Behind the build: Building passwordless auth for developers

Founding Engineer

No items found.

A couple of months ago, we started rethinking authentication from the ground up.

What if auth could be secure, modern, and developer-friendly, freeing you from boilerplate code, heavy migrations, or disruptive architectural changes?

That question led us to headless, modular authentication, and to headless passwordless as one of its cleanest, most intuitive building blocks.

Why we built a passwordless module

Most teams hold on to traditional auth longer than they want to. Not because they think auth methods like passwords are perfect, but because overhauling an existing auth stack to make timely upgrades feels like open-heart surgery.

Switching to modern methods like passwordless or passkeys usually means multi-month projects, cross-team coordination, and significant risk. Too often, those projects stall because the cost in developer hours, migrations, and downtime is simply too high.

That is why we built our passwordless auth module to be headless and modular to give teams a timely upgrade when they want one.

Headless means you keep your UI and flows as they are while Scalekit handles login methods like Magic links or Email OTP behind the scenes.
Modular means you can add just what you need — start with passwordless today, and add passkeys or MFA later, without touching your core user architecture.

It gives teams a flexible head start. You can ship a secure, modern auth method in days instead of months, then iterate toward a fully modern stack at your own pace.

Three APIs. That’s it.

Scalekit integrates seamlessly with your existing identity setup — no migrations required. Whether your user data lives in Firebase, Supabase, Postgres, or a custom database, Scalekit simply adds a passwordless layer on top. It takes care of token lifecycles, email delivery, OTP fallbacks, and abuse prevention, all managed from a single, centralized dashboard. In practice, the entire flow boils down to just three secure, server-friendly API calls.Step 1: Send the first passwordless email.

Step 1: Send the first passwordless email

Our first prototype was dead simple:

Collect an email → send a magic link → verify → done.

curl -L '/api/v1/passwordless/email/send' \ -H 'Content-Type: application/json' \ -H 'Authorization: Bearer ' \ --data-raw '{ "email": "dev@example.com", "expires_in": 300, "state": "build-2025", "template": "SIGNIN", "magiclink_auth_uri": "https://yourapp.com/passwordless/verify" }'

‍

The response gives you a scoped ^{auth_request_id}, ready for verification.

No migrations. No refactoring. No drama.

Step 2: Verify the user

Once the user clicks their magic link or enters their code, you verify with one call:

curl -L '/api/v1/passwordless/email/verify' \ -H 'Content-Type: application/json' \ -H 'Authorization: Bearer ' \ --data-raw '{ "auth_request_id": "auth_1a2b3c", "code": "123456" }'

Step 3. Handling resends gracefully

Not every user nails it on the first try — emails get buried, links expire, codes get mistyped. That’s why we built a simple resend flow right into the API.

With one call, you can issue a fresh verification email — either with a new one-time code, a new magic link, or both (if you’ve enabled that option in your dashboard):

curl -L '/api/v1/passwordless/email/resend' \ -H 'Content-Type: application/json' \ -H 'Authorization: Bearer ' \ --data-raw '{ "auth_request_id": "auth_1a2b3c" }'

The response mirrors the original send, with updated expiration details and passwordless type.

Good to know:

Fresh credentials on resend: Enable this in the dashboard to rotate codes and links each time for extra security.
Rate limits: Max two emails per minute per user to prevent abuse.

This small addition made a huge difference in production — reducing support tickets and improving the overall login experience without adding complexity to the flow. A few hundred milliseconds later, you have a signed session token, ready to power your app’s login flow.

Drag-and-drop, no refactor required

Because Scalekit is headless, adding passwordless feels like dropping in a new widget:

No breaking changes for existing users
No rewriting your front-end or API layer
No migrating stored credentials

Your users see a slick, modern login. You keep the same clean session API you already know.

Security from the start

We baked in security from day one:

Replay protection for magic links
Rate limits to prevent abuse
Session signing consistent across all modules

Secure defaults, without extra configuration.

Scaling in production

When we rolled passwordless into our own dashboard and internal tools, we saw:

Traffic spikes handled seamlessly during newsletter-driven login surges
Staging and production parity that made testing painless
Developer adoption across teams because setup took hours, not weeks

Headless, modular architecture made it easy to scale quickly without touching unrelated parts of the system.

What’s next

We are already building:

Passkey integration with the same modular APIs
MFA support with methods like mobile OTP
Improved observability for usage tracking and debugging

Passwordless is just the start. We are building toward auth as infrastructure — modular, flexible, and built to grow with your app.

