
Overview

The Redirect Allowlist is a security feature that restricts which URLs users can be redirected to after completing OAuth authentication. When enabled, Magic will only allow redirects to URLs that are explicitly included in your allowlist.

Security Benefits

Phishing Prevention

Prevents attackers from redirecting users to malicious websites or phishing pages during OAuth flows.

Data Protection

Protects sensitive authentication data by ensuring users are only redirected to trusted destinations.

How It Works

When a user completes OAuth authentication:
  1. URL Validation: Magic checks the redirect URL against your allowlist
  2. Security Check: Only pre-approved URLs are allowed for redirection
  3. User Safety: Users are protected from being redirected to malicious sites

OAuth Only: The Redirect Allowlist is only relevant when using OAuth providers (like Google, GitHub, etc.) as your authentication method. It doesn’t apply to non-OAuth authentication methods.

Usage

Dashboard Configuration

  1. Access Your Application: Navigate to the Magic Dashboard and select the application you want to configure.
  2. Open Settings: Go to the Settings tab of your selected application.
  3. Find Allowlist Section: Scroll down to the “Allowed Origins & Redirects” section.
  4. Enable Redirect Allowlist: Toggle the Redirect switch to enable it.
  5. Add Redirect URLs: In the text input field that appears, add the redirect URLs you want to allow. You can add multiple URLs by separating them with commas or line breaks.
  6. Save Changes: Click Save to apply your redirect allowlist configuration.

URL Formatting

When adding redirect URLs to your allowlist, follow these formatting rules:
  • Web URLs: https://example.com, https://app.example.com/path
  • Custom schemes: myapp://, myapp://callback
  • Mobile deep links: myapp://open, myapp://auth/callback
  • Universal Links: https://example.com/app-link
  • Localhost: http://localhost:3000, http://localhost:3000/callback

Example allowlist entries:
  https://example.com
  https://app.example.com/callback
  https://staging.myapp.com/auth/success
  myapp://auth/callback
  expo://
  http://localhost:3000

Matching rules:
  • Explicit paths: https://example.com does not include https://example.com/path
  • No query strings: Query parameters and hash fragments are ignored during validation
  • Wildcards: Use https://*.example.com for subdomain wildcards
  • Protocols: Include the full protocol (https:// or http://) for web URLs
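To make the matching rules above concrete, here is an added example of an allowlist matcher that applies them to a candidate redirect URL. It is illustrative code written for this page, not Magic's own implementation, and several details are assumptions where the page is silent: a trailing slash is ignored, a `*.example.com` wildcard does not cover the bare `example.com`, custom-scheme entries such as `myapp://auth/callback` are matched literally, and the allowlist is supplied as the dashboard's comma- or line-break-separated text. The candidate URL is parsed with the WHATWG URL parser so that tricks like embedded credentials (`https://example.com@evil.com`) or `..` path segments are normalized before comparison.

```javascript
// Added example, not Magic's implementation: an allowlist matcher that follows
// the rules stated on this page. How Magic's servers actually compare entries
// is an assumption here.

const SENTINEL = "wildcard-label"; // stands in for "*" so a wildcard entry can be parsed as a URL

// Keep only the parts of a URL that matter for matching: scheme, lowercase
// host, explicit port and path. Query string and hash are dropped, which is
// the "No query strings" rule.
function normalize(urlString) {
  let u;
  try {
    u = new URL(urlString);
  } catch {
    return null; // unparsable input never matches
  }
  return {
    protocol: u.protocol,                   // "https:", "http:", "myapp:"
    hostname: u.hostname.toLowerCase(),
    port: u.port,                           // "" when absent or the scheme default
    path: u.pathname.replace(/\/+$/, ""),   // trailing slash ignored (assumption)
  };
}

// Parse one allowlist entry; "https://*.example.com" is a subdomain wildcard.
function parseEntry(entry) {
  const text = entry.trim();
  const wildcard = /^[a-z][a-z0-9+.-]*:\/\/\*\./i.test(text);
  const parsed = normalize(wildcard ? text.replace("*.", `${SENTINEL}.`) : text);
  if (!parsed) return null;
  if (wildcard) parsed.hostname = parsed.hostname.slice(SENTINEL.length + 1); // base domain only
  return { ...parsed, wildcard };
}

function entryMatches(entry, target) {
  if (entry.protocol !== target.protocol) return false; // "Protocols" rule: http is not https
  if (entry.port !== target.port) return false;
  if (entry.path !== target.path) return false;         // "Explicit paths" rule
  if (!entry.wildcard) return entry.hostname === target.hostname;
  // Wildcard: the target needs at least one label in front of the base domain;
  // the bare base domain itself is not covered (assumption).
  const suffix = `.${entry.hostname}`;
  return target.hostname.endsWith(suffix) && target.hostname.length > suffix.length;
}

// allowlist is the raw dashboard text: entries separated by commas or line breaks.
function isRedirectAllowed(redirectUrl, allowlist) {
  const target = normalize(redirectUrl);
  if (!target) return false;
  const entries = allowlist.split(/[\n,]+/).map(parseEntry).filter(Boolean);
  return entries.some((entry) => entryMatches(entry, target));
}

// Constructed sample allowlist in the dashboard's comma / line-break format.
const SAMPLE_ALLOWLIST = `
https://example.com, https://app.example.com/callback
https://*.staging.example.com
myapp://auth/callback
http://localhost:3000
`;

// Constructed candidates: two that should pass and two that should be refused.
for (const candidate of [
  "https://example.com/?code=abc#state",
  "https://preview.staging.example.com",
  "https://example.com/path",
  "https://example.com@evil.com/",
]) {
  console.log(candidate, "->", isRedirectAllowed(candidate, SAMPLE_ALLOWLIST));
}
```

Because the comparison is done on the parsed components rather than on the raw string, a prefix check such as `url.startsWith("https://example.com")` (which would wrongly accept `https://example.com.evil.com`) is never needed, and an unparsable or non-web scheme such as `javascript:` falls through to a refusal because no entry shares its protocol.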

Mobile Applications

For mobile applications, you can use both Deep Links and Universal Links (App Links on Android). We recommend Universal Links/App Links for increased security.

Mobile Deep Links: Use custom URL schemes like myapp:// for deep linking within your mobile app.

Universal Links: Use HTTPS URLs that can open your mobile app when available, falling back to web if the app isn’t installed.

Programmatic Configuration

You can manage your redirect allowlist programmatically using the Magic API. This is useful for:
  • Automated deployments: Add redirect URLs as part of your CI/CD pipeline
  • Bulk management: Add or remove multiple redirect URLs at once
  • Integration: Manage redirect URLs from your own admin interface

Prerequisites

To use the programmatic API, you’ll need your Secret Key:
  1. Access Your Application: Navigate to a Magic app from the main dashboard landing page.
  2. Get Your Secret Key: On the app home page, scroll to the API Keys section.
  3. Copy Secret Key: Copy your Secret Key from the API Keys section.

Security: Keep your Secret Key secure and never expose it in client-side code or public repositories.

API Operations

curl -X GET 'https://api.dashboard.magic.link/v1/admin/access_whitelist' \
  -H 'X-Magic-Secret-Key: sk_live_XXXXXXXX'