How it works
A service wants to verify that an agent controls a domain. It generates a random code and asks the agent to host it. The agent makes the code available at https://agent.domain/m/{code}. The service hits that URL — if it responds, the agent is verified.
Similar to DNS TXT verification, but instant and over HTTP.
Flow
sequenceDiagram
participant Service
participant Agent
Service->>Agent: Here's a verification code: abc123...
Agent->>Agent: atomic magic-link host abc123... --expires 10m
Service->>Agent: GET /m/abc123...
Agent-->>Service: {"status": "verified"}
Service->>Service: Agent controls this domain ✓
CLI
# Host a code for 10 minutes
atomic magic-link host abc123def456... --expires 10m
# List active codes
atomic magic-link list
Security
- Codes are SHA-256 hashed before storage
- Per-IP rate limiting (10 requests/minute) on the verification endpoint
- Codes shorter than 20 characters are rejected before touching the database
- Expired codes are cleaned up automatically
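The four checks above, combined in one handler for GET /m/{code}. This is an added sketch, not the project's own code: the in-memory `MagicLinkStore` class, the 404/429 status codes and the `rate_limited`/`not_found` bodies are assumptions, while the SHA-256 hashing, the 10 requests/minute limit, the 20-character minimum and the `verified` response come from the page.

```python
import hashlib
import time
from collections import defaultdict, deque

MIN_CODE_LEN = 20      # from the page: shorter codes are rejected
RATE_LIMIT = 10        # from the page: 10 requests per minute per IP
WINDOW_SECONDS = 60


class MagicLinkStore:
    """Hypothetical in-memory stand-in for the agent's code store."""

    def __init__(self):
        self._codes = {}                  # sha256(code) hex -> expiry timestamp
        self._hits = defaultdict(deque)   # client IP -> recent request times

    @staticmethod
    def _digest(code):
        return hashlib.sha256(code.encode("utf-8")).hexdigest()

    def host(self, code, ttl_seconds, now=None):
        now = time.time() if now is None else now
        if len(code) < MIN_CODE_LEN:
            raise ValueError("code too short")
        self._codes[self._digest(code)] = now + ttl_seconds  # plaintext never stored

    def _purge_expired(self, now):
        for digest in [d for d, exp in self._codes.items() if exp <= now]:
            del self._codes[digest]

    def verify(self, code, client_ip, now=None):
        """Return (http_status, body) for GET /m/{code}."""
        now = time.time() if now is None else now
        hits = self._hits[client_ip]
        while hits and hits[0] <= now - WINDOW_SECONDS:
            hits.popleft()                # drop requests outside the window
        if len(hits) >= RATE_LIMIT:
            return 429, {"status": "rate_limited"}
        hits.append(now)
        if len(code) < MIN_CODE_LEN:      # reject before any store lookup
            return 404, {"status": "not_found"}
        self._purge_expired(now)
        if self._digest(code) in self._codes:
            return 200, {"status": "verified"}
        return 404, {"status": "not_found"}
```

The rate limit is applied before the length check so that short-code probes still count against the caller's budget.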