auth.token_used
The magic-link token has already been consumed and cannot be used a second time.
auth.token_used is returned when the magic-link token has already been redeemed. Magic-link tokens are single-use: once consumed to establish a session they are invalidated immediately to prevent replay attacks.
The user clicked the magic-link a second time after already signing in, or an intermediate proxy or email client pre-fetched the URL before the user clicked it.
Request a new magic-link. If pre-fetching by email clients is a recurring issue, consider adding a confirmation step before consuming the token.
{
"error": {
"code": "auth.token_used",
"message": "magic-link token already used",
"request_id": "req_01900000abc"
}
}