Magic Link Login
Cryptographically signed one-time URLs that log users in without a password. Configurable expiry.
6-digit codes sent after link click. Defeats malicious URL forwarding and email preview scanners.
Google Authenticator, Authy, 1Password, and any RFC 6238 compliant app. Enforce per-user or per-role.
Configurable per-IP and per-email throttles. Automatic IP banning for suspicious activity.
Standard Strapi JWT sessions. Integrate with Magic-Sessionmanager for revocation.
New emails automatically create users (configurable). No manual admin work for onboarding.
```
npm install strapi-plugin-magic-link-v5
```

```ts
// config/plugins.ts
export default () => ({
  'magic-link': { enabled: true },
});
```

```
npm run build && npm run develop
```

Magic-Link requires an email provider. We recommend Magic-Mail which is integrated out of the box. Alternatively, install any Strapi email provider.

1. User enters email address
2. Magic-Link generates a signed token (HMAC) with 15-min TTL
3. Token sent via email as https://yourapp.com/auth/magic?token=...
4. User clicks link -> server validates token + signature + expiry
5. If valid: JWT issued, user logged in
6. Token is immediately invalidated (one-time use)

Choose the mode that fits your security posture:
| Mode | Steps | Security | Tier |
|---|---|---|---|
| Magic Link only | 1. Enter email → 2. Click link → ✓ | Good | Free |
| Link + Email OTP | 1. Enter email → 2. Click link → 3. Enter 6-digit code → ✓ | Very good | Premium |
| Link + TOTP | 1. Enter email → 2. Click link → 3. Enter authenticator code → ✓ | Excellent | Advanced |
| TOTP-only | 1. Enter email + username + TOTP → ✓ | Excellent | Advanced |
| Password + MFA | Traditional login + TOTP | Excellent | Advanced |
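
The six-step link flow above (HMAC-signed token, 15-minute TTL, one-time use) can be sketched as follows. This is an added example, not the plugin's own code: the `payload.signature` token layout, the names `issueToken` and `verifyToken`, and the in-memory `Map` standing in for a database table are all assumptions.

```javascript
// Added illustration; not the plugin's source. Names and token layout are assumptions.
const crypto = require('node:crypto');

const SECRET = crypto.randomBytes(32); // server-side signing key (assumed per deployment)
const TTL_MS = 15 * 60 * 1000;         // 15-minute TTL from step 2
const pending = new Map();             // token id -> email; stands in for a DB table

const sign = (payload) =>
  crypto.createHmac('sha256', SECRET).update(payload).digest('base64url');

// Step 2: issue a signed token bound to an email address and an expiry time.
function issueToken(email, now = Date.now()) {
  const id = crypto.randomBytes(16).toString('hex');
  const payload = Buffer.from(JSON.stringify({ id, email, exp: now + TTL_MS }))
    .toString('base64url');
  pending.set(id, email);
  return `${payload}.${sign(payload)}`;
}

// Steps 4-6: check the signature first, then the expiry, then consume the token.
function verifyToken(token, now = Date.now()) {
  const [payload, sig] = String(token).split('.');
  if (!payload || !sig) return { ok: false, reason: 'malformed' };
  const expected = Buffer.from(sign(payload));
  const given = Buffer.from(sig);
  // Constant-time compare; timingSafeEqual throws on length mismatch, so check length first.
  if (given.length !== expected.length || !crypto.timingSafeEqual(given, expected)) {
    return { ok: false, reason: 'bad-signature' };
  }
  // The payload is only parsed after its signature has been verified.
  const { id, email, exp } = JSON.parse(Buffer.from(payload, 'base64url').toString());
  if (now > exp) {
    pending.delete(id);
    return { ok: false, reason: 'expired' };
  }
  // delete() returns false when the id was already consumed: single use.
  if (!pending.delete(id)) return { ok: false, reason: 'already-used' };
  return { ok: true, email };
}
```
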
Magic-Link exposes Strapi REST endpoints:
| Method | Path | Purpose |
|---|---|---|
| POST | /api/magic-link/send | Send a magic link to an email |
| GET | /api/magic-link/verify?token=... | Verify link, return JWT |
| POST | /api/magic-link/otp/verify | Submit email OTP (Premium) |
| POST | /api/magic-link/totp/enroll | Start TOTP enrollment (Advanced) |
| POST | /api/magic-link/totp/verify | Submit TOTP code (Advanced) |
See API Reference for full details.
| Feature | Free | Premium | Advanced |
|---|---|---|---|
| Magic link auth | ✓ | ✓ | ✓ |
| Token management | ✓ | ✓ | ✓ |
| Rate limiting + IP ban | ✓ | ✓ | ✓ |
| JWT sessions | ✓ | ✓ | ✓ |
| Auto user creation | ✓ | ✓ | ✓ |
| Email OTP (2FA) | — | ✓ | ✓ |
| TOTP authenticator | — | — | ✓ |
| TOTP-only login | — | — | ✓ |
| MFA enforcement | — | — | ✓ |
| Priority support | — | — | ✓ |
| Price | $0 | $14.50/month | $39.50/month |
Made by Joulee Tech GmbH. Free tier · 30-day money-back guarantee on paid tiers.