Test Magic Link Authentication
Passwordless auth is growing—ensure your magic links work securely and reliably in automated tests.
Magic links are security-critical
- Broken magic links mean locked-out users
- Token expiration logic must work correctly
- Links should be single-use to prevent replay attacks
- Testing requires actually receiving and clicking the link
Secure magic link testing
- Generate unique email per authentication test
- Extract and validate token from email content
- Test successful authentication flow
- Verify token expiration and single-use behavior
Example
Testing Magic Link Authtypescript
test('magic link grants access and expires', async () => {
const userEmail = `magic+${Date.now()}@in.plop.email`;
// Request magic link
await api.post('/auth/magic-link', { email: userEmail });
// Get the email
const email = await plop.messages.latest({ to: userEmail });
const magicLink = extractMagicLink(email.htmlContent);
// First use should succeed
const firstUse = await fetch(magicLink, { redirect: 'manual' });
expect(firstUse.status).toBe(302); // Redirect to app
// Second use should fail (single-use token)
const secondUse = await fetch(magicLink);
expect(secondUse.status).toBe(401);
});
test('magic link expires after 15 minutes', async () => {
// ... time-based expiration test
});Benefits
Security Assurance
Verify tokens expire and can't be reused.
User Experience
Ensure magic links work on first click.
Edge Cases
Test expiration, reuse, and invalid tokens.
Cross-Device
Verify links work across different sessions.
Related Use Cases
Related Integrations
Ready to test magic links?
Get started with plop.email in minutes. No credit card required.