SKILL-050 Authentication and account lifecycle Locked skill

Magic links / OTP

Store only a hash of the token, make it single-use and short-lived, and never leak whether an email exists.

01

What this skill helps you build

Passwordless sign-in done two ways — an emailed magic link or a one-time code — with the single-use, expiring, hashed tokens that keep either one safe.

The production takeaway

Store only a hash of the token, make it single-use and short-lived, and never leak whether an email exists.
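An added example (not code from the skill itself) of the takeaway above: only the token's hash is stored, redemption consumes it, it expires, and the client gets the same reply whether or not the email has an account. The in-memory dict standing in for a database table, the 10-minute lifetime, and all function names are assumptions.

```python
import hashlib
import secrets
import time

TOKEN_TTL_SECONDS = 600  # assumed lifetime; the page only says "short-lived"
USERS = {"alice@example.com"}  # constructed sample account list
token_store = {}  # sha256(token) -> (email, expires_at); stand-in for a DB table
GENERIC_REPLY = "If that address has an account, a sign-in link is on its way."


def digest(token):
    # A fast hash is adequate because the token carries 256 bits of randomness,
    # unlike a password. A short numeric code would also need attempt limiting.
    return hashlib.sha256(token.encode()).hexdigest()


def request_link(email, now=None):
    """Return (reply_to_client, token_to_email_or_None)."""
    now = time.time() if now is None else now
    token = None
    if email.lower() in USERS:
        token = secrets.token_urlsafe(32)
        # Only the hash is persisted; the plaintext goes to the mailbox.
        token_store[digest(token)] = (email.lower(), now + TOKEN_TTL_SECONDS)
    # Same reply whether or not the account exists.
    return GENERIC_REPLY, token


def redeem(token, now=None):
    """Return the email on success, None for unknown, used or expired tokens."""
    now = time.time() if now is None else now
    # pop() removes the row in the same step as the lookup: single-use,
    # and an expired token is discarded as well.
    record = token_store.pop(digest(token), None)
    if record is None:
        return None
    email, expires_at = record
    return email if now <= expires_at else None
```

With a real database, the `pop` becomes a single atomic delete-and-return statement so that two concurrent requests cannot both redeem the same token.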

02

Inside this skill

The full skill expands these implementation areas with decisions, edge cases, prompts, tests, and framework-specific code.

What this helps you build

A passwordless authentication flow with no stored passwords to leak. The user enters their email; you send either a clickable magic link or a one-time code (OTP); clicking the link

When to use this

Reach for passwordless when a password adds risk without adding much value: Consumer apps where users forget passwords and bounce at the login wall. Email is already the identity —

The core idea

Both variants are the same token under different clothing. You generate a random secret, store only its hash, and hand the plaintext to the user — as a URL magic link or as a 6 di
