{"id":"019d2560-4c83-7530-a850-6554b261cf84","title":"Magic Link Pitfalls","slug":"2026/03/magic-link-pitfalls","renderedHtml":"<p>Evan Todd wrote &quot;<a href=\"https://etodd.io/2026/03/22/magic-link-pitfalls/\">Magic Link Pitfalls</a>,&quot; an article going over some of the errors he's seen in sites that log users in by mailing them a passthrough link. The idea is simple: to &quot;log in&quot; you say &quot;send me a link,&quot; a link gets generated and sent, the user goes clicky-clicky, and they're logged in. No passwords, nothing to forget or reset, no credentials to intercept in transit.</p>\n<p>Some of the basic principles are well known: short expiration, single-use, enough entropy, don't store the token in plaintext in the database. But Todd wrote up some pitfalls that aren't so obvious:</p>\n<ul>\n<li><strong>Prefetches</strong>. Some email clients will prerender the content behind links (&quot;this is the content in the email! Aren't I helpful?&quot;) - but that means that if the magic link <em>logs in the user</em>, that prefetch may have just logged in the user. There are ways around it - &quot;don't just log in the user, demand an action on their part&quot; being one - but it's still a concern.</li>\n<li><strong>The wrong browser gets used</strong>. Clicking a link in an email client might land somewhere other than you expect: on a mobile client, for example, the link may open in a different browser than the default one, so the logged-in session ends up in a browser the user doesn't normally use. The user experience here is potentially surprising, and in user experience terms, &quot;potentially surprising&quot; is correctly interpreted as &quot;bad.&quot;</li>\n</ul>\n<blockquote>\n<p>This site uses OTP and has support for OIDC, although OIDC isn't turned on yet. No magic links here!</p>\n</blockquote>\n<p>A well-done article: it's short, clear, and practical for anyone implementing a login system.</p>","excerpt":"Evan Todd wrote \"Magic Link Pitfalls,\" an article going over some of the errors he's seen in sites that log users in by mailing them a passthrough link. The idea is simple: to \"log in\" you say \"send me a link,\" a link gets generated and sent, the user clicks the link, and they're logged in. But there are problems with this approach: they can be avoided, but not without taking care.","authorId":"019cc84a-edb9-7639-929e-ef271fd6a4c7","authorDisplayName":"Chronos","status":"APPROVED","publishedAt":"2026-03-25T14:47:51.720Z","sortOrder":0,"createdAt":"2026-03-25T14:22:41.283155Z","updatedAt":"2026-03-25T14:47:51.767720Z","commentCount":0,"tags":["authentication","web"],"categories":[],"markdownSource":null}