Magic Links
Session uses magic links for authentication instead of passwords. Here's how they work.
What Are Magic Links?
A magic link is a special URL sent to your email that signs you in automatically. Instead of remembering a password, you just:
- Enter your email
- Click the link in your email
- You're signed in
How It Works
- Request - You enter your email on the sign-in page
- Send - Session sends an email with a unique, time-limited link
- Verify - Clicking the link proves you own that email address
- Session - A secure session is created in your browser
Security
Magic links are secure because:
- Unique - Each link contains a single-use token
- Time-limited - Links expire after 15 minutes
- Email-verified - Only someone with access to your email can use the link
- No passwords to steal - There's nothing to phish or leak
Common Questions
How long do magic links last?
Links expire after 15 minutes. If yours has expired, request a new one.
Can I reuse a magic link?
No, each link works only once. After you click it, you'll need a new link to sign in again.
Why didn't I receive my magic link?
- Check your spam/junk folder
- Make sure you entered the correct email
- Wait a minute and try again
- Add noreply@joinsession.io to your contacts
Can I stay signed in?
Yes. Once you click a magic link, you stay signed in until you:
- Sign out manually
- Clear your browser data
- Go an extended period without visiting
What if someone intercepts my magic link?
Magic links expire quickly and work only once. If someone intercepts it:
- They'd need to use it within 15 minutes
- Once used, it can't be used again
- You'd know if someone else used it (your own click wouldn't sign you in)
Why Not Passwords?
Magic links eliminate common password problems:
| Passwords | Magic Links |
|---|---|
| Can be weak or reused | Unique every time |
| Can be phished | Sent directly to your email |
| Need to be remembered | Nothing to remember |
| Can be leaked in breaches | No database of credentials |
For Coaches
As a coach, your members sign in the same way. Benefits:
- No password reset support requests
- No compromised credential risks
- Simpler onboarding for new members
- Works across all devices
Technical Details
For those interested:
- Links use cryptographically secure random tokens
- Tokens are hashed before storage
- Each token is single-use and time-limited
- Sessions use secure, HTTP-only cookies
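The four properties above, sketched as an added example (this is not Session's own code). The in-memory store, the choice of SHA-256, the cookie name, and the `SameSite` attribute are assumptions made for illustration; only the 15-minute lifetime, hashing before storage, single use, and Secure/HTTP-only cookies come from this page.

```python
import hashlib
import secrets
import time

TOKEN_TTL_SECONDS = 15 * 60  # the page's 15-minute link lifetime


class MagicLinkStore:
    """In-memory stand-in for a database table (assumption of this example)."""

    def __init__(self, clock=time.time):
        self._clock = clock
        self._pending = {}  # sha256(token) hex -> (email, expires_at)

    @staticmethod
    def _digest(token: str) -> str:
        # Only the hash is stored, so a leaked table yields no usable links.
        # SHA-256 is an assumption; a fast hash suffices for a 256-bit random token.
        return hashlib.sha256(token.encode("utf-8", "replace")).hexdigest()

    def issue(self, email: str) -> str:
        """Create a token for `email`; the raw value goes only into the emailed URL."""
        token = secrets.token_urlsafe(32)  # 32 bytes from the OS CSPRNG
        self._pending[self._digest(token)] = (email, self._clock() + TOKEN_TTL_SECONDS)
        return token

    def redeem(self, token: str):
        """Return the email if the token is valid, else None. Always consumes it."""
        # pop() deletes the record before the expiry check, so a token can be
        # presented once at most, whether or not that attempt succeeds.
        record = self._pending.pop(self._digest(token), None)
        if record is None:
            return None  # unknown or already used
        email, expires_at = record
        if self._clock() > expires_at:
            return None  # expired
        return email


def session_cookie_header(session_id: str) -> str:
    """Set-Cookie value for the session created after a successful redeem."""
    # Cookie name and SameSite=Lax are assumptions; Secure and HttpOnly are from the page.
    return f"session={session_id}; Path=/; Secure; HttpOnly; SameSite=Lax"
```

With a real database, the lookup and delete in `redeem` need to be one atomic statement so that two simultaneous clicks on the same link cannot both succeed.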