Magic Link Authentication
Magic Auth lets your users sign in without a password. When enabled, Seal sends a 6-digit verification code to the user’s email address. The user enters the code in the hosted login UI to complete authentication. No code changes are required in your application — Magic Auth works through the same OAuth 2.0 flow described in the Quick Start guide.
How it works
The Magic Auth flow adds an email verification step to the standard OAuth 2.0 authorization code flow:
- Your application redirects the user to Seal’s hosted login page
- The user enters their email address and selects Magic Auth
- Seal sends a 6-digit verification code to the user’s email
- The user enters the code in the hosted login UI
- Seal redirects back to your application with an authorization code
- Your backend exchanges the code for tokens, as in the standard flow
Magic Auth supports both sign-in and sign-up. New users who authenticate with a verification code are automatically registered.
Enable Magic Auth
- In the Seal portal, navigate to Authentication → Methods.
- Find Magic Auth under the Alternative Methods section.
- Toggle the switch to enable it.
Changes take effect immediately for new login flows.
Security features
Magic Auth includes several built-in security measures. These protections apply automatically and require no additional configuration.
Code expiration
Verification codes expire after 10 minutes. Expired codes cannot be used to authenticate, even if they have not been entered yet.
One-time use
Each verification code can be used exactly once. After a successful authentication, the code is immediately invalidated. Replaying a previously used code fails.
Code invalidation on resend
When a user requests a new verification code, all previously issued codes for that user are invalidated. Only the most recently sent code is valid at any time. This prevents confusion from multiple outstanding codes and limits the window of exposure if an earlier email is intercepted.
Rate limiting
Seal applies rate limits to both code verification attempts and code generation requests. A 3-minute deduplication window prevents the same email address from triggering multiple code emails in rapid succession. These limits protect against brute-force attacks and email flooding.
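How the four protections above interact, as an added example that models them and is not Seal's implementation. The `CodeStore` class, its method names, the hashed storage of codes and the `MAX_ATTEMPTS` value are assumptions; only the 10-minute expiry and the 3-minute deduplication window come from this page.

```python
import hashlib
import hmac
import secrets
from dataclasses import dataclass

CODE_TTL = 10 * 60      # from the page: codes expire after 10 minutes
DEDUP_WINDOW = 3 * 60   # from the page: 3-minute deduplication window
MAX_ATTEMPTS = 5        # assumption: the page does not state the attempt limit

@dataclass
class _Entry:
    digest: bytes
    issued_at: float
    attempts: int = 0
    valid: bool = True

class CodeStore:
    """In-memory model: at most one outstanding code per email address."""

    def __init__(self):
        self._entries = {}

    @staticmethod
    def _digest(code):
        # Keep only a hash so the store does not hold live codes in clear text.
        return hashlib.sha256(code.encode()).digest()

    def issue(self, email, now):
        """Return a new 6-digit code, or None inside the deduplication window."""
        entry = self._entries.get(email)
        if entry and now - entry.issued_at < DEDUP_WINDOW:
            return None  # no second email in rapid succession
        code = f"{secrets.randbelow(10**6):06d}"  # CSPRNG, keeps leading zeros
        # Overwriting the entry invalidates every earlier code for this address.
        self._entries[email] = _Entry(self._digest(code), now)
        return code

    def verify(self, email, code, now):
        """True only for the latest, unexpired, unused code within the attempt limit."""
        entry = self._entries.get(email)
        if entry is None or not entry.valid or now - entry.issued_at >= CODE_TTL:
            return False
        entry.attempts += 1
        ok = hmac.compare_digest(entry.digest, self._digest(code))
        if ok or entry.attempts >= MAX_ATTEMPTS:
            entry.valid = False  # one-time use, or locked after too many guesses
        return ok
```

The attempt limit is what makes a 6-digit code safe: with at most `MAX_ATTEMPTS` guesses per issued code, each code gives a guesser a 5 in 1,000,000 chance, and the deduplication window bounds how often a fresh code can be requested.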
Next steps
- Social Login — let users sign in with Google or Microsoft
- Set up organizations — group users by customer with domain routing
- Explore the API reference — manage users, organizations, and sessions programmatically