Magic Token Explained
What is Magic Token?
Magic Token is RealVco mVPSโs simplified login mechanism. Traditional username/password requires remembering multiple pieces of information, while Magic Token lets you log in with just one click.
How It Works
โโโโโโโโโโโโโโโ โโโโโโโโโโโโโโโ โโโโโโโโโโโโโโโ
โ Link in โโโโโ>โ Magic Link โโโโโ>โ Automatic โ
โ your email โ โ (with Token)โ โ Login โ
โโโโโโโโโโโโโโโ โโโโโโโโโโโโโโโ โโโโโโโโโโโโโโโWhen you click the Magic Link in your email:
- Browser opens link โ URL contains a one-time or short-term authentication token
- System verifies token โ Confirms token is valid and not expired
- Session established โ Automatically logs in and stores credentials in browser localStorage
- Subsequent auto-login โ As long as token hasnโt expired, opening the page again automatically logs you in
Token Types
RealVco uses two types of tokens:
| Token Type | Purpose | Validity |
|---|---|---|
| Magic Link Token | First-time login | 24 hours |
| Session Token | Maintains login state | 30 days |
Magic Link Token
- Appears in the installation completion notification email
- Embedded in Admin Panel and AI partner access URLs
- One-time use, becomes invalid after use
- Expires after 24 hours
Session Token
- Automatically stored in browser after successful login
- Direct access to URLs will auto-login thereafter
- Expires after 30 days of non-use
- Requires Magic Link again after clearing browser data
Security Considerations
Why Magic Token is Secure
While โone link to loginโ might sound insecure, there are multiple layers of protection:
| Security Mechanism | Description |
|---|---|
| HTTPS Encryption | All links use HTTPS, tokens are encrypted during transmission |
| Unpredictable Tokens | Cryptographically secure random generation, cannot be guessed |
| Short-term Validity | Magic Link automatically expires after 24 hours |
| One-time Use | Becomes invalid immediately after use, cannot be reused |
| IP Restriction | Token is bound to the IP range of first use, reducing theft risk |
Protect Your Magic Link
โ ๏ธ Important Reminders:
- Donโt share your Magic Link with untrusted people
- Donโt post publicly (e.g., on forums, GitHub)
- Regularly check login records in Admin Panel
- If you suspect leakage, immediately redeploy the container to generate a new token
FAQ
Q: What if I forgot to save the Magic Link?
A: There are two ways to get it back:
- Copy from Admin Panel: After logging into Admin Panel, you can copy each containerโs Magic Link
- Contact support: Provide proof of purchase, support can resend the installation email
Q: Can I use it on multiple devices?
A: Yes! Magic Link can be used on multiple devices. Each device will establish an independent Session Token.
Q: What if I clear browser data?
A: Youโll need to use the original Magic Link to log in again. We recommend saving the installation email in a safe place.
Q: How do I log out?
A: There is currently no active logout feature. If you need to force logout, you can:
- Clear browser localStorage
- Or redeploy the container (generates new token, old one becomes invalid)
Technical Details (For the Curious)
Tokens use JWT (JSON Web Token) format, containing the following information:
Header: { "alg": "HS256", "typ": "JWT" }
Payload: {
"sub": "container_id",
"iat": 1234567890,
"exp": 1234654290,
"role": "admin"
}
Signature: HMACSHA256(base64(header) + "." + base64(payload), secret)Tokens are verified server-side to prevent forgery.