# Passwordless login

> Learn how to implement passwordless authentication flows using Authsignal actions.

Actions can be used to implement passwordless authentication, where Authsignal serves as the primary authentication method instead of traditional passwords. This approach eliminates password-related security risks while providing a smooth user experience.

## Passwordless login flow

In a passwordless flow, you track an action to initiate the authentication challenge directly, without validating a password first:

```mermaid theme={null}
sequenceDiagram
    participant F as Your frontend
    participant B as Your backend
    participant A as Authsignal
    F->>B: User identifier (e.g. email or username)
    Note over B: Lookup user in your DB or IdP
    B->>A: Track action
    A->>B: Pre-built UI URL
    B->>F: Pre-built UI URL
    Note left of F: User completes authentication<br />via Authsignal pre-built UI
    F->>B: Check result
    B->>A: Validate challenge
    A->>B: Challenge result
    Note over B: Create login session
```

### Implementation

1. **Look up the user** by their identifier (email, username) in your database or external identity provider
2. **Track the authentication action** for the identified user:

<CodeGroup>
  ```ts Node.js theme={null}
  const request = {
    userId: "dc58c6dc-a1fd-4a4f-8e2f-846636dd4833",
    action: "signIn",
    attributes: {
      redirectUrl: "https://yourapp.com/callback",
    },
  };

  const response = await authsignal.track(request);

  const url = response.url;
  ```

  ```csharp C# theme={null}
  var request = new TrackRequest(
      UserId: user.Id,
      Action: "signIn",
      Attributes: new TrackAttributes(
          RedirectUrl: "https://yourapp.com/callback"
      )
  );

  var response = await authsignal.Track(request);

  var url = response.Url;
  ```

  ```java Java theme={null}
  TrackRequest request = new TrackRequest();
  request.userId = "dc58c6dc-a1fd-4a4f-8e2f-846636dd4833";
  request.action = "signIn";
  request.attributes = new TrackAttributes();
  request.attributes.redirectUrl = "https://yourapp.com/callback";

  TrackResponse response = authsignal.track(request).get();

  String url = response.url;
  ```

  ```ruby Ruby theme={null}
  response = Authsignal.track({
    user_id: "dc58c6dc-a1fd-4a4f-8e2f-846636dd4833",
    action: "signIn",
    attributes: {
      redirect_url: "https://yourapp.com/callback",
    }
  })

  url = response[:url]
  ```

  ```python Python theme={null}
  response = authsignal.track(
      user_id="dc58c6dc-a1fd-4a4f-8e2f-846636dd4833",
      action="signIn",
      attributes={
          "redirectUrl": "https://yourapp.com/callback"
      }
  )

  url = response["url"]
  ```

  ```php PHP theme={null}
  $response = Authsignal::track([
      'userId' => "dc58c6dc-a1fd-4a4f-8e2f-846636dd4833",
      'action' => "signIn",
      'attributes' => [
          'redirectUrl' => "https://yourapp.com/callback"
      ]
  ]);

  $url = $response["url"];
  ```

  ```go Go theme={null}
  response, err := client.Track(
      TrackRequest{
          UserId: "dc58c6dc-a1fd-4a4f-8e2f-846636dd4833",
          Action: "signIn",
          Attributes: &TrackAttributes{
              RedirectUrl: "https://yourapp.com/callback",
          },
      },
  )

  if err != nil {
      // Track failed: stop here and do not continue the login.
      return err
  }

  url := response.Url
  ```
</CodeGroup>

3. **Handle the response** based on the action state:
   * If `CHALLENGE_REQUIRED`: Present the authentication challenge
   * If `ALLOW`: Complete the login (user may have been auto-authenticated)
   * If `BLOCK`: Deny access
   * If `REVIEW`: Review the challenge

4. **Follow the standard integration steps** covered in [actions getting started](/actions-rules/actions/getting-started#2-challenging-the-user) to launch the challenge URL and validate the result
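
The state handling from step 3, as an added example (not Authsignal's own code): it fails closed on any state it does not recognise and issues no session for `CHALLENGE_REQUIRED` before the challenge is validated. It assumes the track response exposes `state` and `url` fields; `nextStep`, `startPasswordlessLogin` and `stubClient` are hypothetical names, and treating `REVIEW` as "hold, no session" is an assumption.

```javascript
// Added example. Assumptions: the track response exposes `state` and `url`;
// nextStep, startPasswordlessLogin and stubClient are hypothetical names.

// Map a track response to what the backend does next. Only ALLOW yields a
// session here; CHALLENGE_REQUIRED yields one later, after validation.
function nextStep(response) {
  const state = response && response.state;
  switch (state) {
    case "CHALLENGE_REQUIRED":
      // Refuse to hand the frontend anything that is not an https URL.
      if (typeof response.url !== "string" || !response.url.startsWith("https://")) {
        return { outcome: "deny", reason: "missing_challenge_url" };
      }
      return { outcome: "challenge", url: response.url };
    case "ALLOW":
      return { outcome: "login" };
    case "BLOCK":
      return { outcome: "deny", reason: "blocked" };
    case "REVIEW":
      // Assumption: hold the attempt for review and issue no session.
      return { outcome: "hold", reason: "review" };
    default:
      // Unknown, missing or misspelled state: fail closed.
      return { outcome: "deny", reason: "unexpected_state" };
  }
}

async function startPasswordlessLogin(authsignal, user) {
  // Step 1 found no user: deny without calling track.
  if (!user) return { outcome: "deny", reason: "unknown_user" };
  try {
    const response = await authsignal.track({
      userId: user.id,
      action: "signIn",
      attributes: { redirectUrl: "https://yourapp.com/callback" },
    });
    return nextStep(response);
  } catch (err) {
    // A failed track call must never fall through to a session.
    return { outcome: "deny", reason: "track_failed" };
  }
}

// Constructed stub standing in for the SDK client so the example runs offline.
const stubClient = (response) => ({ track: async () => response });
```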

## Combining passwordless with rules

You can combine rules with actions to create passwordless flows:

### Progressive authentication

* **Low risk**: Email magic link
* **Medium risk**: Email OTP or SMS
* **High risk**: Passkey authentication

### Context-aware authentication

* **Known devices**: Auto-allow or simple OTP
* **New devices**: Require passkey or stronger authentication
* **Suspicious activity**: Block or require multiple factors
