Also known as: email OTP, passwordless email login, magic email link
Definition
A magic link is a one-time email token that is exchanged for a Supabase session when clicked. Magic links are single-use, rate-limited (default one per 60 seconds per user), expire after one hour, and use the PKCE flow when configured with token-hash email templates.
A magic link is a passwordless authentication method. The user submits their email, Supabase emails a link containing a one-time token, the user clicks it, and a server-side route exchanges the token for a session. No password is ever stored or transmitted.
The token is single-use by default: once exchanged, it is invalidated server-side. Even if the email leaks through forwarded inbox archives or compromised browser extensions, the window of abuse closes the moment the legitimate user clicks the link. The default rate limit (one request per 60 seconds per user) throttles attempts to flood a user's inbox with login emails.
Implement the exchange as a server-side Route Handler at /auth/confirm that reads the token_hash and type parameters from the URL, calls supabase.auth.verifyOtp({ type: 'magiclink', token_hash }), and on success redirects to a validated next path. Never call verifyOtp from a Client Component: doing so bypasses the server-side cookie write and exposes the token to inline scripts.
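As an added example (not Supabase's or Next.js's own code), the handler described above written framework-neutrally: the Supabase auth client is injected through a minimal OtpVerifier interface (an assumption, covering only the verifyOtp call), and sanitizeNext shows what "validated next path" has to reject so the confirm route cannot become an open redirect.

```typescript
// Only the slice of the Supabase auth client this handler uses (assumed shape);
// in a real Route Handler pass the server client's auth object here.
interface OtpVerifier {
  verifyOtp(params: { type: 'magiclink'; token_hash: string }): Promise<{ error: { message: string } | null }>;
}

interface ConfirmResult {
  ok: boolean;
  location: string; // where the browser is redirected (303)
}

// Accept only same-origin, path-only values for `next`. Protocol-relative
// ("//evil.example") and backslash variants are rejected because browsers
// treat them as a new origin; CR/LF is rejected to prevent header injection.
function sanitizeNext(next: string | null, fallback = '/'): string {
  if (!next || !next.startsWith('/')) return fallback;
  if (next.startsWith('//') || next.startsWith('/\\')) return fallback;
  if (/[\r\n]/.test(next)) return fallback;
  return next;
}

// Reads token_hash/type from the request URL, exchanges the one-time token for a
// session on the server, and redirects to the validated `next` path.
async function handleConfirm(requestUrl: string, supabase: OtpVerifier): Promise<ConfirmResult> {
  const url = new URL(requestUrl);
  const tokenHash = url.searchParams.get('token_hash');
  const type = url.searchParams.get('type');
  const next = sanitizeNext(url.searchParams.get('next'));

  // This route only handles the magic-link flow; anything else is an error.
  if (!tokenHash || type !== 'magiclink') {
    return { ok: false, location: '/auth/error' };
  }

  const { error } = await supabase.verifyOtp({ type: 'magiclink', token_hash: tokenHash });
  if (error) {
    // A reused (single-use) or expired (one hour) link lands here.
    // The token is never echoed back into the redirect URL.
    return { ok: false, location: '/auth/error' };
  }
  return { ok: true, location: next };
}
```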