Qeet Docs
Authentication

Magic links

Passwordless sign-in via single-use, TTL-bound email links — enumeration-safe and replay-protected.

Magic links email a one-time URL that signs the user in when consumed. Qeet ID's magic links are single-use and TTL-bound, and starting one is enumeration-safe (no signal about whether the address exists).

Flow

The user enters their email; Qeet ID emails a link containing a single-use token.

POST/v1/auth/magic-link/startEmail a magic link
Bash
curl -X POST https://api.qeetid.com/v1/auth/magic-link/start \
  -H "Content-Type: application/json" \
  -d '{"email":"alex@acme.com"}'

Consume the token

Your landing page extracts the token from the URL and posts it back. On success, Qeet ID returns a token pair.

POST/v1/auth/magic-link/consumeConsume → token pair

Security properties

  • Single-use. Consuming the token invalidates it.
  • Short-lived. Tokens expire after a TTL.
  • Enumeration-safe. Starting a link doesn't reveal whether the account exists.
  • Rate-limited. Per IP, email, and tenant (see Rate limits).

Deliverability

Magic links depend on email delivery. Configure a sending domain with SPF/DKIM/DMARC for production. Templates are customizable per tenant under Branding & email templates.

Passkeys / WebAuthn

Phishing-resistant passwordless sign-in with WebAuthn passkeys — registration, login, and credential management.

Social login

Per-tenant social/OIDC providers with JIT provisioning and account linking via external identities.

On this page

FlowStart a magic linkConsume the tokenSecurity properties