The magic-link endpoint triggers a sign-in email to the supplied address. When the user clicks the link in that email, OpenBookings verifies the token and redirects them to the URL you specify. The link is valid for 15 minutes. This is the only credential-based auth flow available over the REST API — there is no password endpoint.
Endpoint
POST https://openbookings.co/api/auth/magic-link/send-magic-link
| Header | Value |
|---|
Content-Type | application/json |
Request body
The user’s email address. A magic-link sign-in email is sent to this address.
The URL the user is redirected to after clicking the magic link and completing verification. Use your application’s home page or the page the user was trying to reach.
Response
200 — success
The API accepted the request and dispatched the email. The response body confirms the operation.
A 200 response means the request was valid and the email was queued — it does not confirm that the user’s inbox received it. If the address does not exist in the system, the email may still be sent as part of the sign-up flow.
Magic-link expiry
Magic links expire after 15 minutes. If the user attempts to sign in after that window, the link will be invalid. Prompt the user to request a new link if they receive an expiry error.
Code examples
curl --request POST \
--url https://openbookings.co/api/auth/magic-link/send-magic-link \
--header 'Content-Type: application/json' \
--data '{
"email": "user@example.com",
"callbackURL": "https://openbookings.co"
}'
Full sign-in flow
For a step-by-step walkthrough of how a magic-link sign-in maps to the full user session lifecycle, see Authentication.