Magic Link for Keycloak

Email-link passwordless authentication for Keycloak, plus an API for issuing magic links from your application — for invitations, onboarding, and account recovery flows.

The problem

Keycloak has no built-in email magic link flow

"Passwordless" in upstream Keycloak means WebAuthn or OTP — neither of which is what users mean when they ask for "send me a login link."

  1. The Slack/Notion UX is missing

    The dominant SaaS login pattern of 2026 — type your email, click a link, you're in — has no first-party support in Keycloak.

  2. Teams rebuild it badly

    Everyone ends up writing their own version, with custom auth flows, ad-hoc email integration, and inconsistent expiry and single-use semantics.

  3. Invitation flows go nowhere

    Without a programmatic way to issue links, invitation, onboarding, and recovery flows fall back to passwords or password resets.

Why we built it

An authenticator and an API, in one extension

We built Magic Link to fill two gaps at once: the user-driven "email me a link" flow and the server-driven "issue a link to this user" API.

  1. Drop-in authenticator

    Use as a standard step in any Keycloak authentication flow. Replaces — or complements — the password authenticator.

  2. Server-side issue API

    Request a link from your backend and email it through your existing transactional mail pipeline. The piece that actually unlocks invitations and onboarding.

  3. Auto-create on first click

    Optionally create the user account on first redemption. Combined with the issue API, that's a full invitation flow in one round trip.

  4. Recovery and step-up

    Time-bound, single-use, audit-logged. Use as account recovery or as step-up re-authentication before sensitive actions.

What teams use it for

Passwordless login

Users type their email, get a one-time link, click it, and they're in. The Slack/Notion/Linear pattern, on Keycloak.

Invitation flows

Issue a magic link from your backend when someone is invited to an organization. They click and land already authenticated and onboarded.

Step-up re-authentication

Trigger an email-link re-auth before sensitive actions — payment changes, role assignment, account deletion — without forcing a password.

Account recovery

Use as a recovery path when users lose access to their primary credential. Time-bound, single-use, audit-logged.

Key capabilities

Authenticator + API

Use as a standard authenticator in any Keycloak flow, and as a REST API to issue links server-side. One extension, both modes.

Auto-create users on first link

Optionally create the user account on first click. Combined with the invitation use case, this is the entire onboarding flow in one round trip.

Get started

Install from GitHub

Drop the JAR into your Keycloak providers directory, or build from source.

p2-inc/keycloak-magic-link

Read the guide

Walkthrough of the authenticator setup and API usage.

Magic Link blog post

Skip the install

Phase Two managed Keycloak ships with Magic Link enabled and the issue-link API ready to use.

Try the hosted version