Magic Link Login

Magic Link Login is a feature that allows users to log in if they forget their password.


Magic Link Login functionality is enabled by default. You can change it within the app/Config/Auth.php file.

public bool $allowMagicLinkLogins = true;

By default, a Magic Link can be used for 1 hour. You can change this in the app/Config/Auth.php file.

public int $magicLinkLifetime = HOUR;


You need to configure app/Config/Email.php to allow Shield to send emails. See Installation.

Magic Link logins allow a user who has forgotten their password to have an email sent with a unique, one-time login link. Once they've logged in, you can decide how to respond. In some cases, you might want to redirect them to a special page where they must choose a new password. In other cases, you might simply want to display a one-time message prompting them to go to their account page and choose a new password.

Session Notification

You can detect if a user has finished the magic link login by checking for a session value, magicLogin. If they have recently completed the flow, it will exist and have a value of true.

if (session('magicLogin')) {
    return redirect()->route('set_password');
}

This value sticks around in the session for 5 minutes. Once you no longer need to take any actions, you might want to delete the value from the session.
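
The same check applied to every request, as an added example that is not part of Shield or of the original page: a CodeIgniter filter that sends the user to the password page while the magicLogin flag is set. The class name, the exempt URI paths and the filter registration are assumptions; the set_password route name is taken from the snippet above.

```php
<?php

namespace App\Filters;

use CodeIgniter\Filters\FilterInterface;
use CodeIgniter\HTTP\RequestInterface;
use CodeIgniter\HTTP\ResponseInterface;

/**
 * Hypothetical filter (example code, not shipped with Shield).
 * Register it in app/Config/Filters.php and apply it to the routes
 * that require a logged-in user.
 */
class MagicLinkPasswordFilter implements FilterInterface
{
    // Assumed URI paths that must stay reachable; without them the
    // redirect below would loop or block logging out.
    private const EXEMPT = ['set-password', 'logout'];

    public function before(RequestInterface $request, $arguments = null)
    {
        // Shield sets this session value to true after a completed
        // magic link login.
        if (! session('magicLogin')) {
            return null; // normal login: let the request through
        }

        foreach (self::EXEMPT as $path) {
            if (url_is($path)) {
                return null;
            }
        }

        // Any other page: the user must choose a new password first.
        return redirect()->route('set_password');
    }

    public function after(RequestInterface $request, ResponseInterface $response, $arguments = null)
    {
        return null; // nothing to do after the controller runs
    }
}
```

The filter only has an effect while the flag exists, so it stops redirecting once the 5 minutes have passed. After the new password has been saved, the controller behind set_password can clear the flag with session()->removeTempdata('magicLogin').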



At the same time the above session variable is set, a magicLogin event is fired off that you may subscribe to. Note that no data is passed to the event as you can easily grab the current user from the user() helper or the auth()->user() method.

use CodeIgniter\Events\Events;

Events::on('magicLogin', static function () {
    // ...
});