Magic-link login — when to use it

Magic-link login signs you in by clicking a one-time link sent to your registered email — no password required.

Why use magic-link

• Shared device — no chance of saving the password into someone else's browser.
• Forgot the password — quicker than the full reset flow.
• Phone keyboard — typing a 12-character password is unpleasant.

How it works

1. /auth/login → "Send me a magic link".
2. The link arrives in 30–60 seconds. Valid for 15 minutes; one-time use.
3. Click it from the same browser you started in (this prevents session hijacking).
4. You're signed in.

When NOT to use magic-link

• If your email is compromised. Anyone with access to your inbox can request the link and sign in. Lock down the email first.
• If the device is shared and the link is opened in a different browser, the magic link won't work — you'll need to start the request again.

Setting it as your default

You can disable password login entirely from /profile/security. We don't recommend this for daily users — magic-link relies on email being available, which isn't always the case.