Help / Workflows / Investor / Magic Link Access

Magic Link Access Workflow

Approved investors receive a one-time magic link via email for secure, passwordless access to the investor portal. The link contains a cryptographic token that is validated server-side before granting a session.

Email Received Click Magic Link Token Validated Valid? Session Created JWT ISSUED Expired / Invalid PORTAL Yes No MAGIC LINK LIFECYCLE Generated Emailed Clicked Validated Session Active Expired

Step-by-Step Guide

  1. Email Received

    After an admin approves the investor registration, the system generates a one-time magic link and sends it to the investor's verified email address. The email contains the secure link and an expiration notice (typically 24 hours).

  2. Click Magic Link

    The investor clicks the magic link in their email client. The browser navigates to the TubeRaker authentication endpoint with the cryptographic token embedded in the URL query string.

  3. Token Validated

    The server extracts the token and validates it against the database: checks the token exists, has not been previously used, has not expired, and maps to an approved investor record.

  4. Valid? -- Decision Point

    If the token passes all validation checks, the flow proceeds to session creation. If the token is expired, already used, or does not match any record, the investor sees an error page with instructions to request a new link.

  5. Session Created / Expired-Invalid

    On success, the server issues a JWT (JSON Web Token) encoding the investor's identity and access tier, then sets it as an HTTP-only cookie. On failure, the token is marked invalid and the investor is directed to contact the admin for a fresh link.

  6. Portal Access Granted

    With a valid session, the investor is redirected to the investor portal where they can access tier-gated content: pitch decks, business plans, financial projections, and other investor-only materials.