Magic link and MFA

Email magic link

Typical flow:

  1. POST /api/auth/magic-link requests a one-time code or link.
  2. POST /api/auth/verify exchanges it for a session.
  3. GET /api/auth/status lets the SPA resume state.
  4. POST /api/auth/logout destroys the session (prefer POST-based logout flows).

Sessions use express-session with connect-pg-simple (server/middleware/session.ts).
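The verify step above hinges on the code being single-use and short-lived. The following is an added illustration, not the project's own handler: it keeps only a hash of the issued token, consumes the entry on first use, and rejects expired or unknown tokens. The in-memory map and the 15-minute lifetime are assumptions for the example.

```typescript
// Added example (not the project's code): single-use, expiring magic-link tokens.
// Only SHA-256(token) is stored, so a leaked store cannot be replayed as a login.
import { randomBytes, createHash } from "node:crypto";

interface PendingLink {
  email: string;
  expiresAt: number; // epoch milliseconds
}

const TTL_MS = 15 * 60 * 1000;                  // assumed 15-minute lifetime
const pending = new Map<string, PendingLink>(); // keyed by hex SHA-256 of the token

function hashToken(token: string): string {
  return createHash("sha256").update(token).digest("hex");
}

// Step 1 (POST /api/auth/magic-link): mint a token and hand it back to be e-mailed.
// `now` is injectable so expiry can be exercised deterministically.
export function issueMagicLink(email: string, now: number = Date.now()): string {
  const token = randomBytes(32).toString("base64url"); // 256 bits of entropy
  pending.set(hashToken(token), { email, expiresAt: now + TTL_MS });
  return token;
}

// Step 2 (POST /api/auth/verify): exchange the token exactly once.
// Returns the e-mail to bind to a new session, or null when the token is
// unknown, already consumed, or expired. The entry is removed on any attempt,
// so an expired token cannot be retried either.
export function verifyMagicLink(token: string, now: number = Date.now()): string | null {
  const key = hashToken(token);
  const entry = pending.get(key);
  if (!entry) return null;            // unknown or replayed
  pending.delete(key);                // single use
  if (now > entry.expiresAt) return null;
  return entry.email;                 // caller creates the express-session here
}

// Number of tokens still awaiting verification (useful for tests and metrics).
export function pendingCount(): number {
  return pending.size;
}
```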

MFA

TOTP lifecycle: server/api/auth/mfa/setup.post.ts, verify.post.ts, verify-setup.post.ts, plus backup-code handling where enabled.

Operational guardrails

Startup checks block dangerous combinations (e.g. logging OTP to stdout in production) inside server/plugins/init.ts.

Session inactivity interacts with MCP tool-session idle policies—tune the inactivity window in server configuration to match your security posture.

Other account APIs

GET /api/users/me/sessions surfaces active dashboard sessions for the signed-in user where implemented.