Passwordless Auth

Magic Links

Offer a frictionless sign-in experience while keeping security controls in the hands of your super admin. This guide covers the feature switches, profile controls, API endpoints, and client hook provided in AuthCore 2.8.10.

System Flow

1. Super admin sets platform policies. From the Admin Console or configure(), the super admin enables magic links, email verification, and multi-factor policies for every tenant. Protect the route with SUPER_ADMIN checks and surface toggles from AdminSettings so the platform owns the baseline.
2. Tenant enables allowed features. Tenant administrators inherit the defaults and opt into magic links, email verification, and 2FA per organization. Locked switches mirror global restrictions. SecuritySettings handles the UI. Persist the decision alongside tenant metadata so adapters can read it per request.
3. User chooses profile preference. When policy allows, users turn on passwordless in their security tab. AuthCore stores their choice with device and 2FA metadata. Expose a translation-ready toggle inside ProfileSecurityCard so every locale gets accurate copy.
4. Auth pipeline enforces enabled features. During login, AuthCore checks tenant and user flags to decide if email verification, magic link, 2FA, or restore prompts are required. If 2FA is active the verify endpoint returns a challenge state and the client renders the two-factor form automatically.
5. Magic link email and verification. The user posts to /api/auth/magic-link. AuthCore issues a signed token, sends the email, and finalizes sign-in through /api/auth/verify with the enforced checks above. Use useMagicLink on the client to monitor status, surface resend messaging, and translate errors with auth.magicLinkFailed.
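
The layered checks in the flow above can be sketched as follows. This is an added example, not AuthCore's own code: the types and the functions clampTenantFlags, canRequestMagicLink and verifyOutcome are hypothetical, and it assumes a 2FA challenge applies when platform and tenant both enable 2FA or the user has enrolled.

```typescript
// Added example: hypothetical types and helpers, not AuthCore's API.
type Feature = "magicLink" | "emailVerification" | "twoFactor";
type Flags = Partial<Record<Feature, boolean>>;
type Outcome = "rejected" | "two_factor_challenge" | "signed_in";

const FEATURES: Feature[] = ["magicLink", "emailVerification", "twoFactor"];

// Server-side counterpart of a locked switch: whatever the tenant submits,
// keep only features the super admin approved. An unset flag counts as off.
function clampTenantFlags(platform: Flags, requested: Flags): Flags {
  const saved: Flags = {};
  for (const f of FEATURES) {
    saved[f] = platform[f] === true && requested[f] === true;
  }
  return saved;
}

// Gate for the request endpoint: every layer must have opted in, so a
// lower layer can narrow the policy but never widen it.
function canRequestMagicLink(platform: Flags, tenant: Flags, user: Flags): boolean {
  return [platform, tenant, user].every((layer) => layer.magicLink === true);
}

// Gate for the verify endpoint. tokenValid stands for the result of the
// signed-token check, which is outside this sketch.
function verifyOutcome(
  platform: Flags, tenant: Flags, user: Flags, tokenValid: boolean,
): Outcome {
  // Re-check policy at verify time: a link issued before a switch was
  // turned off must not complete sign-in afterwards.
  if (!tokenValid || !canRequestMagicLink(platform, tenant, user)) {
    return "rejected";
  }
  // Assumption: tenant-enforced 2FA or a user enrolment triggers the challenge.
  const tenantEnforced = platform.twoFactor === true && tenant.twoFactor === true;
  if (tenantEnforced || user.twoFactor === true) {
    return "two_factor_challenge";
  }
  return "signed_in";
}
```

Applying clampTenantFlags when the tenant settings are saved means a request that bypasses the locked UI switch still cannot enable a feature the platform disallows.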

Enable the feature (Super Admin)

Magic links, email verification, and 2FA are controlled centrally. Seed a super admin with npm run seed:admin, create a dedicated route (for example /admin/login) that renders <AuthForm mode="login" superAdminOnly /> or your own guarded component, and surface the toggle panel from <AdminSettings />.

Behind the scenes, the toggles call configure() and persist feature flags in the AuthCore metadata tables. You can also set them programmatically:

pages/api/admin/features.ts

Tenant-level policies

Organization owners can only enable options that the super admin approved. Inside the dashboard, the SecuritySettings component exposes switches for magic links, verification, and 2FA. Persist the selection to your tenant table and pass it into AuthCore during session creation:

pages/api/tenants/[tenantId]/security.ts

Let users toggle magic links from their profile

Once both the super admin and the tenant allow passwordless auth, surface a preference inside the profile security tab. This keeps the UX discoverable while respecting platform-wide guard rails.

components/ProfileMagicLinkToggle.tsx

Suggested translation keys: profile.security.magicLinkTitle, profile.security.magicLinkDescription, profile.security.magicLinkEnable, profile.security.magicLinkDisable, profile.security.magicLinkStatusOn, profile.security.magicLinkStatusOff.

Request & verify the link

AuthCore ships REST helpers so you do not have to wire tokens manually. The generated CLI templates include the endpoints below. They honour both the global and tenant flags before issuing an email.

pages/api/auth/magic-link.ts
pages/api/auth/verify.ts

On the client, use the useMagicLink hook. It exposes status, error, and sendMagicLink. The hook automatically polls verification status when the user clicks the emailed link.

components/MagicLinkForm.tsx

Translations

New copy strings for the magic link flow live in locales/en.json and locales/fr.json. Override them with registerDictionary() to support additional languages.