Hi everyone,
I’m setting up a passwordless email magic link flow in Auth0 for a mobile streaming app to simplify sign-ups. It works fine overall, but I’m facing a few issues:
The link expiry seems too short for some users — what’s a secure yet user-friendly duration?
How can I enforce one-time use so the link can’t be reused?
Any best practices for keeping users logged in (device session persistence) after the first successful login?
Would love to hear how others have implemented this in mobile apps using Auth0.
Thanks!
Hi @edward.whitemore.uk,
Welcome to the Auth0 Community!
Here’s a breakdown of how to approach each of your points.
“The link expiry seems too short for some users — what’s a secure yet user-friendly duration?”
- A short lifetime (such as the 10-minute default) is more secure, as it reduces the window for an attacker to intercept and use the link. For mobile users who might be slow to switch apps and check their email, this can be frustrating. A duration of 15 to 20 minutes is often a reasonable compromise, but you’ll need to balance this for your specific user base.
“How can I enforce one-time use so the link can’t be reused?”
- Auth0 magic links are one-time use by default. Once a user clicks the link and successfully authenticates, that link is invalidated and cannot be used again. Furthermore, if a user requests a new link, the previously issued link is also invalidated. You do not need to do any extra configuration to enable this; it’s a core part of the security model.
“Any best practices for keeping users logged in (device session persistence) after the first successful login?”
- The best practice for native mobile apps is to use Refresh Tokens. A “session” in a mobile app is managed by the app, which securely stores a refresh token and uses it to obtain new access tokens. For more information, refer to the following documentation:
If you have any further questions, please don’t hesitate to reach out.
Have a good one,
Vlad
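The two properties described in the answer above (a short lifetime, and one-time use with the previous link invalidated when a new one is requested) are enforced by Auth0 on its side, so there is nothing to implement in the app. For readers who want to see what that security model looks like concretely, here is an added example that is not part of the original thread and not Auth0's code: a minimal in-memory magic-link token store in Python. The 15-minute TTL, the `MagicLinkStore` class and the injectable clock are assumptions made for the illustration; a real deployment would back this with a database and send the token inside the emailed URL.

```python
import hashlib
import secrets
import time
from dataclasses import dataclass
from typing import Callable, Dict, Optional

# Assumption for this example: 15-minute lifetime, the compromise suggested above.
MAGIC_LINK_TTL_SECONDS = 15 * 60


@dataclass
class MagicLinkRecord:
    token_hash: str   # only a hash is stored; a leaked store does not yield usable links
    email: str
    expires_at: float
    used: bool = False


class MagicLinkStore:
    """Issues and redeems magic-link tokens with three properties:
    1. every token expires after ttl_seconds,
    2. a token can be redeemed at most once,
    3. issuing a new token for an email invalidates that email's earlier token.
    """

    def __init__(self, ttl_seconds: int = MAGIC_LINK_TTL_SECONDS,
                 clock: Callable[[], float] = time.time) -> None:
        self._ttl = ttl_seconds
        self._clock = clock  # injectable so expiry can be tested without sleeping
        self._by_hash: Dict[str, MagicLinkRecord] = {}
        self._current_hash_for_email: Dict[str, str] = {}

    @staticmethod
    def _hash(token: str) -> str:
        return hashlib.sha256(token.encode("utf-8")).hexdigest()

    def issue(self, email: str) -> str:
        """Create a fresh token for email and return it (this is what goes in the link)."""
        # Property 3: drop whatever link this email already had.
        old_hash = self._current_hash_for_email.pop(email, None)
        if old_hash is not None:
            self._by_hash.pop(old_hash, None)
        token = secrets.token_urlsafe(32)  # 256 bits of CSPRNG entropy
        token_hash = self._hash(token)
        self._by_hash[token_hash] = MagicLinkRecord(
            token_hash=token_hash, email=email,
            expires_at=self._clock() + self._ttl)
        self._current_hash_for_email[email] = token_hash
        return token

    def redeem(self, token: str) -> Optional[str]:
        """Return the authenticated email, or None if the link is unknown,
        superseded, expired or already used. Any failure burns nothing."""
        token_hash = self._hash(token)
        rec = self._by_hash.get(token_hash)
        if rec is None:
            return None                      # never issued, or superseded (property 3)
        if self._clock() >= rec.expires_at:  # property 1
            self._forget(rec)
            return None
        if rec.used:                         # property 2
            return None
        rec.used = True                      # mark before returning; a second click fails
        return rec.email

    def _forget(self, rec: MagicLinkRecord) -> None:
        self._by_hash.pop(rec.token_hash, None)
        if self._current_hash_for_email.get(rec.email) == rec.token_hash:
            del self._current_hash_for_email[rec.email]


def demo() -> Dict[str, Optional[str]]:
    """Walk through the three properties with a controllable clock."""
    now = [1_000_000.0]
    store = MagicLinkStore(ttl_seconds=900, clock=lambda: now[0])
    results: Dict[str, Optional[str]] = {}

    first = store.issue("user@example.com")           # constructed sample user
    results["first_click"] = store.redeem(first)      # -> email
    results["second_click"] = store.redeem(first)     # -> None, one-time use

    older = store.issue("user@example.com")
    newer = store.issue("user@example.com")           # supersedes `older`
    results["superseded"] = store.redeem(older)       # -> None

    now[0] += 901                                     # just past the 15-minute TTL
    results["expired"] = store.redeem(newer)          # -> None
    results["garbage"] = store.redeem("not-a-token")  # -> None
    return results


if __name__ == "__main__":
    for name, outcome in demo().items():
        print(f"{name}: {outcome}")
```

Two design points worth noting: only a SHA-256 hash of the token is kept server-side, so the store itself is not a cache of live login links, and the `used` flag is set before the email is returned, so two near-simultaneous clicks on the same link cannot both succeed in a single-threaded server (a real multi-node deployment would need the equivalent atomic update in its database).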