Clerk supports passwordless authentication with email links, which lets users sign in and sign up without having to remember a password. During sign in or registration, users will be asked to enter their email address. They will receive an email message with a link that can be clicked in order to complete the authentication process.
This one-click, link-based verification method is often referred to as an "email link". The process is similar to sending a one-time code to your users but skipping the part where they have to come back to your app and enter the code.
As a form of passwordless authentication, email links arguably provide greater security and a better user experience than traditional passwords. Since there are fewer steps involved in every authentication attempt, the user experience is better than one-time codes. However, email links are not without their downsides, and often still boil down to the email provider's "knowledge-based factor" instead of yours.
Email links are the default passwordless authentication strategy when using Clerk. They can be used to sign up new users, sign in existing ones, or allow existing users to verify newly entered email addresses to their profile.
Your users will still be able to choose an alternative authentication (or verification) method even after they've clicked the email link they received in their inbox. Email links are simply the default authentication method for email address-based, passwordless authentication in Clerk.
Email links can be used to easily authenticate users or verify their email addresses. Clerk will take care of the plumbing and allow you to offer a seamless experience to your users. The email link flow looks like this:
The user enters their email address and asks for an email link.
Your application waits for the verification result.
Clerk sends an email to the user, containing a link to the verification URL.
The user clicks the email link. This can happen on a different device from where they entered their email address if the Require the same device or browser setting is off.
Clerk will verify the user's identity and advance any sign-in or sign-up attempt that might be in progress. In case the verification fails, Clerk will inform the user.
Your user will now be signed in on the device that initiated the sign in.
If you would like email links work on any device, make sure the Require the same device or browser setting is off. When this setting is disabled, there's no constraint on where the link can be opened. For example, a user could try to sign in from their desktop browser, but open the link from their mobile phone. In this scenario, the user's sign in would be completed on the desktop browser from which it was initiated, not the mobile phone where it was verified. As a result, the user would be signed in on their desktop, not their phone.
As an additional security measure, we expire email links after a while. This way, we can guard against cases where a stale link might be compromised. From a user experience perspective, the email link flow is supposed to be nearly synchronous. Don't worry, your users will have plenty of time to complete the flow before the email link expires.
Clerk provides a highly flexible API that allows you to hook into any of the above steps while abstracting away all the complexities of an email link-based authentication or verification flow.
We take care of the boring stuff, like efficient polling, secure session management, and different device authentication so you can focus on your application code.
Email link authentication can be configured through the Clerk Dashboard. Go to User & Authentication > Email, phone, username. In the Authentication factors section of this page, choose Email verification link as the authentication factor.
Don't forget that you also need to make sure you've configured your application instance to request the user's email address. Users can receive email links only via email messages. Make sure you toggle on Email address under the Contact information section.
If you click on the Settings icon next to Email address, the email address configuration screen will pop open. You can toggle on Require if you want to make sure that all users have an email address associated with their profile.
You can also find the Verification methods section on this screen. Here, you can toggle on Email verification link if you would like to allow your users to verify their email with an email link. You can also toggle on Email verification code if you would like to allow your users to verify their email with a one-time passcode.
Note
Verification methods are different from Authentication strategies. Verification methods are used for verifying a user's identifier, such as an email address upon initial sign-up or when updating their profile. Authentication strategies are used for authenticating a user, such as when they are signing in to your application.
In case one of the above integration methods doesn't cover your needs, you can make use of lower-level commands and create a completely custom email link authentication flow.
Warning
You still need to configure your instance in order to enable email link authentication, as described at the top of this guide.
Registration with email links follows a set of steps that require users to enter their email address as an authentication identifier and click on a link that's delivered to them via email message.
If you would like to allow the sign-up process to be completed on a different device, make sure the Require the same device or browser setting is off. When this setting is disabled, users can enter their email address in their desktop browser, but click the sign-up email link from their mobile phone. The user's email address will still be verified and registration will proceed on the device from which the sign up was initiated.
Let's see all the steps involved in more detail.
Initiate the sign-up process by collecting the user's identifier. It must be their email address.
Start the email link verification flow. There are two parts to the flow:
Prepare a verification for the email address by sending an email with an email link to the user.
Wait until the email link is clicked. This is a polling behavior that can be canceled at any time.
Handle the email link verification result accordingly. Note that even if the email link is clicked on a different device/browser than the one which initiated the flow, the session will be created only on the original device.
The verification was successful so you need to continue with the sign-up flow.
The verification failed or the email link has expired.
Clerk provides a highly flexible API that allows you to hook into any of the above steps while abstracting away all the complexities of an email link-based sign-up flow.
Signing users into your application is probably the most popular use case for email links. Users enter their email address and then click on a link that's delivered to them via email message in order to sign in.
If you would like to allow the sign-in process to be completed on a different device, make sure the Require the same device or browser setting is off. When this setting is disabled, users can enter their email address in their desktop browser, but click the sign-in email link from their mobile phone. The user's email address will still be verified and authentication will proceed on the device from which the sign in was initiated.
Let's see all the steps involved in more detail.
Initiate the sign-in process, by collecting the user's authentication identifier. It must be their email address.
Start the email link verification flow. There are two parts to the flow:
Prepare a verification for the email address by sending an email with an email link to the user.
Wait until the email link is clicked. This is a polling behavior that can be canceled at any time.
Handle the email link verification result accordingly. Note that even if the email link is clicked on a different device/browser than the one which initiated the flow, the session will be created only on the original device.
The verification was successful so you need to continue with the sign-in flow.
The verification failed or the email link has expired.
Clerk provides a highly flexible API that allows you to hook into any of the above steps, while abstracting away all the complexities of an email link based sign-in flow.
Email links can also provide a nice user experience for verifying email addresses that users add when updating their profiles. The flow is similar to one-time code verification, but users need only click on the email link; there's no need to return to your app.
Collect the user's email address.
Start the email link verification flow. There are two parts to the flow:
Prepare a verification for the email address by sending an email with an email link to the user.
Wait until the email link is clicked. This is a polling behavior that can be canceled at any time.
Handle the email link verification result accordingly. Note that even if the email link is clicked on a different device/browser than the one which initiated the flow, the session will be created only on the original device.
The verification was successful.
The verification failed or the email link has expired.
Clerk provides a highly flexible API that allows you to hook into any of the above steps while abstracting away all the complexities of an email link-based email address verification.