Why am I seeing allow_magiclink _verify_without_session:true when exporting configs?

Problem statement

Why are we seeing the feature flag allow_magiclink_verify_without_session set to true when exporting our tenant configuration? We weren’t aware of the existence of this flag neither we have enabled it.

Cause

Generally speaking, feature flags are used to hide new features or changes behind an optional flag to help prevent breaking changes and allow customers to opt-in to new features or migrations as they see fit.

The allow_magiclink_verify_without_session flag was added when a new default behavior was introduced recently, to ensure that breaking changes were not caused for customers utilizing that specific flow, i.e. passwordless email connections using magic links.

The new default behavior that was introduced for increased security is the following: when using a passwordless email connection with magic links, the user can now only open the link from the same browser that started the flow.

Solution

That is normal and is not an issue.