SuperTokens is an open source authentication solution offering features like: Different types of login: Email / password, Passwordless (OTP or Magic link based).

SuperTokens.com

Hi there! This is not really an issue but I would like to understand if this is a known issue and if you already have an idea to work this out:

Our current authentication method is password with magic link. The applications using it are both Web and mobile. 
For mobile, I replace the magic link with an URI with the app protocol (app://verify), the issue is faced on Gmail. Gmail seems to block these types of URLs, Gmail buttons would only work if they are http/https.

What I'm planning to do then:
I expose an API endpoint taking as input the crypted URI, so the user when clicks the email gets redirect to this GET endpoint that redirect the user to there custom protocol URI.

I don't like this though, I don't love the user being redirect on the Web browser. 

Do you have any idea for this?

The solution you came up with is a good one. Most companies follow the same solution.

<@498057949541826571> I made this. I have a question for you though.
I obviously can't redirect users to a link containing a fragment (linkCode).
Hence I reformatted the link inserting the `linkCode` as a simple parameter.
Would you consider this less secure?

<@282621610073128962> for web, it would be less secure, but for mobile, its not a problem.