Magic Links

Magic links are the way customers authenticate in Readybuild — instead of a password, they receive a secure, time-limited link by email that logs them in automatically when clicked. Magic links are used across the product and do not always require a client portal account.

When a magic link is needed, Readybuild generates a unique, single-use token and embeds it in a URL. The email sent to the customer contains a button or link pointing to that URL. When the customer clicks it:

  1. Readybuild validates that the token exists, has not expired, and has not already been used
  2. The token is consumed immediately — it cannot be used a second time
  3. The customer is authenticated and taken directly to the relevant page

If the customer already has an active session when clicking a magic link, the token is discarded and the existing session continues uninterrupted.

Contact Record Requirements

For a customer to receive a magic link email and successfully log in, their contact record must be active. If the contact is inactive:

  • Readybuild will not send them any magic link emails
  • If they somehow have a link, it will not work — login will be refused

This applies to all magic link types: portal login, contract signing, invoice emails, selections, and appointment management. Reactivating the contact record restores full access.

Magic links are sent in several distinct contexts. Some require the customer to have portal access enabled; others work independently.

Client Portal Access

Portal invitation — When you enable portal access for a contact, Readybuild automatically sends a "Client Portal Access" email to the contact's email address (and partner email, if on file). Each recipient gets their own link. Clicking it creates a portal session and takes the customer to their project dashboard.

Portal login page — When a customer with portal access visits the portal login page and enters their email, Readybuild sends a "Client Portal Login Link" email. This is how returning customers log back in if their session has expired.

Both of these require that portal access is enabled on the contact record.

Document Signing and Review

These magic links are sent as part of your normal workflow and work even if the customer does not have a portal account.

Contract signature requests — When you send a contract for electronic signature, each contact signee receives an email with a magic link that takes them directly to the contract. They can review and sign without navigating the portal.

Work Scope review — When you send a scope of work for customer review, the email contains a magic link directly to the review page.

Selections emails — When you send a selections email asking the customer to make product choices, the magic link takes them directly to the selections review page.

Invoice emails — When you send an invoice to a customer, the email contains a magic link directly to the billing page so they can view and pay without logging into the portal separately.

Link expiration — A magic link is valid for 7 days from when it was sent. After 7 days, the link in the email no longer works.

Session duration — Once a customer successfully authenticates using a magic link, their session remains active for 30 days on a sliding window. Activity within the session extends it; inactivity lets it expire. Sessions are tied to the specific device and browser used to click the link — if the customer switches to a different device or browser, they will need to request a new link by entering their email address on the login page or document page.

Single use — Each magic link can only be used once. After a customer clicks it and authenticates, that specific link is permanently consumed. Clicking the same email link again will show an error.

Multiple valid links — When a new magic link is sent to the same customer, any previously sent links that have not yet expired remain valid. All unexpired links for the same contact and purpose work independently — there is no need to use the most recently sent one.

Primary and Partner Emails

If a contact has both a primary email and a partner email on file, Readybuild sends separate magic links to each address. Each link is tied to the specific email address it was sent to — the primary link authenticates as the primary contact and the partner link authenticates as the partner. Both can access the same project and documents.

Rate Limiting

To prevent abuse, Readybuild limits magic link requests to 3 per hour per contact, per email address, per purpose. If a customer requests a new link too frequently, they will need to wait before another can be sent. The portal login page and document login dialogs will show an appropriate message in this case.
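The limit described above, sketched as an added example (not Readybuild's code). The class name, the sliding-window choice, and the lower-casing of the email address are assumptions; the page only states the 3-per-hour figure and that it applies per contact, per email address, per purpose.

```python
import time
from collections import defaultdict, deque

MAX_REQUESTS = 3  # page: 3 magic link requests ...
WINDOW = 3600     # ... per hour (seconds)


class LinkRequestLimiter:
    """Sliding-window limiter keyed by (contact, email, purpose)."""

    def __init__(self):
        self._sent = defaultdict(deque)  # key -> timestamps of allowed requests

    def _window(self, contact_id, email, purpose, now):
        # Assumption: normalise the address so "Pat@X.com" and "pat@x.com"
        # share one budget instead of each getting a fresh one.
        q = self._sent[(contact_id, email.strip().lower(), purpose)]
        while q and q[0] <= now - WINDOW:
            q.popleft()  # drop requests older than one hour
        return q

    def allow(self, contact_id, email, purpose, now=None):
        now = time.time() if now is None else now
        q = self._window(contact_id, email, purpose, now)
        if len(q) >= MAX_REQUESTS:
            return False  # caller shows the "too many requests" message
        q.append(now)     # only requests that were allowed count against the limit
        return True

    def retry_after(self, contact_id, email, purpose, now=None):
        """Seconds until the next request for this key would be allowed."""
        now = time.time() if now is None else now
        q = self._window(contact_id, email, purpose, now)
        return 0.0 if len(q) < MAX_REQUESTS else q[0] + WINDOW - now
```

Because the key includes the purpose and the address, hitting the limit for portal login does not block an invoice link, and the partner address has its own budget.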

An expired link is not a lockout. Customers can always request a brand new link and regain access — no action is needed on your end. What the customer sees depends on where the link was taking them:

Portal login links — The portal login page is shown with an error message. The customer enters their email address and clicks Sign In With Email to receive a fresh link immediately.

Document and invoice links — A login dialog appears over the document, prompting the customer to enter their email. Readybuild sends a new link directly back to the same document — the customer does not lose their place.

Scheduling links — The customer sees an error and can contact you directly to make changes to their appointment.

Tip: If a customer reports that their link isn't working, ask them to enter their email on the page where they got stuck — they'll receive a new link right away. You can also resend the email from Readybuild to generate a fresh token.

Security

  • No passwords stored or transmitted — Authentication is entirely token-based
  • Cryptographically secure tokens — Tokens are generated using a cryptographically secure random generator and are 64 characters long
  • HTTPS only — All magic link URLs use HTTPS
  • Contact-scoped — A token is tied to a specific contact and email address; it cannot authenticate as a different person
  • Automatic cleanup — Expired tokens are periodically removed from the system
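
The token properties listed above, together with the validation steps and 7-day lifetime described earlier, can be sketched as follows. This is an added example, not Readybuild's code: the function names, the SQLite table layout, the purpose strings, and storing only a SHA-256 digest of each token are assumptions.

```python
import hashlib
import secrets
import sqlite3
import time

LINK_TTL = 7 * 24 * 3600  # links are valid for 7 days from when they are sent

def open_store():
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE contacts (id INTEGER PRIMARY KEY, active INTEGER)")
    db.execute(
        "CREATE TABLE tokens (digest TEXT PRIMARY KEY, contact_id INTEGER, "
        "email TEXT, purpose TEXT, expires_at REAL, used INTEGER DEFAULT 0)"
    )
    return db

def _digest(token):
    # Assumption: only a hash is stored, so a leaked table holds no usable links.
    return hashlib.sha256(token.encode()).hexdigest()

def issue(db, contact_id, email, purpose, now=None):
    now = time.time() if now is None else now
    row = db.execute("SELECT active FROM contacts WHERE id = ?", (contact_id,)).fetchone()
    if not row or not row[0]:
        return None  # inactive contacts are not sent links
    token = secrets.token_hex(32)  # CSPRNG output, 64 hex characters
    db.execute(
        "INSERT INTO tokens (digest, contact_id, email, purpose, expires_at) "
        "VALUES (?, ?, ?, ?, ?)",
        (_digest(token), contact_id, email, purpose, now + LINK_TTL),
    )
    return token  # embedded in the HTTPS URL; earlier unexpired links stay valid

def redeem(db, token, now=None):
    now = time.time() if now is None else now
    # One UPDATE checks "exists, unexpired, unused, contact active" and consumes
    # the token in the same step, so two racing clicks cannot both succeed.
    cur = db.execute(
        "UPDATE tokens SET used = 1 WHERE digest = ? AND used = 0 AND expires_at > ? "
        "AND contact_id IN (SELECT id FROM contacts WHERE active = 1)",
        (_digest(token), now),
    )
    if cur.rowcount != 1:
        return None  # login refused
    return db.execute(
        "SELECT contact_id, email, purpose FROM tokens WHERE digest = ?",
        (_digest(token),),
    ).fetchone()
```

The identity returned by `redeem` comes from the stored row, never from the request, which is what keeps a token scoped to the contact and email address it was issued for.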

Troubleshooting

Customer says the link doesn't work

  • Resend the email from Readybuild — this generates a new token
  • Ask the customer to check their spam or junk folder for the new email
  • Confirm you have the correct email address on the contact record

Customer has two email addresses and used the wrong link

  • Both links are valid independently — the customer should use the link sent to the email address they want to authenticate with
  • If one email is incorrect, update the contact record and resend

Customer clicks the link but ends up back at the login form

  • Their session may have already been established from a previous click — they may already be logged in and are being redirected normally
  • If not, the token may have already been used; resend the email

Customer is logged in on one device but can't access on another

  • Sessions are device-specific — a login on a phone does not carry over to a computer or a different browser
  • The customer simply needs to enter their email on the login page or document page to receive a new link for that device

Customer never receives any magic link emails

  • Check that the contact record is active — inactive contacts do not receive magic link emails and cannot log in
  • Reactivate the contact record if needed, then resend

Customer reports "too many requests" error

  • The rate limit (3 per hour) has been reached for that contact and purpose
  • Wait at least one hour before resending, or have the customer wait before requesting again from the login page