What magic link login involves
Magic link login means the user enters their email, receives a signed one-time link, and clicks it to sign in. There is no password to choose, store, or leak. The work is in signing the token, expiring it, accepting it once, and getting the email delivered reliably.
The user experience is simple: type an email, get a link, click it, you are in. Behind it, your server creates a signed token tied to that email, embeds it in a link, and emails it. When the user clicks, your server checks the token is valid, unexpired, and unused, then opens a session.
Because there is no shared password, a magic link removes a whole class of risk: nothing reusable to phish, breach, or reset. Clicking the link also proves the user controls the inbox, so it doubles as email verification.
For how this fits with sessions and roles, see the SaaS authentication guide. We run magic-link sign-in on thebridge.dev in production, and in The Bridge it is a toggle on the hosted login box, with no keys to paste and no redeploy.
