Magic Link

Passwordless authentication via email magic links.

Magic Link Authentication

Passwordless authentication that sends a one-time login link to the user's email address. The user clicks the link to authenticate without entering a password.

Request Magic Link

POST/api/v1/auth/magic-link/request

Send a magic link email to the specified address. The link contains a one-time token that can be exchanged for JWT tokens.

Authentication:No Auth Required

Request Parameters

ParameterTypeRequiredDescription
emailstring RequiredThe email address to send the magic link to.
sourcestringOptionalWhere the magic link was requested from. One of: mobile, web. Affects the format of the generated link.
allow_registrationbooleanOptionalIf true, a new account is created when no account exists for this email. Defaults to false.
referral_codestringOptionalReferral code from an existing user. Only used when allow_registration is true and a new account is created.
terms_acceptedbooleanOptionalWhether the user has accepted the terms of service. Required when allow_registration is true.

Code Examples 

curl -X POST https://api.orbai.world/api/v1/auth/magic-link/request \
  -H "Content-Type: application/json" \
  -d '{
    "email": "user@example.com",
    "source": "web",
    "allow_registration": true,
    "terms_accepted": true
  }'

Responses

200Magic link email sent successfully.
{
  "success": true,
  "data": {
    "email": "user@example.com",
    "expires_at": "2026-02-08T13:15:00Z",
    "is_new_user": false,
    "expires_in_minutes": 15
  }
}
404No account exists for this email and allow_registration is false.
{
  "success": false,
  "error": {
    "code": "USER_NOT_FOUND",
    "message": "No account found for this email address."
  }
}
429Too many magic link requests. Rate limited.
{
  "success": false,
  "error": {
    "code": "RATE_LIMITED",
    "message": "Too many magic link requests. Please wait before trying again.",
    "retry_after": 60
  }
}

Verify Magic Link

POST/api/v1/auth/magic-link/verify

Exchange the magic link token for JWT access and refresh tokens. The token is single-use and expires after the time indicated in the request response.

Authentication:No Auth Required

Request Parameters

ParameterTypeRequiredDescription
tokenstring RequiredThe one-time token from the magic link URL.
device_idstringOptionalUnique device identifier (UUID recommended).
platformstringOptionalClient platform. One of: ios, android, windows, macos, linux, web.
device_namestringOptionalHuman-readable device name.
fcm_tokenstringOptionalFirebase Cloud Messaging token for push notifications.

Code Examples 

curl -X POST https://api.orbai.world/api/v1/auth/magic-link/verify \
  -H "Content-Type: application/json" \
  -d '{
    "token": "mlk_a1b2c3d4e5f6...",
    "device_id": "550e8400-e29b-41d4-a716-446655440000",
    "platform": "web",
    "device_name": "Chrome on MacBook"
  }'

Responses

200Token verified successfully. Returns the standard AuthResponse with user profile, JWT tokens, and subscription.
{
  "success": true,
  "data": {
    "user": {
      "id": 1,
      "uuid": "usr_abc123",
      "username": "john_doe",
      "email": "user@example.com",
      "role": "USER",
      "active": true
    },
    "tokens": {
      "access_token": "eyJhbGciOiJIUzI1NiIs...",
      "refresh_token": "dGhpcyBpcyBhIHJlZnJlc2...",
      "access_token_expires_at": "2026-02-09T12:00:00Z",
      "refresh_token_expires_at": "2026-03-08T12:00:00Z",
      "token_type": "Bearer"
    },
    "subscription": {
      "plan_name": "Premium",
      "status": "active",
      "expires_at": "2026-12-31T23:59:59Z"
    },
    "requires_2fa": false
  }
}
401The magic link token is invalid, expired, or has already been used.
{
  "success": false,
  "error": {
    "code": "INVALID_MAGIC_LINK",
    "message": "This magic link is invalid or has expired. Please request a new one."
  }
}

Flow Overview

1

Request magic link

Your client calls POST /api/v1/auth/magic-link/request with the user's email. The API sends a magic link to their inbox.

2

User clicks the link

The user opens their email and clicks the magic link. The link redirects to your application with a token parameter in the URL.

3

Verify the token

Your client extracts the token from the URL and calls POST /api/v1/auth/magic-link/verify to exchange it for JWT tokens.

4

User is authenticated

On success, you receive the standard AuthResponse with access and refresh tokens. Store them securely and proceed with the authenticated session.

Token Expiration

Magic link tokens expire after 15 minutes and can only be used once. If the token has expired, the user must request a new magic link.

Mobile Deep Links

When source is set to mobile, the magic link uses a deep link URL scheme that opens directly in the mobile app. For web, a standard HTTPS link is used.

Related Endpoints

  • Login -- Email/password authentication
  • Register -- Create account with password
  • OAuth Login -- Social provider authentication

OAuth Social Login

Previous Page

Two-Factor Authentication

Next Page

On this page

Magic Link Authentication
Request Magic Link
Request Parameters
Code Examples
Responses
Verify Magic Link
Request Parameters
Code Examples
Responses
Flow Overview
Related Endpoints