@radzor/magic-link-auth

Passwordless authentication via email magic links. Generates signed tokens, sends links via email, and verifies them on callback. Zero-dependency token management with configurable TTL and single-use enforcement.

Authenticationv0.1.0typescriptpythonServermagic-linkpasswordlessauthemailtokensecurityby Radzor

Install

View source on GitHub →

$npx radzor@latest add magic-link-auth

⚠ Constraints: generateLink() only creates the URL — you must send it via @radzor/email-send or similar. Tokens are stored in-memory by default; restart clears all pending tokens. For multi-instance deployments, use an external store.

Inputs

Name	Type	Default	Description
secret*	string	—	Secret key used to sign and verify magic link tokens (HMAC-SHA256).MAGIC_LINK_SECRET
tokenTtl	number	900	Token expiry in seconds (default: 15 minutes).
baseUrl*	string	—	Base URL for magic link callback (e.g. https://app.example.com/auth/verify).
singleUse	boolean	true	Invalidate token after first successful verification.

secret*string

Secret key used to sign and verify magic link tokens (HMAC-SHA256).

MAGIC_LINK_SECRET

{ "llm": { "constraints": "generateLink() only creates the URL — you must send it via @radzor/email-send or similar. Tokens are stored in-memory by default; restart clears all pending tokens. For multi-instance deployments, use an external store.", "usageExamples": "llm/examples.md", "integrationPrompt": "llm/integration.md" }, "name": "@radzor/magic-link-auth", "tags": [ "magic-link", "passwordless", "auth", "email", "token", "security" ], "events": [ { "name": "onLinkSent", "payload": { "email": "string", "expiresAt": "number" }, "description": "Fired when a magic link is generated and ready to send." }, { "name": "onVerified", "payload": { "email": "string", "tokenId": "string" }, "description": "Fired when a magic link token is successfully verified." }, { "name": "onExpired", "payload": { "email": "string" }, "description": "Fired when a token is used after its TTL has elapsed." }, { "name": "onError", "payload": { "code": "string", "message": "string" }, "description": "Fired on token generation or verification error." } ], "inputs": [ { "name": "secret", "type": "string", "envVar": "MAGIC_LINK_SECRET", "required": true, "description": "Secret key used to sign and verify magic link tokens (HMAC-SHA256)." }, { "name": "tokenTtl", "type": "number", "default": 900, "required": false, "description": "Token expiry in seconds (default: 15 minutes)." }, { "name": "baseUrl", "type": "string", "required": true, "description": "Base URL for magic link callback (e.g. https://app.example.com/auth/verify)." }, { "name": "singleUse", "type": "boolean", "default": true, "required": false, "description": "Invalidate token after first successful verification." } ], "radzor": "1.0.0", "actions": [ { "name": "generateLink", "params": [ { "name": "email", "type": "string", "description": "Email address to authenticate." } ], "returns": "Promise<{ url: string; token: string; expiresAt: number }>", "description": "Generate a signed magic link URL for the given email. Send this URL to the user via email." }, { "name": "verifyToken", "params": [ { "name": "token", "type": "string", "description": "Token extracted from the magic link callback URL." } ], "returns": "Promise<{ email: string; valid: boolean }>", "description": "Verify a magic link token. Returns the email if valid, throws if expired or already used." }, { "name": "revokeToken", "params": [ { "name": "token", "type": "string", "description": "Token to invalidate." } ], "returns": "Promise<void>", "description": "Manually invalidate a token before it expires." } ], "outputs": [ { "name": "verifiedEmail", "type": "string", "description": "Email address of the successfully authenticated user." }, { "name": "tokenMeta", "type": "{ email: string; expiresAt: number; used: boolean }", "description": "Token metadata including email, expiry, and usage status." } ], "runtime": "server", "version": "0.1.0", "category": "auth", "languages": [ "typescript", "python" ], "description": "Passwordless authentication via email magic links. Generates signed tokens, sends links via email, and verifies them on callback. Zero-dependency token management with configurable TTL and single-use enforcement.", "dependencies": { "packages": {} }, "composability": { "connectsTo": [ { "output": "verifiedEmail", "compatibleWith": [ "@radzor/session-manager.action.create.data" ] }, { "output": "tokenMeta", "compatibleWith": [ "@radzor/email-send.action.send.message" ] } ] } }

@radzor/magic-link-auth

Install

Inputs

Outputs

Actions

Events

Composability

radzor.manifest.json

Version History

Name	Type	Description
verifiedEmail	string	Email address of the successfully authenticated user.
tokenMeta	{ email: string; expiresAt: number; used: boolean }	Token metadata including email, expiry, and usage status.