Skip to content
Flows
Add Magic‑Link Passwordless Login
App Builder60-90 minutes
0/6 steps0%

Step 1 of 6

Configure Email Service

Enable the app to send real emails containing magic links.

💡

The app uses Node.js 18+, Express, and dotenv for configuration. Use a production‑ready provider (e.g., SendGrid or Nodemailer with SMTP).

Prompt capsule

1. Install the chosen email library (e.g., @sendgrid/mail or nodemailer). 2. In the project root, add the following environment variables to .env: EMAIL_PROVIDER (value: 'sendgrid' or 'smtp'), SENDGRID_API_KEY (if using SendGrid), SMTP_HOST, SMTP_PORT, SMTP_USER, SMTP_PASS, EMAIL_FROM. 3. Create a new module src/utils/email.js that: a. Loads env vars via process.env. b. Initializes the provider once. c. Exposes an async function sendMagicLink(email, link) that sends a real HTML email with subject "Your magic login link" and body containing the clickable link. d. Throws on any sending error. 4. Ensure the module is exported and can be imported elsewhere. 5. Add a unit test that calls sendMagicLink with a dummy email but catches the error; the test must confirm the function attempts to send (no console.log placeholders).

Paste into Claude · Complete implementation prompt with explicit requirements

Expected after this step

Email helper module ready and test confirming it can send a real email.

Should not happen

  • AI returns placeholder email code (console.log or dummy strings) instead of real provider calls.
  • Token generation uses insecure randomness or stores the raw token.
  • Migration is missing or does not hash the token; DB schema is incomplete.
  • Endpoints return success without actually storing or validating tokens.

Verify before continuing

Do not move on until every check is true. The complete button stays locked until then.

Do not continue if…

  • !AI returns placeholder email code (console.log or dummy strings) instead of real provider calls.
  • !Token generation uses insecure randomness or stores the raw token.
  • !Migration is missing or does not hash the token; DB schema is incomplete.
  • !Endpoints return success without actually storing or validating tokens.
  • !Front‑end form lacks proper action or fetch logic, or skips CSRF handling.
  • !Tests are mocked completely; no real email inbox or DB is used.
  • !Self‑audit comments are omitted, making verification of real work impossible.

If the AI messes this up

Use this when the AI fakes progress or breaks the feature. It forces a real fix.

If the AI sent only stub functions or console.log placeholders, ask it to replace them with a working SendGrid/Nodemailer implementation, reference the env vars, and include the self‑audit.

Your notes for this step