Embedded Link

An embedded link generates a single-use token for authenticating an existing user. Once generated, the embedded link token can be sent to a user via various use cases such as email, SMS, etc, or you can use it manually similarly to a machine-to-machine implementation. Embedded link tokens are verified using the magic link verification function.

Embedded Links via SDK

When sending to a user, you can append the token to a URI, which captures the token query parameter and uses the Magic Link verification function to authenticate the user. An example of the URL given to the user would be https://company.com/verify?t=token, then within the page, you would capture the token and verify using the client SDK or you can utilize a flow which captures the embedded link similarly to the Magic Link Invite.

When using a machine-to-machine use case, you would utilize the backend Magic Link verification function to authenticate the user.

Embedded Links via Flows

You can utilize Embedded Link actions within flows by going to the flow builder, selecting the flow you want to add embedded link auth to, and clicking the blue + at the top left and searching for the embedded link.

You can then utilize a customized messaging connector or other method to send the embedded link to a user. When the user clicks the link, they will start the Descope flow from the action where the link was generated. If the link is still valid, they will be authenticated and continue the flow from that task forward.

For a use case example, see our knowledge base article on embedded links in flows.

Settings Summary

All Settings

Variables are displayed below and in the console as {{variable_name}}.

Expiration Time

For increased security, we recommend an expiration time of 3-5 minutes. A shorter expiration time limits how long a malicious actor has to attempt an attack (such as a dictionary or brute force attack) on the code or link.