Skip to content

Magic-link authentication

Booking SaaS uses email magic links rather than passwords.

Create an account

bash
curl -X POST "$BOOKING_URL/api/auth/signup" \
  -H "Content-Type: application/json" \
  -d '{
    "accountName": "Harbour Yoga",
    "email": "owner@example.com",
    "displayName": "Studio Owner"
  }'

The email adapter receives a single-use link valid for 15 minutes. Only demo mode returns its token in the response.

bash
curl -X POST "$BOOKING_URL/api/auth/magic-links" \
  -H "Content-Type: application/json" \
  -d '{"email":"owner@example.com"}'
bash
curl -X POST "$BOOKING_URL/api/auth/magic-links/consume" \
  -H "Content-Type: application/json" \
  -d '{"token":"TOKEN_FROM_EMAIL"}'

Store session.id as a secret bearer credential. Sessions currently expire after 30 days. Log out by posting to /api/auth/logout with the bearer header; clients must then remove their local copy.

Do not log magic-link tokens, URLs, bearer sessions, or authorization headers.

Booking SaaS implementation documentation