Envello
Tutorial

Magic link login emails: security tradeoffs most guides skip

Envello Team·2026-07-17·5 min read

A magic link is convenient precisely because it's a bearer token: whoever has the link is treated as authenticated. That convenience is also the entire security tradeoff, and it's worth naming plainly rather than glossing over, since most "how to build magic links" guides focus on the happy path and skip this.

The core risk

Anyone with access to the link gets access to the account, no password required. That includes anyone who can read the recipient's inbox: a shared family email account, an employer's email system if it's a work address, or anyone who gains access to the mailbox itself, including through means unrelated to your product entirely. This isn't a reason to avoid magic links, it's a reason to design the rest of the flow around that specific risk.

What actually mitigates it

  • Short expiry, minutes, not hours. A magic link that's valid for a day is a much bigger window of exposure than one valid for 10 minutes
  • Single use: invalidate the link the moment it's used, so a forwarded or intercepted link that's already been consumed can't be replayed
  • Bind the link to the session or device that requested it where practical, so a link generated on one device being opened on a different one is at least a signal worth flagging, even if you don't block it outright
  • Log magic-link authentication events distinctly from password logins, so unusual patterns (a link used from a very different location than where it was requested) are visible in your own monitoring

The email-forwarding problem specifically

Some email clients and corporate mail filters automatically preview or scan links in incoming email, including clicking them, before the actual recipient ever sees the message. If your magic link performs the login action on the mere HTTP GET request itself, an automated scanner can consume the link before your user does. The safer pattern: the link lands on a confirmation page requiring an explicit user action (a button click) before the actual authentication happens, so a passive scanner visiting the URL doesn't burn the single use.

Envello

EU-hosted transactional email, done right by default.