Enchanted Link via Backend SDKs
This guide is meant for developers that are NOT using Descope on the frontend to design login screens and authentication methods.
If you'd like to use Descope Flows, Quick Start should be your starting point. If you'd like to use our Client SDKs, refer to our Client SDK docs.
An enchanted link is a single-use link sent to the user for authentication (sign-up or sign-in) that validates their identity. The Descope service sends enchanted links via email.
Enchanted links are an enhanced version of magic links. Enchanted links enable users to start the login process on one device (the originating device) while clicking the enchanted link on a different device. When the user clicks the correct link, their session on the originating device is validated, and they are logged in. A special security feature of enchanted links is that the end user must pick the correct link from the three links delivered to them.
Note
Enchanted links are user friendly since the user does not have to switch tabs or applications to log in. The browser tab they initiated login from is the only tab they need to use.
Use Cases
- New user signup: Complete the following actions in order: first User Sign-Up; then, within the same route, begin Polling for a valid session; and, when the enchanted link is clicked, User Verification.
- Existing user signin: Complete the following actions in order: first User Sign-In; then, within the same route, begin Polling for a valid session; and, when the enchanted link is clicked, User Verification.
- Sign-Up or Sign-In (signs up a new user or signs in an existing user): Complete the following actions in order: first User Sign-Up or Sign-In; then, within the same route, begin Polling for a valid session; and, when the enchanted link is clicked, User Verification.
Backend SDK
Install SDK
Import and initialize SDK
User Sign-Up
To register a new user, you can use the SignUp function. In the example below, an Enchanted Link is sent to email@company.com.
The SignUp call returns two important values:
- pendingRef — used by your application to poll the verification status on the originating device.
- linkId — should be shown to the user in your application so they can identify and click the correct link in the email they receive.
Make sure your application uses the pendingRef to check when the user has successfully verified their sign-up.
Also note that signup is not complete without the user verification step below.
User Sign-In
To log in an existing user, you can use the SignIn function. In this example, an Enchanted Link is sent to email@company.com. The signIn call returns two key values:
- pendingRef — used by your application to poll the verification status on the originating device.
- linkId — should be displayed to the user so they can identify and click the correct link in the email they receive.
Your application should then use the pendingRef to monitor when the user completes verification.
Also note that signin is not complete without the user verification step below.
User Sign-Up or Sign-In
To sign up a new user or sign in an existing user, you can use the signUpOrIn function. In the example below, an Enchanted Link is sent to email@company.com.
The signUpOrIn call returns two important values:
- pendingRef — used by your application to poll the verification status on the originating device.
- linkId — should be shown to the user in your application so they can identify and click the correct link in the email they receive.
Make sure your application uses the pendingRef to check when the user has successfully verified their sign-in or sign-up.
Note that signUpOrIn is not complete without the user verification step below.
User Verification
Call the verify function from your verify URL. This means that this function needs to be called when the user clicks the enchanted link. If the token is valid, the user will be authenticated and the session returned to the polling thread (see next step).
Polling for valid session
On the route where you initialized the signIn, signUp, or signUpOrIn, you need to repeatedly poll for a valid session.
get_session(token) is called repeatedly until the user clicks the enchanted link URL they received, so that the session on the initiating device can be directed to your desired page.
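The sign-in, verify and polling steps described above, as an added offline sketch that is not Descope SDK code: it shows a polling loop with a bounded deadline on the originating route. `poll_for_session`, `StillPending` and `FakeService` are hypothetical names, and the stand-in's behaviour for a wrong link (the session simply stays pending) is an assumption.

```python
import secrets
import time

class StillPending(Exception):
    """Hypothetical signal: the link for this pendingRef has not been clicked yet."""

def poll_for_session(get_session, pending_ref, timeout_s=120.0, interval_s=2.0,
                     sleep=time.sleep, clock=time.monotonic):
    """Return the session once the link is verified, or None when the window expires.
    Only StillPending is retried; any other error propagates to the caller."""
    deadline = clock() + timeout_s
    while True:
        try:
            return get_session(pending_ref)
        except StillPending:
            if clock() + interval_s > deadline:
                return None  # bounded wait: stop polling, caller decides what is next
            sleep(interval_s)

class FakeService:
    """Constructed in-memory stand-in (not the Descope API) so this runs offline."""
    def __init__(self):
        self._sessions = {}  # pendingRef -> session, None until verified
        self._tokens = {}    # link token -> (pendingRef, email, is_correct_link)

    def sign_up_or_in(self, email):
        pending_ref = secrets.token_urlsafe(16)
        self._sessions[pending_ref] = None
        correct = secrets.randbelow(3)
        tokens = [secrets.token_urlsafe(16) for _ in range(3)]  # three emailed links
        for i, tok in enumerate(tokens):
            self._tokens[tok] = (pending_ref, email, i == correct)
        # linkId is shown to the user; pendingRef is what the originating route polls with.
        return {"pendingRef": pending_ref, "linkId": str(correct + 1)}, tokens

    def verify(self, token):
        entry = self._tokens.pop(token, None)  # single use: a replayed click fails
        if entry is None or not entry[2]:
            return False
        self._sessions[entry[0]] = {"user": entry[1]}
        return True

    def get_session(self, pending_ref):
        session = self._sessions.get(pending_ref)
        if session is None:
            raise StillPending()
        return session
```

With a real SDK, pass a small wrapper as `get_session` that translates the SDK's "not verified yet" response into `StillPending` and lets every other error surface.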
Update Email
This function allows you to update the user's email address via email. This requires a valid refresh token. Once the user has received the enchanted link, you will need to host a page to verify the enchanted link token using the enchanted link Verify Function.
Session Validation
The final step of completing the authentication with Descope is to validate the user session. Descope provides rich session management capabilities, including configurable session timeouts and logout functions. You can find the details and sample code for backend session validation here.
Checkpoint
Your application is now integrated with Descope. Please test it with the sign-up or sign-in use case.