Magic Links and issues with tokens expiring, security issues

Ok so it appears with Microsoft Outlook corporate email any Magic links sent to login will be examined and ‘used’ - therefore expiring them before the user has the opportunity to login… frustrating.

To see this what you need to do is get the link from the magic link the client receives, copy the link out of the email and send it to you - it will look something like this:

When clicked by the user receiving the email, it break the token and they get a message about the issue, io it doesn’t do anything at all depending on the browser (so I found out)

*side note - this is the same if you try to send the links in a Whatsapp message to a user (who’s helping you test) - this does the same thing and invalidates the token.

So to fix it what I did in my case is to create the workflow for the Magic Link, but i ticked the box to create the link only.

Now in a subsequent workflow action I recreate the same email, grabbed the link from the previous workflow step and extracted the token from the url and popped this in a URL parameter pointed at an intermediary page (more next on this) rather than send the whole link in the parameter - mainly because its ugly.

Link example:

On the intermediary page (redirect) I create a workflow action on page load to pause for 1 second and then I send them to an external page where I recreate the magic link url from the URL parameter and the url that is usually sent - looks like this:

{website home url} api/1.1/login-link?key=121212121212x1123131313

{website home url } is your website - use this because it adds or removed version-test etc

Ends up like this: (or without if live).

there will be refinements to this I am sure, but I needed a quick solution right now.

In the future they could change the security to follow JavaScript redirects, but I doubt it as there is an arbitrary delay, but be mindful just in case. And you could add a clickable screen, albeit annoying.

I hope this helps someone pain - lost me half a day.


Thanks for sharing. It may be more useful as a Tip though…


Hi, You’d better report as a BUG. This is an important issue, Bubble should care about !

Its not really a bug as such, it’s a security feature of the vendor software - in this case microsoft. They are looking at the links and following them to see if they are melicious and due to the ‘one time use’ of the links it expires them when the user clicks.

This method resolves the issue fine

How “Extracted the Token” works, Can you detail
As the output is always a link, Did you use truncated from end ?

sure thing, because it outputs a link instead of a key/token you have to extract that token from the url - I did it like this

results of (the magic link step) :split by (=) last item.

1 Like


This no longer seems to work, the only way around it for me at this stage is to put an intermediary button for the user to click to initiate the magic link - not ideal.

Or have the clients IT department put the domain in the whitelist of the Outlook security solution.

Ill update this if I find any other workarounds - there are a number of posts around the internet on this issue happening with a number of other systems that use magic links.

Appreciate it for keeping us in the loop @stuart4 :smiley:

1 Like