Set up magic-link sign-in

Skip the password. Users enter their email, click the link Quackback sends them, and they're in. No password to remember, no reset flows.

Magic link replaces the older 6-digit email code (email OTP). Workspaces that had email OTP enabled were moved to magic link automatically on upgrade. Magic link is off by default for portal users and on by default for team members.

How it works

  1. The user enters their email on the sign-in page.
  2. Quackback emails them a one-click sign-in link (valid for 10 minutes).
  3. They click the link and a session is created.

The same link is used for team invitations and recovery-code sign-in, so those flows keep working even when magic link is turned off on the sign-in form.
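The lifecycle in the steps above can be sketched as follows. This is an added example, not Quackback's own code. The `MagicLinkStore` class, the in-memory table, hash-only storage and single-use redemption are assumptions made for illustration; only the 10-minute validity comes from this page.

```python
import hashlib
import secrets
import time

LINK_TTL_SECONDS = 10 * 60  # the page states links are valid for 10 minutes


class MagicLinkStore:
    """Hypothetical in-memory stand-in for a server-side token table."""

    def __init__(self, clock=time.time):
        self._clock = clock
        self._pending = {}  # sha256(token) -> (email, expires_at)

    @staticmethod
    def _digest(token):
        return hashlib.sha256(token.encode("utf-8")).hexdigest()

    def issue(self, email):
        """Step 2: mint a token for `email`; only its hash is stored."""
        token = secrets.token_urlsafe(32)  # 256 bits from the OS CSPRNG
        expires_at = self._clock() + LINK_TTL_SECONDS
        self._pending[self._digest(token)] = (email.strip().lower(), expires_at)
        return token  # placed in the emailed URL

    def redeem(self, token):
        """Step 3: return the email for a valid token, else None."""
        # pop() removes the record on first use, so a replayed link fails
        # (single use is an assumption of this example).
        record = self._pending.pop(self._digest(token), None)
        if record is None:
            return None  # unknown, tampered, or already used
        email, expires_at = record
        if self._clock() >= expires_at:
            return None  # link is older than the validity window
        return email


def demo():
    """Exercise first use, replay, and expiry with a constructed clock."""
    now = [1_700_000_000.0]  # constructed timestamp, advanced by hand
    store = MagicLinkStore(clock=lambda: now[0])
    token = store.issue("User@Example.com")
    first = store.redeem(token)
    replay = store.redeem(token)
    stale = store.issue("user@example.com")
    now[0] += LINK_TTL_SECONDS + 1
    expired = store.redeem(stale)
    return first, replay, expired
```

Because only the SHA-256 digest of each token is kept, a leak of the pending table does not hand out working sign-in links.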

Turn it on

Magic link is configured separately for each audience.

Portal users

  1. Go to Admin → Settings → Security, then the Portal tab.
  2. Toggle Magic link on.

Team members

  1. Go to Admin → Settings → Security, then the Team tab.
  2. Toggle Magic link on or off under Sign-in methods.

For team members the toggle only controls whether magic link appears on the sign-in form. Invitations and recovery-code sign-in always send a link regardless of the toggle.

Email delivery

Magic link needs a way to send email. Without one, the link is logged to the server console (useful in development only).

Configure SMTP or Resend with the EMAIL_* environment variables — see Email delivery for provider setup.

Don't require SSO enforcement or rely on magic link in production until email delivery is working. If links can't be sent, affected users can't sign in.

Sign-in hardening

Magic-link requests are rate-limited per IP and email address, and Quackback emails the account owner when a sign-in happens from a new device. Team admins can turn the new-device email off under Admin → Settings → Security → Team.
