Definition
A magic link is an emailed, single-use URL that authenticates a user when clicked. The user enters their email address, the server generates a random token, stores its hash with a short expiry, and emails the raw token inside a sign-in URL. Clicking the link is proof that the user controls the inbox; the server verifies the token, creates a session, and burns the token so it can't be reused.
Magic links eliminate three classes of breach. With no passwords, there are no password-leak incidents, no password-reuse vulnerabilities, and no phishing kits that steal credentials. The attack surface shrinks to email-account compromise, which is why 2FA on the user's email provider is the critical piece of defense-in-depth.
Typical TTL is 5-15 minutes. Tokens should carry at least 128 bits of entropy, be hashed at rest (SHA-256 is standard), and be burned after first use.
How SheetLinkWP relates to Magic Link
SheetLinkWP's customer portal at sheetlinkwp.com/account/ is magic-link-only - there are no passwords on the system. Users enter the email they purchased under, and a 256-bit token is emailed with a 15-minute TTL and single-use semantics. The server stores only sha256(token); the raw value is only ever in the email. Clicking the link creates a 7-day HttpOnly session cookie and lands the user on the dashboard.
The portal also applies enumeration protection: whether or not a license exists for the submitted email, the response is always "check your inbox." An attacker probing for paying customers can't distinguish real accounts from nonexistent ones. Rate limits on both email and IP further slow brute-force attempts.
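The flow described above (256-bit token, SHA-256 at rest, 15-minute TTL, single use, uniform "check your inbox" reply), as an added Python example that is not SheetLinkWP's own code. The `MagicLinkStore` class, its in-memory dict, the `outbox` list standing in for a mailer, and the `example.test` URL are all assumptions for illustration; rate limiting is left out.

```python
import hashlib
import secrets
import time

TOKEN_TTL = 15 * 60                  # 15-minute TTL, as described above
GENERIC_REPLY = "check your inbox"   # identical for known and unknown emails


class MagicLinkStore:
    """In-memory stand-in for the token table (hypothetical, for illustration)."""

    def __init__(self, known_emails, clock=time.time):
        self.known_emails = set(known_emails)
        self.clock = clock
        self.pending = {}   # sha256(token) hex digest -> (email, expires_at)
        self.outbox = []    # (email, url) pairs standing in for the mailer

    def request_link(self, email):
        if email in self.known_emails:
            token = secrets.token_urlsafe(32)   # 32 random bytes = 256 bits
            digest = hashlib.sha256(token.encode()).hexdigest()
            self.pending[digest] = (email, self.clock() + TOKEN_TTL)
            # The raw token exists only in the emailed URL, never in storage.
            url = f"https://example.test/login?token={token}"
            self.outbox.append((email, url))
        # Same reply on both branches, so the response body does not
        # reveal whether an account exists for this address.
        return GENERIC_REPLY

    def redeem(self, token):
        """Return the account email on success, None otherwise."""
        digest = hashlib.sha256(token.encode()).hexdigest()
        # pop() burns the record before any other check: a second click,
        # or a click after expiry, finds nothing left to redeem.
        record = self.pending.pop(digest, None)
        if record is None:
            return None
        email, expires_at = record
        if self.clock() > expires_at:
            return None
        return email
```

Because the store is keyed by the digest, a leaked copy of `pending` contains nothing that can be pasted into a sign-in URL.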