Checking for Email Scanners

When using magic links, email services like Outlook's "Safe Links" may click links to check for malicious content, potentially invalidating the one-time authentication. The isEmailScanner condition allows detecting such scanners and adding a screen to prevent token invalidation.

Example in a flow

When a user initiates magic link authentication, any detected email scanner that clicks the link will be redirected to a screen with a button. This prevents the magic link from being invalidated, as scanners typically do not interact with buttons on web pages. If no scanner is detected, the token will be automatically verified.

To see an example flow with isEmailScanner you can use the Enterprise B2B Magic Link template.

[Figure: Email Scanner example in a flow]

[Figure: Email Scanner condition]

Enable "Custom Token Verification". This setting is required so that the flow delays token validation until it confirms the request is not coming from a bot or email scanner.

[Figure: Custom Token Verification]

The extra screen can be anything, as long as it has one button that continues on to the verification process. Here is an example of an extra screen:

[Figure: Email Scanner extra screen]

This flow example routes requests to the extra screen only when an email scanner is detected; otherwise, the majority of users see no change to their user experience.

Optional: Enable "Delete Token After Verification" in the Verify Token action. This ensures that the token is invalidated once the flow completes, which helps prevent issues in cases where users may accidentally click the magic link multiple times.

[Figure: Delete Token at the end of the flow]
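
The deferred-verification pattern described above, modeled in Python as an added example (it is not code from this page or from the product). The class and method names are hypothetical, and the is_email_scanner argument stands in for the result of the isEmailScanner condition, whose detection logic this page does not describe.

```python
import secrets
import time


class MagicLinkFlow:
    """Toy model: token verification is deferred when a scanner is detected."""

    def __init__(self, ttl_seconds=600):
        self.ttl = ttl_seconds
        self._tokens = {}  # token -> (email, expiry timestamp)

    def issue(self, email, now=None):
        now = time.time() if now is None else now
        token = secrets.token_urlsafe(32)
        self._tokens[token] = (email, now + self.ttl)
        return token

    def open_link(self, token, is_email_scanner, now=None):
        # is_email_scanner is an input here; how it is computed is out of scope.
        if is_email_scanner:
            # Deferred verification: leave the token untouched, show the button.
            return ("button_screen", None)
        return self.verify(token, now)  # no scanner detected: verify automatically

    def click_button(self, token, now=None):
        # The extra screen's single button continues on to verification.
        return self.verify(token, now)

    def verify(self, token, now=None):
        now = time.time() if now is None else now
        email, expiry = self._tokens.get(token, (None, 0))
        if email is None or now > expiry:
            self._tokens.pop(token, None)
            return ("rejected", None)
        # Delete after verification so repeated clicks cannot reuse the token.
        del self._tokens[token]
        return ("verified", email)


if __name__ == "__main__":
    flow = MagicLinkFlow()
    t = flow.issue("user@example.com")  # constructed address
    print(flow.open_link(t, is_email_scanner=True))   # scanner prefetch
    print(flow.open_link(t, is_email_scanner=False))  # real user
    print(flow.open_link(t, is_email_scanner=False))  # accidental second click
```

The scanner's request leaves the token intact, the user's later request consumes it, and any further click on the same link is rejected.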
