Magic Link Sign-In
How passwordless sign-in works for members, plus troubleshooting when links don't arrive.
Members sign into the portal with a magic link — no passwords. They enter their email, get a one-time link, click it, and they're in. Sessions last 30 days, so most members rarely sign in more than once a quarter.
The flow, end to end
Member visits the portal
Either the default subdomain or your custom domain. They see a single "Email address" field.
They enter their email
The portal looks up the contact in your CRM by email. If found, a magic link is generated and emailed. If not found, the portal still shows "Check your email" — we don't reveal whether an email exists in your system, to avoid enumeration.
The link arrives
Sent from your transactional sender ([email protected] if you've set up email identity, otherwise from [email protected]). The link is single-use and expires after 15 minutes.
They click the link
The portal verifies the token, attaches a session cookie, and redirects to the portal home. The session is valid for 30 days.
They stay signed in
Subsequent visits don't require a new link unless they sign out, clear cookies, or the session expires.
Why magic links instead of passwords?
- Members don't visit often
A typical member sees the portal 4–8 times a year. Forgotten passwords would be the #1 support ticket.
- No password storage
OnCloudWine never stores member passwords, so there is no password database to breach.
- Email is already the identity
The contact's email is how you reach them anyway. Using it for sign-in is the simplest possible flow.
- Trusted-device feel
The 30-day session means returning members are signed in without friction.
What members see
members.yourwinery.com
Sign-in form — single email field, no password.
- Step 1: Enter your email address
- Step 2: Check your email for a sign-in link
- Step 3: Click the link to sign in
Troubleshooting
When a member says "I'm not getting the link", check these in order:
Verify the email matches their contact
Different capitalization, typos, or an old address — search Contacts to confirm. If they're using an email that isn't on their contact, no link will be sent (and no error shown).
Check spam
Magic links sometimes land in spam, especially before you've configured SPF/DKIM for your custom email domain. Ask the member to mark "not spam" if found.
Confirm transactional email is healthy
From the activity log, filter by Type: WEBHOOK and look for recent bounce or rejection events from your email provider.
Re-send from the dashboard
Open the contact's detail page and click Send sign-in link. The same magic link is generated on demand and emailed to the address on file.
Last resort: temporary email change
If their email itself is broken, update the contact email to a working address and ask them to sign in there. They can change it back from the portal once signed in.
Link security
| Property | Behavior |
|---|---|
| Single-use | Each link works exactly once. After click, it cannot be reused. |
| 15-minute expiry | Links expire 15 minutes after being sent. Members can request a new one any time. |
| IP-bound (optional) | You can require the link to be opened from the same IP it was requested. Off by default. |
| Same-tab only | Links are designed to be opened in the same browser/tab they were requested in. Cross-device clicks still work but with a confirmation step. |
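
The single-use and 15-minute rules in the table, together with the uniform "Check your email" response from the flow, shown as an added Python example (not OnCloudWine's code). The `MagicLinkStore` class, its in-memory storage, the injectable clock and the `example.test` addresses are assumptions made for illustration.

```python
import hashlib
import secrets
import time

TOKEN_TTL = 15 * 60  # seconds; the page states links expire 15 minutes after being sent


class MagicLinkStore:
    """Hypothetical in-memory token table; a real portal would use a database."""

    def __init__(self, known_emails, clock=time.time):
        self.known = set(known_emails)  # stand-in for the CRM contact lookup
        self.clock = clock              # injectable so expiry can be tested
        self.pending = {}               # sha256(token) -> (email, expires_at)
        self.outbox = []                # (email, token) pairs that would be emailed

    @staticmethod
    def _digest(token):
        # Store only a hash, so a leaked token table cannot be replayed as links.
        return hashlib.sha256(token.encode()).hexdigest()

    def request_link(self, email):
        if email in self.known:
            token = secrets.token_urlsafe(32)  # 256 bits from the OS CSPRNG
            self.pending[self._digest(token)] = (email, self.clock() + TOKEN_TTL)
            self.outbox.append((email, token))
        # Identical response whether or not the contact exists (no enumeration).
        return "Check your email"

    def redeem(self, token):
        # pop() removes the entry on first use, which enforces single-use
        # even when the token turns out to be expired.
        entry = self.pending.pop(self._digest(token), None)
        if entry is None:
            return None
        email, expires_at = entry
        if self.clock() > expires_at:
            return None
        return email  # caller would now attach the session cookie
```

The response body is only one enumeration signal: response time should also be comparable for known and unknown addresses, for example by sending the email from a background queue.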
Sessions
After a successful sign-in, the member has a session cookie:
- 30 days expiration
- Refreshed on each visit (sliding window)
- Bound to the device — signing in on another device creates a separate session
- Revoked if you change the contact's email
Forced sign-out
If you need to force a member to re-authenticate (suspected account takeover, payment dispute, etc.):
Open the contact's detail page
From Contacts.
Open the actions menu
Click ⋯ next to the contact name.
Choose Revoke sessions
Every active session for the contact is invalidated immediately. They'll need to request a new magic link the next time they visit.