Magic-link authentication
Booking SaaS uses email magic links rather than passwords.
Create an account
bash
curl -X POST "$BOOKING_URL/api/auth/signup" \
-H "Content-Type: application/json" \
-d '{
"accountName": "Harbour Yoga",
"email": "owner@example.com",
"displayName": "Studio Owner"
}'The email adapter receives a single-use link valid for 15 minutes. Only demo mode returns its token in the response.
Request a new link
bash
curl -X POST "$BOOKING_URL/api/auth/magic-links" \
-H "Content-Type: application/json" \
-d '{"email":"owner@example.com"}'Consume the link
bash
curl -X POST "$BOOKING_URL/api/auth/magic-links/consume" \
-H "Content-Type: application/json" \
-d '{"token":"TOKEN_FROM_EMAIL"}'Store session.id as a secret bearer credential. Sessions currently expire after 30 days. Log out by posting to /api/auth/logout with the bearer header; clients must then remove their local copy.
Do not log magic-link tokens, URLs, bearer sessions, or authorization headers.