Magic link
A unique URL that authenticates a user (or group member) without requiring a password.
Definition
A magic link is a one-time-use or per-group authenticated URL that lets a user access a private resource without entering a password. In EvenRound and similar no-signup expense apps, each group member receives their own magic link - typically delivered via email, SMS, or a copy-paste from the group creator. Clicking the link sets a secure HTTP-only cookie in the user's browser, which scopes them to that specific group. The link is reusable from the same browser indefinitely; if the cookie expires or the user switches browsers, they request a new link via email. Magic links are the standard authentication pattern for no-signup apps because they preserve the 'no account, no password' experience while still providing per-user identity within a group. They're cryptographically secure as long as they're delivered over a secure channel (email is generally fine for this purpose) and the link itself is sufficiently long-random.
Examples
- Group creator shares a single 'invite link' that anyone can click to join the group as a new member; once joined, each member gets their own per-user magic link.
- User clears cookies or switches browsers; they request 'send me my magic link' on the group page and receive a fresh link via email.
- Magic links typically expire after 30-90 days of inactivity, requiring re-issuance. Some apps use rolling tokens that refresh on each visit.