class Stytch::MagicLinks
def authenticate(
If a valid `telemetry_id` was passed in the request and the [Fingerprint Lookup API](https://stytch.com/docs/fraud/api/fingerprint-lookup) returned results, the `user_device` response field will contain information about the user's device attributes.
user_device::
The type of this field is nilable +Session+ (+object+).
See [Session object](https://stytch.com/docs/api/session-object) for complete response fields.
If you initiate a Session, by including `session_duration_minutes` in your authenticate call, you'll receive a full Session object in the response.
session::
The type of this field is +Integer+.
The HTTP status code of the response. Stytch follows standard HTTP response status code patterns, e.g. 2XX values equate to success, 3XX values are redirects, 4XX are client errors, and 5XX are server errors.
status_code::
The type of this field is +Boolean+.
Indicates if all other of the User's Sessions need to be reset. You should check this field if you aren't using Stytch's Session product. If you are using Stytch's Session product, we revoke the User's other sessions for you.
reset_sessions::
The type of this field is +User+ (+object+).
The `user` object affected by this API call. See the [Get user endpoint](https://stytch.com/docs/api/get-user) for complete response field details.
user::
The type of this field is +String+.
The JSON Web Token (JWT) for a given Stytch Session.
session_jwt::
The type of this field is +String+.
A secret token for a given Stytch Session.
session_token::
The type of this field is +String+.
The `email_id` or `phone_id` involved in the given authentication.
method_id::
The type of this field is +String+.
The unique ID of the affected User.
user_id::
The type of this field is +String+.
Globally unique UUID that is returned with every API call. This value is important to log for debugging purposes; we may ask for this value to help identify a specific API call when helping you debug an issue.
request_id::
An object with the following fields:
== Returns:
The type of this field is nilable +String+.
If the `telemetry_id` is passed, as part of this request, Stytch will call the [Fingerprint Lookup API](https://stytch.com/docs/fraud/api/fingerprint-lookup) and store the associated fingerprints and IPGEO information for the User. Your workspace must be enabled for Device Fingerprinting to use this feature.
telemetry_id::
The type of this field is nilable +String+.
A base64url encoded one time secret used to validate that the request starts and ends on the same device.
code_verifier::
The type of this field is nilable +object+.
Custom claims made with reserved claims ("iss", "sub", "aud", "exp", "nbf", "iat", "jti") will be ignored. Total custom claims size cannot exceed four kilobytes.
Add a custom claims map to the Session being authenticated. Claims are only created if a Session is initialized by providing a value in `session_duration_minutes`. Claims will be included on the Session object and in the JWT. To update a key in an existing Session, supply a new value. To delete a key, supply a null value.
session_custom_claims::
The type of this field is nilable +String+.
The `session_jwt` associated with a User's existing Session.
session_jwt::
The type of this field is nilable +Integer+.
If the `session_duration_minutes` parameter is not specified, a Stytch session will not be created.
If a `session_token` or `session_jwt` is provided then a successful authentication will continue to extend the session this many minutes.
This value must be a minimum of 5 and a maximum of 527040 minutes (366 days).
five minutes regardless of the underlying session duration, and will need to be refreshed over time.
returning both an opaque `session_token` and `session_jwt` for this session. Remember that the `session_jwt` will have a fixed lifetime of
Set the session lifetime to be this many minutes from now. This will start a new session if one doesn't already exist,
session_duration_minutes::
The type of this field is nilable +String+.
The `session_token` associated with a User's existing Session.
session_token::
The type of this field is nilable +Options+ (+object+).
Specify optional security settings.
options::
The type of this field is nilable +Attributes+ (+object+).
Provided attributes to help with fraud detection. These values are pulled and passed into Stytch endpoints by your application.
attributes::
The type of this field is +String+.
In the redirect URL, the `stytch_token_type` will be `magic_link`. See [here](https://stytch.com/docs/workspace-management/redirect-urls) for more detail.
