Why Magic Login Links in Bubble.io Can Be More Trouble Than They’re Worth
Magic Login Links were introduced in Bubble.io in 2021 as a way to streamline user authentication—eliminating passwords and email confirmations for faster access. However, after testing them extensively for our AI-powered learning academy, I encountered several frustrating bugs that made them more trouble than they’re worth.
The Problem with Outlook and Safe Links
One of the biggest issues with Magic Links is how they interact with Microsoft Outlook’s Safe Links feature. This security measure scans email links before the recipient opens them, essentially clicking the Magic Link before the user sees it. The result?
- The link expires before the user can use it, rendering it useless.
- The user is forced to request another login link, leading to frustration.
- For corporate email users, Magic Links may never work properly at all.
Other platforms, like Ghost (a blogging CMS), have identified and resolved this issue. However, despite multiple reports from Bubble users, the bug remains unresolved.
Unexpected Domain Issues with Backend API Triggers
Another major problem arises when triggering a Magic Link through a backend workflow without authentication:
- The Magic Link email replaces the custom domain with Bubble’s temporary domain (e.g., yourapp.bubbleapps.io instead of yourapp.com).
- Users clicking the link may be redirected to the wrong version of the app.
- The workaround—manually replacing the incorrect domain—is inefficient and error-prone.
Why I Switched Back to Password Authentication
Originally, I chose Magic Links to simplify authentication, but these bugs forced me to rethink the approach. Switching back to a traditional email/password login with email confirmation ultimately proved more reliable.
While Magic Links may still work well for small apps without corporate users, I wouldn’t recommend them for:
- Apps targeting business users who rely on Microsoft Exchange or Outlook.
- Scenarios where external API triggers send login links.
- Any app requiring high-reliability authentication.
Looking Ahead: Will Bubble Fix Magic Links?
Bubble has yet to address these long-standing Magic Link issues, despite multiple forum reports. A simple fix—excluding Outlook bot clicks from expiring login links—could make a huge difference.
Until then, developers should weigh the risks carefully and consider using password authentication or passkeys for a more stable login experience.