Magic-Link — FAQ
Authentication basics
What is passwordless authentication?
Passwordless auth replaces passwords with a cryptographically signed one-time URL (magic link) sent via email. Users enter only their email, click the link in their inbox, and are logged in. No passwords to remember, forget, or steal.
Is Magic-Link secure enough without passwords?
Yes — and for most use cases more secure than passwords. Tokens are HMAC-SHA256 signed, one-time use, and expire in 15 minutes (configurable). Combined with Email OTP (Premium) or TOTP/MFA (Advanced), it exceeds password security.
Industry research consistently shows password-based auth is the weakest link: phishing, reuse, weak choices, and credential dumps. Removing the password removes reuse, weak choices and credential dumps outright; a magic link can still be phished or relayed, which is what the short expiry, single use, browser pinning and MFA options described below are for.
What if a user's email is compromised?
This is the main risk of pure magic-link auth (same as password-reset flows). Mitigate by:
- Enabling Email OTP (Premium) — requires a code after the link click, defeating URL-forwarding attacks.
- Enabling TOTP/MFA (Advanced) — requires a second factor from the user's authenticator app.
- Using short token expiry (15 minutes or less).
- Monitoring via Magic-Sessionmanager for suspicious logins.
Features & tiers
How do I add MFA?
- Premium adds Email OTP — 6-digit code sent to email after link click.
- Advanced adds TOTP — Google Authenticator, Authy, 1Password, and any RFC 6238-compliant app.
Configure in Admin → Magic-Link → Settings. Enable per-user or enforce for all users / specific roles.
Does Magic-Link work with Strapi's default User & Permissions plugin?
Yes. Magic-Link extends Users & Permissions. Existing users can log in via magic link without migration. JWTs issued by Magic-Link are standard Strapi JWTs.
Can new users be created automatically?
Yes. If an email matches no existing user, Magic-Link can auto-create the user (toggle in Admin → Magic-Link → Settings). New users are assigned the default role defined in Users & Permissions, so review that role's permissions before enabling the toggle: anyone who can receive mail at an address can then create an account.
What's the default token expiry?
15 minutes. Configurable from 1 minute to 24 hours in the admin UI. Shorter is more secure; longer is friendlier to users whose mail is delivered slowly.
Security
How does Magic-Link prevent brute-force attacks?
Three layers:
- Per-IP rate limit — N attempts per window (default 5 per 15 minutes).
- Per-email rate limit — prevents targeting one user from multiple IPs.
- Automatic IP banning — after repeated failures, the IP is banned for a configurable duration.
All thresholds and durations are tunable.
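The three layers above, as an added illustrative example in Node.js. This is not the plugin's implementation: only the "5 per 15 minutes" per-IP default comes from the FAQ; the per-email budget, the ban policy (15 failed verifies, 1 hour), the function names and the in-memory maps are assumptions made for the example.

```javascript
// Added illustrative example (not the Magic-Link plugin's code): per-IP sliding
// window, per-email sliding window, and automatic IP banning after repeated
// failed verifies. Thresholds other than the per-IP default are assumptions.
const LIMITS = {
  ip:    { max: 5,  windowMs: 15 * 60 * 1000 },        // FAQ default: 5 per 15 minutes
  email: { max: 5,  windowMs: 15 * 60 * 1000 },        // assumed: same budget per address
  ban:   { failures: 15, durationMs: 60 * 60 * 1000 }, // assumed: 15 failed verifies -> 1 h ban
};
const windows = new Map();   // key -> timestamps of attempts inside the window
const bans = new Map();      // ip -> ban expiry (ms since epoch)
const failures = new Map();  // ip -> consecutive failed /verify calls

// Record an attempt under `key` and report whether it stayed within the limit.
// Over-limit attempts are still recorded, so hammering the endpoint extends the lockout.
function withinLimit(key, limit, now) {
  const ts = (windows.get(key) || []).filter((t) => now - t < limit.windowMs);
  ts.push(now);
  windows.set(key, ts);
  return ts.length <= limit.max;
}

// Gate for POST /api/magic-link/send. `ip` must be the real client address
// (a proxy-verified X-Forwarded-For, never the raw header), or the per-IP layer is spoofable.
function checkSendRequest({ ip, email }, now = Date.now()) {
  const banUntil = bans.get(ip);
  if (banUntil !== undefined && now < banUntil) {
    return { allowed: false, reason: 'banned', retryAfterMs: banUntil - now };
  }
  if (!withinLimit(`ip:${ip}`, LIMITS.ip, now)) {
    return { allowed: false, reason: 'ip rate limit' };
  }
  // Normalise so A@x and a@x share one budget; this is the layer that stops
  // an attacker targeting one user from many IPs.
  const key = `email:${String(email).trim().toLowerCase()}`;
  if (!withinLimit(key, LIMITS.email, now)) {
    return { allowed: false, reason: 'email rate limit' };
  }
  return { allowed: true };
}

// Called when GET /api/magic-link/verify rejects a token presented from `ip`.
function recordVerifyFailure(ip, now = Date.now()) {
  const n = (failures.get(ip) || 0) + 1;
  if (n >= LIMITS.ban.failures) {
    failures.delete(ip);
    bans.set(ip, now + LIMITS.ban.durationMs);
    return { banned: true, until: now + LIMITS.ban.durationMs };
  }
  failures.set(ip, n);
  return { banned: false, failures: n };
}

// A successful verify clears the failure streak for that IP.
function recordVerifySuccess(ip) {
  failures.delete(ip);
}
```

Two things to keep in mind when wiring this in: the send endpoint should answer with the same message and similar timing whether or not the address exists, otherwise the rate limiter protects against guessing tokens but not against enumerating users; and the per-email layer has a flip side, since an attacker who knows a victim's address can exhaust that address's budget and keep the victim from requesting a link, so keep the window short and log those rejections.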
Can the magic link URL be opened in a different browser than the one that requested it?
Yes, by default: the link works anywhere. The Advanced tier adds optional browser pinning, under which the link only works in the browser that initiated the request; a fetch from anywhere else is rejected rather than redeemed. This defeats email-preview scanners (e.g. enterprise mail servers that fetch URLs to scan for malware, which would otherwise consume the one-time token) and also stops an attacker who obtains the link from a compromised or forwarded mailbox from using it. The trade-off is that users cannot request the link on one device and open it on another, so explain this in the login UI before enabling it.
Is there PKCE support?
Yes, on the Advanced tier. PKCE (Proof Key for Code Exchange) adds an extra layer for public clients where the client secret cannot be kept confidential (mobile apps, SPAs).
Integration
Can I customize the magic link email template?
Yes. Magic-Link uses Strapi's email service. Options:
- With Magic-Mail: use the Visual Designer for drag-and-drop template creation.
- Without Magic-Mail: customize via any Strapi email provider's template feature or pass a custom HTML template to the Magic-Link API.
Does Magic-Link work with SPAs (React, Vue, Svelte, Angular)?
Yes. Magic-Link exposes standard Strapi REST endpoints:
- POST /api/magic-link/send — request a magic link
- GET /api/magic-link/verify?token=... — verify and return JWT
- Plus MFA endpoints for Premium/Advanced
Your SPA calls these directly and stores the JWT returned by verify.
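An added client-side sketch of that flow against the two endpoints named above. This is not the plugin's own client code: the request body (`{ email }`), the verify response shape (`{ jwt }`), the base URL and the storage choice are assumptions made for the example. `fetch`, storage and history are injectable so the module can be exercised without a browser or a running Strapi.

```javascript
// Added illustrative SPA client (not the Magic-Link plugin's code). Endpoint
// paths come from the FAQ; body and response shapes are assumptions.
const API_BASE = 'https://cms.example.test';   // assumed Strapi base URL

// Step 1: the login form posts the address. Return only success/failure;
// surfacing "unknown email" in the UI would let an attacker enumerate accounts.
async function requestMagicLink(email, { fetchImpl = globalThis.fetch } = {}) {
  const res = await fetchImpl(`${API_BASE}/api/magic-link/send`, {
    method: 'POST',
    headers: { 'Content-Type': 'application/json' },
    body: JSON.stringify({ email }),
  });
  return res.ok;
}

function tokenFromSearch(search) {
  return new URLSearchParams(search).get('token');
}

// Step 2: the route the emailed link lands on extracts ?token=..., redeems it,
// keeps the JWT, and scrubs the one-time token from the address bar so it is
// not left in browser history, screenshots or Referer headers.
async function completeLogin(search, {
  fetchImpl = globalThis.fetch,
  storage = globalThis.sessionStorage,
  history = globalThis.history,
} = {}) {
  const token = tokenFromSearch(search);
  if (!token) return { ok: false, reason: 'no token in URL' };
  const res = await fetchImpl(`${API_BASE}/api/magic-link/verify?token=${encodeURIComponent(token)}`);
  if (!res.ok) return { ok: false, reason: `verify rejected (${res.status})` };
  const body = await res.json();
  if (typeof body.jwt !== 'string') return { ok: false, reason: 'no jwt in response' };
  storage.setItem('jwt', body.jwt);
  if (history && typeof history.replaceState === 'function') history.replaceState(null, '', '/');
  return { ok: true };
}

// Step 3: attach the stored JWT to subsequent Strapi API calls.
function authHeaders(storage = globalThis.sessionStorage) {
  const jwt = storage.getItem('jwt');
  return jwt ? { Authorization: `Bearer ${jwt}` } : {};
}
```

On the storage choice: anything in `localStorage` or `sessionStorage` is readable by any script running on the origin, so an XSS bug hands over the JWT. Keeping it in memory (and re-requesting a link after a reload) or having a small backend exchange it for an httpOnly cookie is the stricter option; the example uses `sessionStorage` only because the FAQ says the SPA stores the JWT itself.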
How do I force logout a user?
Install Magic-Sessionmanager. It integrates with Magic-Link: force logout there invalidates both the JWT and the refresh token, preventing silent re-authentication.
Can I use Magic-Link without email?
The Free and Premium tiers require email. The Advanced tier supports TOTP-only login (username + TOTP code, no email roundtrip), useful for B2B tools where users already have authenticator apps.
Does Magic-Link support SSO (Google, Microsoft, SAML)?
Magic-Link focuses on passwordless email auth. For SSO, use the OAuth providers built into Strapi's Users & Permissions plugin in parallel. Users can choose either method at login.
Pricing
What's the difference between tiers?
| Capability | Free | Premium ($14.50/mo) | Advanced ($39.50/mo) |
|---|---|---|---|
| Magic link auth | ✓ | ✓ | ✓ |
| Rate limiting | ✓ | ✓ | ✓ |
| Email OTP (2FA) | — | ✓ | ✓ |
| TOTP authenticator | — | — | ✓ |
| TOTP-only login | — | — | ✓ |
| MFA enforcement | — | — | ✓ |
| Browser pinning | — | — | ✓ |
| PKCE | — | — | ✓ |
Can I cancel anytime?
Yes. There is a 30-day money-back guarantee, and Free-tier features continue to work after cancellation.
Still have questions? support@magicdx.dev or GitHub Discussions.