Email Auto Login
This guide explains how the CMS’s email-based auto-login system works, and how you can implement it in your own frontend to personalize the user experience after email engagement.
Overview
When a customer clicks a tracked link in a newsletter or marketing email, the CMS does the following:
- Link validation: the CMS verifies the tracking link and authenticates the user.
- Token issuance: a token with scope=limited is issued.
- Redirection: the user is redirected to your website with two query parameters:
  - token: the limited-scope token
  - url: the final destination to redirect the user to
This enables an automatic soft login (no credentials are entered), so you can personalize the customer experience without granting access to secure areas such as account settings or payment pages.
Token Scope
The auto-login token has a restricted scope=limited, meaning:
- It does not grant full account access.
- It is long-lived, but its validity is not guaranteed beyond 200 days.
- It is used for identification and personalization only.
- Not all customer-related API calls are available. For now you can only issue a GET customer profile request, and the response excludes private information.
Implementation
Implementation is done in two parts:
1. Frontend
You need to build a public-facing endpoint that accepts the login token, sets a cookie, and redirects the user to the destination page.
We recommend using a Cloudflare Worker or similar edge function to minimize server load.
Example URL:
https://www.mydomain.com/email-link
Expected query parameters:
- token: the soft-login token issued by the CMS
- url: the destination URL the user should be taken to
Cloudflare Worker Logic
You can implement this behavior outside of your app logic with the example below. Create a new Cloudflare Worker and paste in the code; the only things you may need to change are the cookie name, Domain and Path attributes, and the destination check if the CMS links to hosts other than your own. The worker cannot verify the token itself (it is opaque to you); the CMS validates it when your site later calls the customer API with it.

```js
addEventListener('fetch', event => {
  event.respondWith(handleRequest(event.request))
})

async function handleRequest(request) {
  const url = new URL(request.url)
  const token = url.searchParams.get('token')
  const destination = url.searchParams.get('url')

  if (!token || !destination) {
    return new Response('Missing token or destination URL', { status: 400 })
  }

  // `url` is attacker-controllable query input: only redirect to your own origin,
  // otherwise this endpoint becomes an open redirector. Widen to an allow-list
  // if the CMS legitimately links to other hosts.
  let target
  try {
    target = new URL(destination, url.origin)
  } catch (e) {
    return new Response('Invalid destination URL', { status: 400 })
  }
  if (target.origin !== url.origin) {
    return new Response('Destination not allowed', { status: 400 })
  }

  // Already carrying a token cookie (e.g. a full-access one from a manual login):
  // do not overwrite it. Match the cookie name exactly, not any "*Token=".
  const cookies = request.headers.get('Cookie') || ''
  if (/(^|;\s*)Token=/.test(cookies)) {
    return Response.redirect(target.toString(), 302)
  }

  // Response.redirect() returns a Response with immutable headers in Workers,
  // so build the redirect by hand to attach Set-Cookie. Adjust Domain/Path as needed.
  return new Response(null, {
    status: 302,
    headers: {
      Location: target.toString(),
      'Set-Cookie': `Token=${token}; Path=/; Secure; HttpOnly; SameSite=Lax; Max-Age=2592000`
    }
  })
}
```

2. Backend
To enable auto-login, you must configure the CMS with the URL to which users are redirected together with their soft-login token.
Steps:
- Go to Administration > Revenue Configuration
- Locate the field: Auto-Login Redirect URL
- Insert your frontend login handler URL:
  https://www.mydomain.com/email-link

The CMS will append the query parameters like so:
https://www.mydomain.com/email-link?token=<token>&url=<final-url>

Notes:
- Tokens are tied to a single user and validated server-side before issuance.
- Tokens cannot be used for secure operations.
- If a user logs in manually, your site should replace the soft token with a full-access token/cookie.
- Certain API calls respond with HTTP 401 Unauthorized when called with a limited-scope token. In that case, present the user with a login form rather than treating it as an error.
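The following is an added example, not code from this page or from the CMS, showing the server-side half of the flow: read the soft-login cookie set by the worker, call the customer profile endpoint with it, and branch on the three outcomes a page handler has to handle (no cookie, profile returned, or 401 meaning a login form is needed). The CMS API base URL, the /customer/profile path and Bearer authentication are assumptions; take the real values from your CMS documentation. The CMS itself is replaced by a constructed stand-in so the code runs offline.

```javascript
// Added example, not code from the page or the CMS. ASSUMED (not documented on
// this page): the API base URL, the /customer/profile path and Bearer auth.
const CMS_API = 'https://cms.example.com/api'

// Parse a Cookie header into an object; tolerates '=' inside cookie values.
function parseCookies(header) {
  const out = {}
  for (const part of (header || '').split(';')) {
    const idx = part.indexOf('=')
    if (idx === -1) continue
    const name = part.slice(0, idx).trim()
    if (name) out[name] = part.slice(idx + 1).trim()
  }
  return out
}

// Resolve who the visitor is from the request's Cookie header.
//   { state: 'anonymous' }            no token cookie at all
//   { state: 'identified', profile }  CMS accepted the limited token
//   { state: 'login_required' }       CMS answered 401: show a login form
// `fetchImpl` is injectable so the function can be exercised offline.
async function resolveCustomer(cookieHeader, fetchImpl = fetch) {
  const token = parseCookies(cookieHeader).Token
  if (!token) return { state: 'anonymous' }
  const res = await fetchImpl(`${CMS_API}/customer/profile`, {
    headers: { Authorization: `Bearer ${token}` } // assumed auth scheme
  })
  if (res.status === 401) return { state: 'login_required' }
  if (!res.ok) throw new Error(`CMS responded with HTTP ${res.status}`)
  return { state: 'identified', profile: await res.json() }
}

// Constructed stand-in for the CMS so the example runs offline: one known
// limited token is accepted on the profile endpoint (private fields omitted,
// as the page describes); any other token, or any other endpoint, gets 401.
async function fakeCms(url, init) {
  const auth = (init && init.headers && init.headers.Authorization) || ''
  if (url.endsWith('/customer/profile') && auth === 'Bearer limited-token-123') {
    return { ok: true, status: 200, json: async () => ({ firstName: 'Ada', newsletter: true }) }
  }
  return { ok: false, status: 401, json: async () => ({ error: 'Unauthorized' }) }
}

// Demo: the three outcomes a page handler has to branch on, in order.
async function demo() {
  const results = [
    await resolveCustomer('', fakeCms),
    await resolveCustomer('Token=limited-token-123; theme=dark', fakeCms),
    await resolveCustomer('Token=expired-or-revoked', fakeCms)
  ]
  return results.map(r => r.state)
}
```

On a manual login, set the full-access cookie from your own session logic under the same name (or clear the soft token) so that `resolveCustomer` and the worker's "already logged in" check both see the stronger credential.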