Passwordless email link opened twice for some users

For a small set of users, we are seeing a java process opening the link before the user clicks on it in the email:

  1. Code/Link Sent
  2. Success Login (user_agent: Apache-HttpClient/4.5.2 (Java/1.8.0_60))
  3. Failed login (user_agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_11_6) AppleWebKit/601.7.7 (KHTML, like Gecko) Version/9.1.2 Safari/601.7.7)

Our guess is the successful login is some kind of antivirus or similar.

First off, has anyone else seen this? We have only seen this for some people that use their work email but don’t yet know exactly what it is.

Second, is there a way for us to work around this?

So a few questions:

  1. Is there any commonality around mobile OS?
  2. Are they using / viewing the email in a mobile app and then checking on their laptops?

It could be related to an antivirus but not sure.


  1. No, We have seen both ios and windows
  2. They have tried multiple times, both on the phone and their computer

Our service is completely single page web app based.

The user base is not large enough to get any clear indication to the common factor for these few that can’t login.

The commonalities we have noted are:

  • They are using their work email
  • A java program (user agent Apache-HttpClient/4.5.2 (Java/1.8.0_60)) is opening the link before they click on it

This is what makes me think it’s something scanning their email.

Is there anyway to work around this issue? E.g. block the initial request based on user agent without expiring the link for the second request?

Hey there!

Sorry for such a delayed response! We’re doing our best in providing you with the best developer support experience out there but sometimes our bandwidth is just not enough for all the questions coming in. Sorry for the inconvenience!

Can you let us know if you still require further assistance from us?