The redirect URL will look like `https://example.com/authenticate?stytch_token_type=magic_links&token=rM_kw42CWBhsHLF62V75jELMbvJ87njMe3tFVj7Qupu7`
The Magic Link `token` from the `?token=` query parameter in the URL.
token::
== Parameters:
Authenticate a User given a Magic Link. This endpoint verifies that the Magic Link token is valid, hasn't expired or been previously used, and any optional security settings such as IP match or user agent match are satisfied.
def authenticate( token:, attributes: nil, options: nil, session_token: nil, session_duration_minutes: nil, session_jwt: nil, session_custom_claims: nil, code_verifier: nil, telemetry_id: nil ) headers = {} request = { token: token } request[:attributes] = attributes unless attributes.nil? request[:options] = options unless options.nil? request[:session_token] = session_token unless session_token.nil? request[:session_duration_minutes] = session_duration_minutes unless session_duration_minutes.nil? request[:session_jwt] = session_jwt unless session_jwt.nil? request[:session_custom_claims] = session_custom_claims unless session_custom_claims.nil? request[:code_verifier] = code_verifier unless code_verifier.nil? request[:telemetry_id] = telemetry_id unless telemetry_id.nil? post_request('/v1/magic_links/authenticate', request, headers) end
def create(
The HTTP status code of the response. Stytch follows standard HTTP response status code patterns, e.g. 2XX values equate to success, 3XX values are redirects, 4XX are client errors, and 5XX are server errors.
status_code::
The type of this field is +String+.
The Magic Link `token` that you'll include in your contact method of choice, e.g. email or SMS.
token::
The type of this field is +String+.
The unique ID of the affected User.
user_id::
The type of this field is +String+.
Globally unique UUID that is returned with every API call. This value is important to log for debugging purposes; we may ask for this value to help identify a specific API call when helping you debug an issue.
request_id::
An object with the following fields:
== Returns:
The type of this field is nilable +Attributes+ (+object+).
Provided attributes to help with fraud detection. These values are pulled and passed into Stytch endpoints by your application.
attributes::
The type of this field is nilable +Integer+.
Set the expiration for the Magic Link `token` in minutes. By default, it expires in 1 hour. The minimum expiration is 5 minutes and the maximum is 7 days (10080 mins).
expiration_minutes::
The type of this field is +String+.
The unique ID of a specific User. You may use an `external_id` here if one is set for the user.
user_id::
== Parameters:
We also recommend checking out our [Trusted Auth Tokens](https://stytch.com/docs/consumer-auth/authentication/trusted-auth-tokens/overview) product, which is available in both our Consumer and B2B APIs and can be a better fit for some use cases.
* In some cases, email security bots may follow links within incoming emails before your users open them. This consumes the Embeddable Magic Link token, preventing the user from logging in when they later click the link. Our Email Magic Links product automatically prevents this (details [here](https://stytch.com/docs/consumer-auth/authentication/magic-links/redirect-routing)). However, when sending your own emails containing Embeddable Magic Links, you'll be responsible for detecting and stopping bot traffic using tools like CAPTCHA or [Device Fingerprinting](https://stytch.com/docs/fraud-risk/device-fingerprinting/overview).
* Deliverability is paramount. Carefully test your email copy to ensure it reaches your users' inboxes. Small changes can result in your emails being sent to spam.
When sending Embeddable Magic Links via email:
* Embeddable Magic Links are only available in our Consumer API, and not our B2B API.
* Authenticating an Embeddable Magic Link token will not mark any of a user's delivery factors (email address or phone number) as verified, since we cannot confirm how the token was sent to the user.
* Embeddable Magic Link tokens are **sensitive values**. You should handle and store them securely.
Carefully review the following notes before using Embeddable Magic Links:
### Important usage notes
Create an Embeddable Magic Link token for a User.
def create( user_id:, expiration_minutes: nil, attributes: nil ) headers = {} request = { user_id: user_id } request[:expiration_minutes] = expiration_minutes unless expiration_minutes.nil? request[:attributes] = attributes unless attributes.nil? post_request('/v1/magic_links', request, headers) end
def initialize(connection)
def initialize(connection) @connection = connection @email = Stytch::MagicLinks::Email.new(@connection) end