Hey quick question. I thought I read it somewhere, but in the passwordless recipe, do the one time tokens only work when used at the device that caused the email to be sent?

OTP, yes (since the originating device has device id and preauthsessionid stored in localstorage), magic link, no (since the link contains all the necessary information)

Interesting... Couldn't you local storage an extra token (in combination with the token that's in the link of course) and then validate both on the back-end?

what do you mean? Could you rephrase please?

Like as a thought exercise, trying to get magic links to be bound to the device that caused the sign-in. My solution would be to ask the back-end to send the email. Then have the back-end send an email and respond with an additonal token. The front-end could store this into local storage, so that when the link in the email is clicked, the front-end can send both the email and local storage tokens to the back-end to authenticate. Alternatively, maybe the back-end could set a cookie and also remember a redirect url. Then the email could open the url at the back-end server (which could be different from the website domain where the client lives). The back-end server can then check the email code and the cookie it set earlier to authenticate.

Exactly. That would just cause bad UX in many cases anyway. So no point.