Redirect Allowlist

# Overview

During user authentication, the redirectURI parameter serves as a callback URL: the user is sent there once authentication completes. For Magic, this is only relevant when using magic links or an OAuth provider (such as Google) as your user's authentication method. For magic links, the loginWithMagicLink feature accepts an optional redirectURI value. If you do not include a redirectURI, the user is asked to return to the original tab to complete the login process. Using a redirectURI is recommended for a smoother user experience.

# Configuration

  1. Go to the settings page of your app in the developer dashboard
  2. Toggle on your ‘redirect allowlist’
  3. Add your redirects and save your changes

# Format

Several redirect formats are supported; in general, an entry has the following shape:

  • <scheme> "://" <host> [ ":" <port> ] <path>

For a detailed view of the URI syntax format, refer to this diagram.

# Mobile Linking

Linking in mobile applications refers to the ability to navigate users to a specific location within an application by clicking on a link. There are two main methods of linking in mobile apps: Deep linking and Universal Links (App Links on Android). We recommend using Universal Links/App Links for increased security in lieu of Deep Links.

View our guide on mobile links in your Magic Application

Some examples:

Format Notes:

  • All paths have to be explicit, i.e. https://example.link does not also whitelist https://example.link/path1
  • Query strings and hash information are not taken into account when validating these URLs
  • You can use wildcards at the subdomain level (e.g.: https://*.contoso.com)
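To make the Format grammar and the three Format Notes concrete, here is an added example of an allowlist matcher that applies those rules. It is not Magic's code and does not reflect how Magic's backend validates redirects; the following details are this example's own assumptions rather than documented behaviour: an entry with no path is treated as "/", the port is compared literally, and a "*." wildcard stands for exactly one leftmost host label. The allowlist entries and candidate URIs are constructed sample data.

```javascript
// Added example, not Magic's own code: a redirect-URI allowlist matcher that
// applies the rules from the Format Notes. Entries follow the page's grammar
//   <scheme> "://" <host> [ ":" <port> ] <path>
// Assumptions made here (not documented Magic behaviour): an absent path is
// treated as "/", ports are compared literally, and a "*." wildcard stands
// for exactly one leftmost host label.

// Scheme, host, optional port, optional path; query and hash are consumed and ignored.
const URI_RE = /^([a-z][a-z0-9+.-]*):\/\/([^\/:?#]+)(?::(\d+))?(\/[^?#]*)?(?:[?#].*)?$/i;

function parseUri(s) {
  const m = URI_RE.exec(s);
  if (!m) return null; // no "://" (e.g. a javascript: URI) -> not a valid redirect
  return {
    scheme: m[1].toLowerCase(),
    host: m[2].toLowerCase(),
    port: m[3] || "",
    path: m[4] || "/", // assumption: "https://example.link" equals "https://example.link/"
  };
}

// "*.contoso.com" matches "app.contoso.com" but not "contoso.com" or "a.b.contoso.com".
function hostMatches(pattern, host) {
  if (!pattern.startsWith("*.")) return pattern === host;
  const suffix = pattern.slice(2);
  if (suffix.includes("*")) return false; // wildcard allowed only as the leftmost label
  if (!host.endsWith("." + suffix)) return false;
  const label = host.slice(0, host.length - suffix.length - 1);
  return label.length > 0 && !label.includes(".");
}

// True only when scheme, host, port and the explicit path all match one entry.
function isAllowedRedirect(candidate, allowlist) {
  const c = parseUri(candidate);
  if (c === null || c.host.includes("*")) return false; // a literal "*" is never a real host
  return allowlist.some((entry) => {
    const e = parseUri(entry);
    return e !== null &&
      e.scheme === c.scheme &&
      e.port === c.port &&
      e.path === c.path &&
      hostMatches(e.host, c.host);
  });
}

// Constructed sample allowlist for the demonstration below.
const SAMPLE_ALLOWLIST = [
  "https://example.link",
  "https://example.link/path1",
  "https://*.contoso.com/callback",
  "myapp://auth/callback",
];

for (const uri of [
  "https://example.link/path1?state=abc#token", // query and hash ignored -> allowed
  "https://example.link/path2",                 // path not explicitly listed -> rejected
  "https://app.contoso.com/callback",           // subdomain wildcard -> allowed
  "https://contoso.com/callback",               // wildcard needs one label -> rejected
  "https://example.link.other.test/path1",      // different host -> rejected
]) {
  console.log(`${isAllowedRedirect(uri, SAMPLE_ALLOWLIST) ? "allow " : "reject"} ${uri}`);
}
```

Because the comparison is an exact match on scheme, host, port and path, any candidate that differs from an entry in encoding, case of the path, or an extra dot-segment fails closed; only the query string and fragment are disregarded, matching the second note above.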

# Programmatic Configuration

Alternatively, redirect URIs can be added to your application's allowlist using curl. To interact with the email access control list for your application using curl, you will need a Secret Key and Client ID.

To obtain the required information, follow the steps below:

  1. On the Dashboard landing page, right-click anywhere and select Inspect
  2. Navigate to the Network tab and look for info?magic_client_id=<CLIENT_ID>
  3. Navigate to the Response tab and extract live_secret_key as your Secret Key and magic_client_id as your Client ID

Provide the Secret Key and/or Client ID in your curl commands, along with the chosen domains for the interaction:

Add

```bash
curl --location --request POST 'https://api.magic.link/v2/api/magic_client/allowlist/add' \
--header 'X-Magic-Secret-Key: sk_live_06FC010DA25ED4F2' \
--header 'Content-Type: application/json' \
--data-raw '{
    "access_type": "redirect_url",
    "target_client_id": "etjubJsY5Cvn6ukDzJYpd3MEAtgw45oetxxoX1PxvP4=",
    "value": "https://magic.link"
}'
```

# What happens if I don't configure them?

If the redirects are not verified and whitelisted, there is a potential for attackers to drive users to malicious websites or phishing pages, and/or steal sensitive information such as login credentials. Due to this, the redirect allowlist is required and must be configured for your app. By whitelisting redirect URLs, application owners can ensure that users are only redirected to trusted and secure destinations.