Magic Link is the simplest authentication method to integrate and the easiest for users. They enter an email, Authaz sends a code, they paste it in. No password to remember, no app to install.
# Enable magic link for an application
curl -X PUT https://your-app.authaz.io/api/v1/applications/{appId}/auth/magic-link \
  -H "X-API-Key: $AUTHAZ_API_KEY" \
  -H "Content-Type: application/json" \
  -d '{ "enabled": true, "expirationMinutes": 10 }'
The button shows up on Universal Login automatically.
How long a code stays valid after Authaz emails it.
rateLimit.maxRequests | 3 | Codes per email per windowMinutes.
rateLimit.windowMinutes | 15 | Sliding window for the rate limit.
The codes themselves are 32-byte URL-safe random tokens. They are single-use and rotate on each request — there's no separate "code length" or "alphanumeric vs numeric" knob; the format is fixed for security.
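The properties above (32-byte URL-safe tokens, single use, rotation on each request, expiry, and the sliding-window rate limit) can be modelled in a few lines; this is an added example, not Authaz's implementation or API. It assumes a hypothetical in-memory `MagicLinkStore`, stores only a SHA-256 digest of each token, and reads "rotate" as "a new request invalidates the previous code".

```python
import hashlib
import hmac
import secrets
import time
from collections import defaultdict, deque

EXPIRATION_MINUTES = 10   # expirationMinutes from the PUT example on this page
MAX_REQUESTS = 3          # rateLimit.maxRequests
WINDOW_MINUTES = 15       # rateLimit.windowMinutes


class MagicLinkStore:
    """Hypothetical in-memory model of the token rules described above."""

    def __init__(self, clock=time.time):
        self.clock = clock
        self.pending = {}                    # email -> (sha256(token), expires_at)
        self.requests = defaultdict(deque)   # email -> timestamps of recent requests

    def issue(self, email):
        now = self.clock()
        recent = self.requests[email]
        # Sliding window: drop requests older than the window, then count the rest.
        while recent and recent[0] <= now - WINDOW_MINUTES * 60:
            recent.popleft()
        if len(recent) >= MAX_REQUESTS:
            return None                      # rate limited: no code is issued
        recent.append(now)
        token = secrets.token_urlsafe(32)    # 32 random bytes, URL-safe encoding
        digest = hashlib.sha256(token.encode()).digest()
        # Rotation: overwriting the entry invalidates any earlier code.
        self.pending[email] = (digest, now + EXPIRATION_MINUTES * 60)
        return token

    def redeem(self, email, token):
        entry = self.pending.get(email)
        if entry is None:
            return False
        digest, expires_at = entry
        presented = hashlib.sha256(token.encode()).digest()
        if not hmac.compare_digest(digest, presented):
            return False                     # wrong or rotated-out code
        del self.pending[email]              # single use, consumed even if expired
        return self.clock() < expires_at
```

Passing a fake `clock` lets you exercise expiry and the rate-limit window without waiting.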
The magic link email pulls subject, greeting, and CTA copy from your application's email template. Edit it in Dashboard → Application → Communications → Email Templates → Magic Link (see the Communications page), or programmatically:
curl -X PUT https://your-app.authaz.io/api/v1/applications/{appId}/email-templates/magic-link \
  -H "X-API-Key: $AUTHAZ_API_KEY" \
  -H "Content-Type: application/json" \
  -d '{
    "subject": "Your sign-in link to {{appName}}",
    "html": "<p>Hello {{userEmail}},</p><p>Click <a href=\"{{magicLink}}\">here</a> to sign in.</p>",
    "text": "Hello {{userEmail}}, sign in: {{magicLink}}"
  }'
Available variables: {{appName}}, {{userEmail}}, {{magicLink}}, {{code}}, {{expirationMinutes}}.
Onboarding-first products where typing a password is friction.
Low-frequency apps users sign into a few times a year — they'd reset their password anyway.
Mobile-first signup where the email naturally arrives on the same device.
Backup method alongside password or passkey — if a user's primary method fails, Magic Link still works as long as they control their email.
It's not a great fit for high-security workflows where someone with email access shouldn't be able to assume the user's identity. Pair it with MFA, or use Passkey instead.