Behind the build: Building passwordless auth for developers

Founding Engineer

No items found.

A couple of months ago, we started rethinking authentication from the ground up.

What if auth could be secure, modern, and developer-friendly, freeing you from boilerplate code, heavy migrations, or disruptive architectural changes?

That question led us to headless, modular authentication, and to headless passwordless as one of its cleanest, most intuitive building blocks.

Why we built a passwordless module

Most teams hold on to traditional auth longer than they want to. Not because they think auth methods like passwords are perfect, but because overhauling an existing auth stack to make timely upgrades feels like open-heart surgery.

Switching to modern methods like passwordless or passkeys usually means multi-month projects, cross-team coordination, and significant risk. Too often, those projects stall because the cost in developer hours, migrations, and downtime is simply too high.

That is why we built our passwordless auth module to be headless and modular to give teams a timely upgrade when they want one.

Headless means you keep your UI and flows as they are while Scalekit handles login methods like Magic links or Email OTP behind the scenes.
Modular means you can add just what you need — start with passwordless today, and add passkeys or MFA later, without touching your core user architecture.

It gives teams a flexible head start. You can ship a secure, modern auth method in days instead of months, then iterate toward a fully modern stack at your own pace.

Three APIs. That’s it.

Scalekit integrates seamlessly with your existing identity setup — no migrations required. Whether your user data lives in Firebase, Supabase, Postgres, or a custom database, Scalekit simply adds a passwordless layer on top. It takes care of token lifecycles, email delivery, OTP fallbacks, and abuse prevention, all managed from a single, centralized dashboard. In practice, the entire flow boils down to just three secure, server-friendly API calls.Step 1: Send the first passwordless email.

Step 1: Send the first passwordless email

Our first prototype was dead simple:

Collect an email → send a magic link → verify → done.

curl -L '/api/v1/passwordless/email/send' \ -H 'Content-Type: application/json' \ -H 'Authorization: Bearer ' \ --data-raw '{ "email": "dev@example.com", "expires_in": 300, "state": "build-2025", "template": "SIGNIN", "magiclink_auth_uri": "https://yourapp.com/passwordless/verify" }'

‍

The response gives you a scoped auth_request_id, ready for verification.

No migrations. No refactoring. No drama.

Step 2: Verify the user

Once the user clicks their magic link or enters their code, you verify with one call:

curl -L '/api/v1/passwordless/email/verify' \ -H 'Content-Type: application/json' \ -H 'Authorization: Bearer ' \ --data-raw '{ "auth_request_id": "auth_1a2b3c", "code": "123456" }'

Step 3. Handling resends gracefully

Not every user nails it on the first try — emails get buried, links expire, codes get mistyped. That’s why we built a simple resend flow right into the API.

With one call, you can issue a fresh verification email — either with a new one-time code, a new magic link, or both (if you’ve enabled that option in your dashboard):

curl -L '/api/v1/passwordless/email/resend' \ -H 'Content-Type: application/json' \ -H 'Authorization: Bearer ' \ --data-raw '{ "auth_request_id": "auth_1a2b3c" }'

‍‍The response mirrors the original send, with updated expiration details and passwordless type.

Good to know:

Fresh credentials on resend: Enable this in the dashboard to rotate codes and links each time for extra security.
Rate limits: Max 2 emails per minute per user to prevent abuse.

This small addition made a huge difference in production — reducing support tickets and improving the overall login experience without adding complexity to the flow.

A few hundred milliseconds later, you have a signed session token, ready to power your app’s login flow.

Drag-and-drop, no refactor required

Because Scalekit is headless, adding passwordless feels like dropping in a new widget:

No breaking changes for existing users
No rewriting your front-end or API layer
No migrating stored credentials

Your users see a slick, modern login. You keep the same clean session API you already know.

Security from the start

We baked in security from day one:

Replay protection for magic links
Rate limits to prevent abuse
Session signing consistent across all modules

Secure defaults, without extra configuration.

Scaling in production

When we rolled passwordless into our own dashboard and internal tools, we saw:

Traffic spikes handled seamlessly during newsletter-driven login surges
Staging and production parity that made testing painless
Developer adoption across teams because setup took hours, not weeks

Headless, modular architecture made it easy to scale quickly without touching unrelated parts of the system.

What’s next

We are already building:

Passkey integration with the same modular APIs
MFA support with methods like mobile OTP
Improved observability for usage tracking and debugging

Passwordless is just the start. We are building toward auth as infrastructure — modular, flexible, and built to grow with your app.

On this page

Toc link here

Share this article