# Magic link postlogin

Complete passwordless authentication using a magic link. This is the second step in the magic link passwordless login flow for local users. After the user clicks the link in their email, this endpoint validates the token and authenticates the user.

Request body must include:

- token: The token ID extracted from the magic link.
- invitationToken (optional): Include if the user is signing up through an invitation.
- recaptchaToken (optional): Required if reCAPTCHA is enabled for login.

Use this endpoint to complete the magic link login flow and receive authentication credentials, including a JWT and a refresh cookie.

Endpoint: POST /resources/auth/v1/passwordless/magiclink/postlogin

Security: bearer

## Request fields (application/json):

- `token` (string, required)
  One-time code to log in with. Get it from the email sent after the prelogin request.
- `recaptchaToken` (string)
- `invitationToken` (string)

## Response 201 fields (application/json):

- `tokenType` (string)
- `otcToken` (string)
- `mfaRequired` (boolean, required)
- `mfaToken` (string)
- `resetPasswordToken` (string)
- `passwordExpiresIn` (number)
- `notificationPeriod` (number)
- `mfaEnrolled` (boolean)
- `mfaDevices` (object)
- `mfaDevices.webauthn` (array, required)
- `mfaDevices.webauthn.id` (string, required)
- `mfaDevices.webauthn.deviceType` (string, required)
  Enum: "Platform", "CrossPlatform"
- `mfaDevices.webauthn.name` (string, required)
- `mfaDevices.phones` (array, required)
- `mfaDevices.phones.phoneNumber` (string, required)
- `mfaDevices.authenticators` (array, required)
- `mfaDevices.emails` (array, required)
- `mfaDevices.emails.email` (string, required)
- `mfaStrategies` (object)
- `qrCode` (string)
- `recoveryCode` (string)
- `accessToken` (string, required)
- `refreshToken` (string, required)
- `expiresIn` (number, required)
- `expires` (string, required)
- `userId` (string)
- `userEmail` (string)
- `emailVerified` (boolean)
- `isBreachedPassword` (boolean)
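
The following is an added example, not code from this API's vendor: a client-side check that builds the postlogin body and refuses to treat a response as a session unless the required 201 fields listed above are present with the documented types. The function names and next-step labels are hypothetical, and it assumes that `mfaRequired: true` means a second factor is still pending.

```python
# Field names and the 201 status come from the reference above; function
# names and next-step labels are hypothetical (added example).
REQUIRED_201 = {
    "mfaRequired": bool,
    "accessToken": str,
    "refreshToken": str,
    "expiresIn": (int, float),
    "expires": str,
}

def build_postlogin_body(token, recaptcha_token=None, invitation_token=None):
    """Build the JSON body; optional fields are sent only when supplied."""
    if not isinstance(token, str) or not token:
        raise ValueError("token is required and must be a non-empty string")
    body = {"token": token}
    if recaptcha_token:
        body["recaptchaToken"] = recaptcha_token
    if invitation_token:
        body["invitationToken"] = invitation_token
    return body

def check_postlogin_response(status, body):
    """Return (next_step, problems) for a decoded postlogin response."""
    if status != 201:
        return "rejected", [f"unexpected status {status}"]
    if not isinstance(body, dict):
        return "rejected", ["body is not a JSON object"]
    problems = []
    for name, kind in REQUIRED_201.items():
        value = body.get(name)
        if name not in body:
            problems.append(f"missing required field {name}")
        # bool is a subclass of int in Python: reject it for non-boolean fields.
        elif not isinstance(value, kind) or (kind is not bool and isinstance(value, bool)):
            problems.append(f"wrong type for {name}")
    if problems:
        return "rejected", problems
    if body["mfaRequired"]:
        # Assumption: do not treat accessToken as a full session yet.
        return "mfa_challenge", []
    if body.get("isBreachedPassword") is True:
        return "authenticated_breached_password", []
    return "authenticated", []

if __name__ == "__main__":
    # Constructed sample response, not real output from the service.
    sample = {"mfaRequired": True, "mfaToken": "constructed", "accessToken": "a",
              "refreshToken": "r", "expiresIn": 3600, "expires": "constructed"}
    print(check_postlogin_response(201, sample))
```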