Magic Login Pro provides a REST API that allows programmatic generation of login links and optional delivery via email. It is ideal for custom front-end workflows, mobile app integration, and automation scenarios.
Enable API Access

To use the REST API, enable it from the WordPress admin panel:
- Go to Settings → Magic Login PRO → Login (tab).
- Toggle Enable REST API.
Once enabled, the plugin will register the REST endpoint.
Authentication
You will need to use “Basic Auth” as the authorization method, which you can set up by creating an application password in WordPress.
Only users with the edit_user capability can request login links on behalf of others. For example:
- Administrators can generate login links for any user. (Super Admins, if Magic Login PRO is activated on a multisite.)
- Subscribers can only generate links for themselves.
Endpoint Details
- URL: https://yourdomain.com/wp-json/magic-login/v1/token
- Method: POST
Required Headers
Authorization: Basic base64(user:application-password)
Content-Type: application/json
Request Parameters
| Parameter | Type | Required | Description |
|---|---|---|---|
| user | string | Yes | User ID, username, email, or phone number. |
| send | boolean | No | If true, sends the login link via email or SMS (if SMS is enabled). |
| redirect_to | string | No | Optional URL to redirect to after login. |
| qr | boolean | No | If true, includes a QR code URL in the response. |
| qr_img | boolean | No | If true, includes an HTML <img> tag with the QR code in the response. |
Example Request
```bash
curl -X POST https://yourdomain.com/wp-json/magic-login/v1/token \
  -H "Authorization: Basic <base64-credentials>" \
  -H "Content-Type: application/json" \
  -d '{
    "user": "[email protected]",
    "send": true,
    "redirect_to": "https://yourdomain.com/dashboard",
    "qr": true,
    "qr_img": true
  }'
```
Response:
```json
{
  "link": "https://yourdomain.com/wp-login.php?user_id=12&token=...",
  "mail_sent": true,
  "qr": "https://yourdomain.com/magic-login-qr?url=...",
  "qr_img": "<img src=\"https://yourdomain.com/magic-login-qr?url=...\" width=\"150\" alt=\"Scan to login\">"
}
```
Error Response
If no user is found:
```json
{
  "code": "missing_user",
  "message": "No account matches the given user."
}
```
HTTP Status Code: 422
Notes
- Phone number login is supported if SMS login is enabled.
- The `user` field accepts user ID, username, email, or E.164-formatted phone numbers (e.g., +1234567890).
- Use `qr` and `qr_img` to simplify front-end QR code integrations.
- The QR code URLs returned are compatible with any browser or email client.
This REST API is perfect for building custom login interfaces while retaining the security and simplicity of Magic Login.
Rate Limit
Magic Login PRO includes built-in API rate limiting starting from version 2.6.2. If you use Magic Login’s API endpoints — either directly or through an integration — we strongly recommend turning this feature on.

Why Rate Limiting Is Important
Rate limiting helps protect your site from automated abuse. Without it, someone could:
- Try to guess which email addresses or phone numbers exist on your site
- Repeatedly trigger token generation
- Send a large number of requests to slow down your server
By limiting how many requests can be made in a short amount of time, these types of attacks become much harder.
How Rate Limiting Works
When you enable rate limiting:
- Each API request is linked to a hashed version of the visitor’s IP address. (Only the hash is stored — never the raw IP, so it’s privacy-friendly and GDPR-safe.)
- The plugin keeps track of how many requests that client makes during the time window you set.
- If the number of requests passes the limit, the client is temporarily blocked from making more requests.
- The block is automatically lifted after the cooldown period ends.
There is nothing you need to clean up manually — everything resets on its own.
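The mechanism described above, as an added Python sketch that is not Magic Login PRO's own code: requests are counted per hashed client IP inside a time window, an over-limit client is blocked for a cooldown, and the block lifts on its own. The class name, the `limit`/`window`/`cooldown` parameters, the in-memory store and the use of a keyed HMAC-SHA256 for the hash are all assumptions; the page only states that a hash of the IP is stored.

```python
import hashlib
import hmac


class HashedIpRateLimiter:
    """Request counter keyed on a hashed client IP, with a cooldown block."""

    def __init__(self, secret, limit=5, window=60, cooldown=300):
        self.secret = secret      # assumed server-side key: a bare hash of an
                                  # IPv4 address can be reversed by enumeration
        self.limit = limit        # requests allowed per window (assumed name)
        self.window = window      # window length in seconds (assumed name)
        self.cooldown = cooldown  # block length in seconds (assumed name)
        self.state = {}           # hashed IP -> (window_start, count, blocked_until)

    def client_key(self, ip):
        # Only this digest is stored; the raw IP never enters self.state.
        return hmac.new(self.secret, ip.encode(), hashlib.sha256).hexdigest()

    def allow(self, ip, now):
        """Return (allowed, retry_after_seconds) for a request at time `now`."""
        key = self.client_key(ip)
        start, count, blocked_until = self.state.get(key, (now, 0, 0))
        if now < blocked_until:
            return False, blocked_until - now
        if blocked_until or now - start >= self.window:
            # Cooldown ended or the window rolled over: the counter resets.
            start, count, blocked_until = now, 0, 0
        count += 1
        if count > self.limit:
            blocked_until = now + self.cooldown
            self.state[key] = (start, count, blocked_until)
            return False, self.cooldown
        self.state[key] = (start, count, blocked_until)
        return True, 0

    def purge(self, now):
        # Drop entries that are neither blocked nor inside an active window.
        self.state = {k: v for k, v in self.state.items()
                      if now < v[2] or now - v[0] < self.window}


if __name__ == "__main__":
    rl = HashedIpRateLimiter(b"constructed-demo-secret", limit=3, window=60, cooldown=120)
    for t in (0, 1, 2, 3, 50, 122, 124):  # constructed request times, in seconds
        print(t, rl.allow("203.0.113.7", now=t))
```

A blocked client would normally receive the `retry_after` value in a `Retry-After` header on an HTTP 429 response; how the plugin reports a block is not stated on this page.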