Authentication

Magic Link Login Flow

Passwordless email authentication with time-limited, single-use links.

Overview

Meridian uses magic links to authenticate users without passwords. A user enters their email, receives a signed link, and clicks it to establish a session. Links expire after 15 minutes and are consumed on first use.

Step 1 — Request

POST /api/auth/magic/request

{
  "email": "user@example.com"
}

Rate-limited to 3 requests per email per 15-minute window; the limit is applied before the account lookup, so the limit itself reveals nothing. Returns 200 regardless of whether the email exists, so the response cannot be used for user enumeration. The response time must not differ either: send the email asynchronously, or the delay of the mail call reveals what the status code hides.

Step 2 — Delivery

A signed JWT is embedded in the link. The signature uses HMAC-SHA256 (HS256) with a server-side secret; the verifier accepts only HS256 and rejects any token whose header names another algorithm, including none, before looking at the signature. The token payload contains the user ID, email, issued-at timestamp, expiry, and a cryptographically random nonce. The nonce is stored in Upstash KV with the same 15-minute TTL as the token and is what enforces single use.

Email link format:

https://getnimbus.net/auth/verify?token=eyJhbG...xyz

Step 3 — Verify

GET /api/auth/magic/verify?token=...

  • Validates the JWT signature (HS256 only) and expiry (15 min max age, measured from the issued-at claim)
  • Consumes the nonce with a single atomic get-and-delete in KV; a missing nonce means the link was already used or has expired, and the request is rejected. Check-then-delete as two operations would let two concurrent requests both pass the check, so the check and the delete must be one operation
  • Sets httpOnly, Secure, SameSite=Lax session cookie
  • Redirects to /dashboard on success, /login?error=expired on failure

Caveat: because verification happens on a GET, a mail client or security gateway that pre-fetches links will consume the nonce before the user clicks and the user then sees the expired error. If that shows up in practice, have the GET render a page whose form POSTs the token to complete the exchange.
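The three steps above as one runnable flow, written as an added example (this is not the project's code). It assumes a random per-process HMAC key, an in-memory dict standing in for Upstash KV with a GETDEL-style atomic consume, and a hypothetical lookup_user helper; the token format, claim names and redirect strings beyond those on the page are the example's own choices. It shows the algorithm pinning, the age cap, the single-operation nonce consume, and the rate limit applied before the lookup.

```python
import base64
import hashlib
import hmac
import json
import secrets
import time

# Assumed configuration: a random per-process secret stands in for the
# server-side HMAC key; the project's real key and storage are not on the page.
SECRET = secrets.token_bytes(32)
TOKEN_TTL = 15 * 60          # link lifetime in seconds
RATE_LIMIT = 3               # requests per email per TOKEN_TTL window

# In-memory stand-in for Upstash KV: key -> (value, expires_at)
_kv = {}


def kv_set(key, value, ttl, now):
    _kv[key] = (value, now + ttl)


def kv_incr(key, ttl, now):
    """INCR with a window TTL: the counter resets once the window has passed."""
    val, exp = _kv.get(key, (0, 0))
    if exp <= now:
        val, exp = 0, now + ttl
    _kv[key] = (val + 1, exp)
    return val + 1


def kv_getdel(key, now):
    """Single atomic get-and-delete (Redis GETDEL); None if absent or expired."""
    entry = _kv.pop(key, None)
    if entry is None or entry[1] <= now:
        return None
    return entry[0]


def b64url(data):
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def b64url_decode(s):
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))


def request_magic_link(email, lookup_user, now=None):
    """Steps 1 and 2: rate-limit, then mint a link only for known accounts.

    Returns (status, link). lookup_user(email) -> user id or None is a
    hypothetical helper; the status is identical for known and unknown emails.
    """
    now = time.time() if now is None else now
    if kv_incr(f"rl:{email}", TOKEN_TTL, now) > RATE_LIMIT:
        return 429, None          # limit is applied before the lookup
    user_id = lookup_user(email)
    if user_id is None:
        return 200, None          # no email sent, same 200 as for a real user
    nonce = secrets.token_urlsafe(32)
    kv_set(f"nonce:{nonce}", user_id, TOKEN_TTL, now)   # same TTL as the token
    header = {"alg": "HS256", "typ": "JWT"}
    payload = {"sub": user_id, "email": email, "iat": int(now),
               "exp": int(now) + TOKEN_TTL, "nonce": nonce, "purpose": "magic_link"}
    signing_input = ".".join(b64url(json.dumps(x, separators=(",", ":")).encode())
                             for x in (header, payload))
    sig = hmac.new(SECRET, signing_input.encode(), hashlib.sha256).digest()
    return 200, f"https://getnimbus.net/auth/verify?token={signing_input}.{b64url(sig)}"


def verify_magic_link(token, now=None):
    """Step 3: returns (user_id, None) on success or (None, reason) on failure."""
    now = time.time() if now is None else now
    try:
        h_b64, p_b64, s_b64 = token.split(".")
        header = json.loads(b64url_decode(h_b64))
        payload = json.loads(b64url_decode(p_b64))
        sig = b64url_decode(s_b64)
    except ValueError:            # wrong part count, bad base64 or bad JSON
        return None, "malformed"
    if not isinstance(header, dict) or not isinstance(payload, dict):
        return None, "malformed"
    # Pin the algorithm: the token header must never choose it (alg=none, key confusion).
    if header.get("alg") != "HS256":
        return None, "bad_alg"
    expected = hmac.new(SECRET, f"{h_b64}.{p_b64}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(sig, expected):
        return None, "bad_signature"
    if payload.get("purpose") != "magic_link":      # a session JWT must not pass here
        return None, "wrong_purpose"
    iat, exp = payload.get("iat"), payload.get("exp")
    if not isinstance(iat, int) or not isinstance(exp, int):
        return None, "malformed"
    if not (iat <= now < exp) or exp - iat > TOKEN_TTL:   # cap age even if exp is generous
        return None, "expired"
    # One atomic operation both checks and consumes the nonce: no check-then-delete race.
    user_id = kv_getdel(f"nonce:{payload.get('nonce')}", now)
    if user_id is None or user_id != payload.get("sub"):
        return None, "consumed"
    return user_id, None
```

The expiry check runs before the nonce is consumed, so an expired link leaves KV untouched; the nonce check runs last, so a replayed link fails only after the signature has already been verified and the failure path does not leak whether the signature was valid. With a real Redis-compatible store, kv_getdel maps to GETDEL (or a DEL whose return value is checked), never to GET followed by DEL.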

Security Properties

Token lifetime       15 minutes, measured from the issued-at claim
Replay protection    Single-use nonce in KV, consumed atomically on verify
Transmission         TLS-only from the browser; the link travels in the email body, and email transport is not end-to-end protected, which is why the token is short-lived and single-use
Cookie flags         httpOnly, Secure, SameSite=Lax (Lax still sends the cookie on the top-level navigation from the email link)