Passwordless login looks wonderfully simple in a product demo. A user enters an email, a magic link arrives, and the session starts. In staging, though, that flow can get noisy fast when links land in shared inboxes, old aliases, or a tempail somebody forgot to clean up.

That is why I like treating passwordless auth as one end-to-end system. The JavaScript client, the Node.js backend, the email delivery step, and the final session assertion all need to pass together. If you skip the inbox part, you can still ship a flow that feels broken even when the API tests are green.

Why passwordless flows break in staging

The common mistake is assuming magic-link auth is lighter than signup, so the test plan can be lighter too. It usually cannot. Passwordless paths fail in a few very normal ways:

the backend sends two links after a retry