
How to Add Magic Links to FastAPI

Implement passwordless magic-link auth in FastAPI with secure callback handling, token expiry, and exchange-based session delivery.

Magic links are a common FastAPI auth requirement because they keep onboarding simple and work well for browser-based apps. The implementation detail that matters most is not the email template, but how the callback and token exchange are secured.

What you need before you start

The cleanest implementation path begins with explicit routing, callback, and ownership decisions.

  • Choose an email provider and define which app_id owns the flow.
  • Set clear redirect allowlists for every frontend callback that can receive the login handoff.
  • Decide how the browser will exchange the callback result for tokens without leaving credentials in the URL.

Implementation path

This is the shortest path from a blank auth service to a production-ready flow with isolation and recovery in place.

Create the request endpoint

Accept email and redirect URL, validate the redirect strictly, and issue a short-lived one-time token bound to the app.

Verify and exchange safely

Turn the clicked link into a secure server-side verification step and hand the browser an exchange code rather than final tokens in the query string.

Add resend and audit behavior

Handle expiry, replay, and support visibility so real users can recover when links expire or email delivery lags.

Avoid these mistakes

Most rework comes from taking shortcuts around token delivery, redirect matching, or app boundaries.

  • Do not store raw magic-link tokens; storing a hash of the token is all that verification needs.
  • Do not use prefix-based redirect checks; match redirects against an allowlist exactly, or after properly parsing the URL.
  • Do not assume passwordless means low-risk. The callback is still an auth boundary.
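The three steps of the implementation path and the token-hashing and redirect-allowlist points in the list above, as one runnable example added here. This is framework-independent Python written for this page, not code from the guide or from any project; each public method is what a FastAPI route would call. The app id, allowlist URL, auth host, TTLs and the in-memory dicts that stand in for a database are constructed assumptions.

```python
from __future__ import annotations

import hashlib
import secrets
import time
from dataclasses import dataclass
from typing import Callable, Optional
from urllib.parse import urlsplit

# Constructed configuration for this example; a real service loads it per app_id.
APP_ID = "demo-app"
REDIRECT_ALLOWLIST = {APP_ID: {"https://app.example.test/auth/callback"}}
AUTH_BASE = "https://auth.example.test"
LINK_TTL_SECONDS = 600      # the clicked link must arrive within 10 minutes
EXCHANGE_TTL_SECONDS = 60   # the browser must swap the code for a session within 1 minute


def _hash(secret: str) -> str:
    """Only the SHA-256 of a token or code is ever stored; the raw value lives in the link alone."""
    return hashlib.sha256(secret.encode("utf-8")).hexdigest()


def _normalize(url: str) -> Optional[str]:
    """Parse the URL and rebuild scheme, host, path and query so two URLs can be compared exactly."""
    p = urlsplit(url)
    if p.scheme != "https" or not p.netloc or "@" in p.netloc or p.fragment:
        return None
    return f"https://{p.netloc.lower()}{p.path or '/'}" + (f"?{p.query}" if p.query else "")


def redirect_allowed(app_id: str, redirect_url: str) -> bool:
    """Exact allowlist match per app. A prefix test such as
    redirect_url.startswith("https://app.example.test") would also accept
    https://app.example.test.attacker.test/..., which is why no prefix test is used here."""
    allowed = {_normalize(u) for u in REDIRECT_ALLOWLIST.get(app_id, ())}
    candidate = _normalize(redirect_url)
    return candidate is not None and candidate in allowed


@dataclass
class _Record:
    app_id: str
    email: str
    redirect_url: str
    expires_at: float
    used: bool = False


class MagicLinkService:
    """Core of the flow; the clock is injectable so expiry can be tested deterministically."""

    def __init__(self, now: Callable[[], float] = time.time) -> None:
        self._now = now
        self._links: dict[str, _Record] = {}    # sha256(token) -> record
        self._codes: dict[str, _Record] = {}    # sha256(exchange code) -> record
        self.audit: list[tuple[str, str]] = []  # (event, email), kept for support visibility

    def request_link(self, app_id: str, email: str, redirect_url: str) -> str:
        """Step 1: validate the redirect strictly, then issue a short-lived one-time token bound to the app."""
        if not redirect_allowed(app_id, redirect_url):
            self.audit.append(("redirect_rejected", email))
            raise ValueError("redirect_url is not allowlisted for this app")
        # Resend: any earlier unused link for the same email and app is retired first.
        for rec in self._links.values():
            if rec.app_id == app_id and rec.email == email:
                rec.used = True
        token = secrets.token_urlsafe(32)
        self._links[_hash(token)] = _Record(app_id, email, redirect_url, self._now() + LINK_TTL_SECONDS)
        self.audit.append(("link_issued", email))
        return f"{AUTH_BASE}/verify?app_id={app_id}&token={token}"

    def verify(self, app_id: str, token: str) -> str:
        """Step 2: verify the clicked link server-side and redirect with an exchange code, never with tokens."""
        rec = self._links.get(_hash(token))
        if rec is None or rec.app_id != app_id or rec.used or rec.expires_at < self._now():
            self.audit.append(("verify_failed", rec.email if rec else "unknown"))
            raise PermissionError("link is invalid, expired, or already used")
        rec.used = True  # one-time: replaying the same link from here on fails
        code = secrets.token_urlsafe(32)
        self._codes[_hash(code)] = _Record(app_id, rec.email, rec.redirect_url, self._now() + EXCHANGE_TTL_SECONDS)
        self.audit.append(("link_verified", rec.email))
        sep = "&" if "?" in rec.redirect_url else "?"
        return f"{rec.redirect_url}{sep}code={code}"

    def exchange(self, app_id: str, code: str) -> dict:
        """Step 2, browser side: the frontend POSTs the code and receives session material in the response body."""
        rec = self._codes.pop(_hash(code), None)  # pop: a code is consumed on first use
        if rec is None or rec.app_id != app_id or rec.expires_at < self._now():
            raise PermissionError("exchange code is invalid or expired")
        self.audit.append(("session_issued", rec.email))
        return {"email": rec.email, "session_token": secrets.token_urlsafe(32)}
```

The browser never sees a session token in a URL: the email link carries only the one-time token, the callback redirect carries only a one-minute exchange code, and the session material comes back in the body of the exchange response. The `audit` list is what a support view would read when a user reports that a link "did not work".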

FAQ

Questions teams ask before they ship

Why use an exchange code instead of returning JWTs directly from the email link?

It keeps access tokens out of browser history, logs, and copied URLs while still preserving a smooth user flow.

Can FastAPI handle magic-link auth cleanly?

Yes. The important part is designing the flow as a real authentication handoff with short-lived tokens and strict redirect validation.