Authentication

Passwordless email login for Keycloak.

Email-link sign-in plus API-triggered magic links for invitations, email verification, and onboarding flows. Signed, single-use, server-validated.

PasswordlessSigned URLsAPI-TriggeredConfigurable TTLSingle-Use

Magic Link · architecture

The problem

Passwords are the worst part of onboarding.

Pain 1

Passwords kill conversion

Every password requirement at signup costs you new users — especially on B2B trials.

Pain 2

Onboarding is multi-step

Invitation, email verification, password setup — by the time the user finishes, they've forgotten why they signed up.

Pain 3

Reset flows are fragile

Forgot-password flows are an attack surface, a support cost, and a deliverability headache all at once.

Our approach

Make email the credential

One signed link, one session

The link is the credential. HMAC-signed, single-use, expires fast.

API-triggered for invites

Generate a magic link from your backend whenever you need one — onboarding, verification, recovery.

Drop-in login flow

Adds a 'Sign in with magic link' option to the standard Keycloak login screen.

Configurable everywhere

TTL, redirect URI, template, per-realm — tune it for the use case.

What teams use it for

Where magic links shine

Anywhere the user has an email and you'd rather not deal with a password.

Passwordless sign-in

First-class option on the login screen.

Invitations

Click → join organization. No setup.

Email change confirmation

Verify the new address before flipping the switch.

Account recovery

Without the password-reset blast radius.

Key capabilities

Everything a production magic link needs

HMAC-signed URLs

Tamper-evident. Server validates every link.

Single-use tokens

Token is consumed on first valid click.

Configurable TTL

Short for sign-in, longer for invitations.

API endpoint

POST /magic-link to generate a link from your backend.

Template integration

Plays nicely with the Themes extension for branded emails.

Per-realm config

Different rules per tenant when needed.

Get started

Three ways to ship Magic Link

Self-host

Run it yourself

Pull the JAR or pre-built container into your Keycloak deployment.

Docs

Read the guides

Install steps, configuration, API reference, and migration notes.

Hosted

Let us run it

Try the hosted Phase Two — all extensions installed and configured.

Instant MCP authorization using Keycloak.

Experimental SCIM 2.0 for Organizations.

Migrating from WorkOS to Keycloak.

Redis/Valkey instead of Infinispan.

A new Keycloak theme experience.

Run the Keycloak Admin UI locally.

What you'd pay vs Auth0.