Magic Links
With Magic Links customers can seamlessly sign into your customer portal from your app or website.
Magic Links are a secure passwordless authentication mechanism that lets you securely generate URLs to sign customers into your customer portal. This is perfect for redirecting users already authenticated within your app or service into your customer portal without the need for them to sign in once more.
- Obtain your Magic Link key from the dashboard: You can grab the secret key for generating Magic Links for your account in Settings → Developers → Magic Links within the dashboard. WARNING: Keep your Magic Link key secret! It should only be used on servers under your control and never exposed in client-side code.
- Generate a sign in token: Using your Magic Link key you can generate JWT tokens from your backend that tell us which customer to sign in.
- Build the URL: Now you can plug your freshly generated token into a sign in URL (replace yourcompany with your Invoiced username): https://{yourcompany}.invoiced.com/login/{generated_token} You can now link your freshly generated URL from your website or else redirect users here.
If you are using a language not supported with an official Invoiced client library then you can still generate Magic Links. The steps to generate a JWT token will vary by language, however, there are many open source libraries that make it a simple process.
Any JWT tokens you generate should be signed using the HS256 algorithm with your Magic Link key. The token should have the following parameters for the header:
And the following parameters for the payload:
- The sub parameter should be the ID of the customer on Invoiced you are signing the user in as.
- The iss parameter should be a string to identify the service that generated the token (any value works here).
- The exp parameter should be a UNIX timestamp to indicate when the URL should expire.
This will generate a token similar to this:
eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJzdWIiOiIxMjM0NTY3ODkwIiwiaXNzIjoiUnVieSBCYWNrZW5kIiwiZXhwIjoxNDU1NTY0OTQ4fQ.LXu-zcMTF8ikMSRrSVYnP0szyRZuqQOAorHAsDrfwPs
We recommend taking a look at jwt.io to verify that tokens you generate are valid and to find client libraries in your language.
Here is an example showing how to generate a Magic Link in Ruby with the jwt gem (as opposed to using the invoiced-ruby library):