message sent from the API by you. window.alert(err.message); } else { window.alert("Oops! Something went wrong."); } }}
You need to extract the linkCode
and preAuthSessionId
from the Magic link. For example, if the Magic link is
https://example.com/auth/verify?rid=thirdpartypasswordless&preAuthSessionId=PyIwyA6VjdjNF5ggMV960rs3QXupRP2PEg2KcN5oi8s=#s4hxpBPnRC3xwBsCkFU228lh_CWe5HUBMRPowajsrgs=
Then the preAuthSessionId
is the value of the query param preAuthSessionId
(PyIwyA6VjdjNF5ggMV960rs3QXupRP2PEg2KcN5oi8s=
in the example), and the linkCode
is the part after the #
(s4hxpBPnRC3xwBsCkFU228lh_CWe5HUBMRPowajsrgs=
in our example).
We can then use these to call the consume API
curl --location --request POST '<YOUR_API_DOMAIN>/auth/signinup/code/consume' \--header 'rid: thirdpartypasswordless' \--header 'Content-Type: application/json' \--data-raw '{ "linkCode": "s4hxpBPnRC3xwBsCkFU228lh_CWe5HUBMRPowajsrgs=", "preAuthSessionId": "PyIwyA6VjdjNF5ggMV960rs3QXupRP2PEg2KcN5oi8s="}'
The response body from the API call has a status
property in it:
status: "OK"
: User sign in / up was successful. The response also contains more information about the user, for example their user ID, and if it was a new user or existing user.status: "INCORRECT_USER_INPUT_CODE_ERROR" | "EXPIRED_USER_INPUT_CODE_ERROR" | "RESTART_FLOW_ERROR"
: These responses indicate that the Magic link was invalid or expired.status: "GENERAL_ERROR"
: This is possible if you have overriden the backend API to send back a custom error message which should be displayed on the frontend.
note
On success, the backend will send back session tokens as part of the response headers which will be automatically handled by our frontend SDK for you.
#
If on a different device or browserIn this case, you want to show some UI that requires a user interaction before consuming the magic link. This is to protect against email clients opening the magic link on their servers and consuming the link. For example, you could show a button with text like - "Click here to login into this device".
On click, you can consume the magic link to log the user into that device. Follow the instructions in the above section to know which function / API to call.