FAQs

What are the main benefits of headless authentication architecture?

Headless authentication separates the user interface from the backend logic, allowing developers to maintain full control over the frontend experience. This architecture ensures that you can implement modern login methods like magic links or email OTP without redesigning your existing UI or altering core application flows. By decoupling these layers, Scalekit provides the necessary infrastructure for security and session management while your team focuses on building unique brand interactions. This approach minimizes technical debt and allows for rapid deployment of secure authentication features across diverse platforms and applications.

How does Scalekit integrate with my existing user database?

Scalekit is designed to layer directly on top of your current identity setup, whether you use Firebase, Supabase, Postgres, or a custom database. There is no requirement for complex data migrations or schema changes. The system acts as a modular service that handles the passwordless lifecycle, including token generation and email delivery, while referencing your existing user records. This seamless integration allows engineering teams to upgrade their authentication stack in days rather than months, avoiding the risks and downtime typically associated with major architectural overhauls of identity management systems.

Does implementing passwordless auth require migrating stored user credentials?

No, implementing passwordless authentication through Scalekit does not require you to migrate any stored credentials or user data. Because the solution is headless and modular, it functions as a complementary layer to your existing architecture. You can continue using your current database for user profiles while Scalekit manages the magic link and OTP verification processes. This eliminates the need for high risk migration projects and allows your team to introduce secure, modern login methods without touching the core user data structure, ensuring a smooth transition for both developers and end users.

What security measures protect the headless passwordless login flow?

Security is integrated into the core of the passwordless module through several built in mechanisms. The system employs replay protection for magic links to ensure they cannot be reused maliciously. Additionally, automated rate limiting prevents abuse by restricting the number of authentication emails sent to a single user. Every session is protected by consistent signing across all modules, and developers can enable fresh credential rotation on every resend request. These secure defaults provide robust protection against common threats without requiring extensive manual configuration, making it an ideal choice for CISOs and security conscious engineering leads.

Can I add passkeys or MFA to this module?

Yes, the modular design of Scalekit allows you to expand your authentication capabilities as your requirements evolve. You can start with passwordless email links today and easily add passkey integration or Multi Factor Authentication, such as mobile OTP, at a later date. Since the APIs are built to be extensible, adding these features does not require a complete rewrite of your core authentication logic. This flexibility enables engineering managers to iterate toward a fully modern security stack at their own pace, ensuring the application remains future proof as new standards and user preferences emerge.

How does the system manage email delivery and resends?

Scalekit simplifies the complexities of email delivery by handling the entire lifecycle through a single centralized dashboard. The API includes a dedicated resend endpoint that handles expired links or mistyped codes gracefully. When a user requests a new email, the system can automatically issue fresh credentials with updated expiration details. This built in logic reduces the burden on your backend services and minimizes support tickets by providing a reliable self service recovery path for users. The entire process is optimized for high deliverability and includes rate limits to prevent spam and system abuse.

What steps are needed to verify a user session?

The verification process is streamlined into three secure API calls that handle the entire authentication lifecycle. First, you initiate the request by sending a passwordless email, which generates a scoped request identifier. Once the user interacts with the magic link or enters their code, your application makes a verification call to Scalekit. If successful, the system returns a signed session token that powers your application login flow. This server friendly approach ensures that you have a secure, verifiable identity without managing complex token lifecycles or underlying cryptography, allowing for a fast and reliable developer experience.

Is the architecture suitable for handling high traffic spikes?

Scalekit is built for production scale and can seamlessly handle significant traffic surges, such as those caused by marketing campaigns or newsletter driven login surges. The headless architecture ensures that authentication processing is decoupled from your main application logic, preventing bottlenecks during peak usage. By offloading token management and delivery to a specialized infrastructure layer, you ensure high availability and performance for your users. The system also maintains parity between staging and production environments, allowing engineering teams to test and deploy at scale with confidence, ensuring a consistent experience regardless of the user load.

How does modular auth benefit B2B application development?

For B2B applications, modular authentication provides the flexibility to meet diverse client security requirements without maintaining multiple custom codebases. Engineering teams can quickly toggle features like SSO, passwordless login, or MFA on a per customer basis using the same underlying infrastructure. This approach reduces the complexity of managing enterprise identity standards and accelerates time to market for new features. By using headless APIs, developers can integrate these enterprise grade security controls into their existing workflows, providing a seamless experience for corporate users while maintaining a clean and maintainable architecture that scales with the growth of the business.