Appearance
Magic Links
MicroTalks uses magic links for authentication — no passwords needed. Here's how they work and why they're secure.
How Magic Links Work
- You enter your email address on the sign-in page.
- MicroTalks generates a unique, cryptographically secure token.
- An email is sent to your address with a link containing that token.
- You click the link, and MicroTalks verifies the token and signs you in.
That's it — no password to create, remember, or reset.
Security Model
Magic links are designed to be secure:
| Property | Detail |
|---|---|
| Token generation | 32-byte URL-safe token via secrets.token_urlsafe |
| Expiry | 15 minutes from creation |
| One-time use | Each token can only be used once |
| No enumeration | The sign-in page doesn't reveal whether an email exists |
| Rate limiting | Max 5 magic link requests per minute per IP address |
Why No Passwords?
| Passwords | Magic Links |
|---|---|
| Can be weak or reused | Token is cryptographically random |
| Vulnerable to brute force | Tokens expire in 15 minutes |
| Require secure storage (hashing) | No password database to breach |
| Users forget them | Nothing to remember |
| Phishing targets | Link is unique and one-time |
Token Lifecycle
Request → Token created (15-min expiry)
→ Email sent with verify link
→ User clicks link
→ Token validated & marked as used
→ Session created → User signed inIf the token is expired or already used, the user sees an error and can request a new one.
First-Time Users
If you sign in with an email that doesn't have an account yet, MicroTalks automatically creates one. There's no separate registration step — just enter your email and click the link.
Your browser timezone is captured on sign-in so session times can be displayed in your local time.
Session Persistence
After signing in, your session is maintained via a secure cookie. You stay signed in until you explicitly log out or the session expires.
Frequently Asked Questions
My magic link expired. What do I do?
Just go back to the sign-in page and request a new one. Links expire after 15 minutes for security.
Can I use the same link twice?
No. Each magic link can only be used once. After clicking it, the token is marked as used. Request a new link if needed.
I didn't request a magic link but received one. Should I worry?
Someone may have entered your email by mistake. The link is harmless if you don't click it — it will expire in 15 minutes. If you're concerned, you can safely ignore it.