Magic Link Already Used
magic_link_already_used401
This magic link was already consumed. Each link is single-use — request a fresh one.
What this means
The magic link token in the request was valid and we recognize it, but it was already used to complete a sign-in. Magic links are one-time tokens by design: once consumed, they can't be reused. The first sign-in succeeded; subsequent attempts with the same link get this error.
When you'll see this
- The user clicked the magic link, was signed in, then clicked the same link again (e.g. from another device or another browser).
- A user clicked the link in their email, then later clicked the same link from a bookmark or browser history.
- An email security scanner prefetched the link, consumed it, then the user clicked it after the prefetch.
- A user has multiple devices open and the magic link was consumed on one before they clicked from another.
Learn more about how this works
Single-use is fundamental to magic-link security. If a link could be replayed, anyone with access to the email (intentionally or via a leak) could sign in indefinitely. By making each link one-shot, we reduce the credential lifetime to a single click.
In practice: this error usually means the user is already signed in elsewhere or just signed in moments ago. The fix is rarely "click the link again"; it's "request a fresh link" or "use your active session."
Example response
{
"success": false,
"error": "magic_link_already_used",
"message": "This magic link has already been used.",
"details": [],
"retry_after": null,
"doc_url": "https://docs.asterwise.com/reference/errors/magic_link_already_used",
"request_id": "req_01HXYZABCDEFGH",
"timestamp": "2026-05-25T12:34:56Z"
}
- If you're already signed in on another device or browser tab, use that session — you don't need a fresh link.
- If you need to sign in fresh, go to asterwise.com/signin and request a new magic link.
- If a security scanner is consuming links before you see them, ask your IT team to allowlist Asterwise's magic-link URLs.
UI-layer handling, same shape as magic_link_not_found.
Python:
Production handler
- Python
- TypeScript
import httpx
def verify_magic_link(token, base_url, headers):
response = httpx.post(
f"{base_url}/v1/auth/verify",
headers=headers,
json={"token": token},
timeout=10,
)
if response.status_code == 401:
body = response.json()
if body.get("error") == "magic_link_already_used":
return {
"ok": False,
"user_message": (
"This sign-in link was already used. "
"If you're already signed in elsewhere, use that session. "
"Otherwise, request a fresh link."
),
}
response.raise_for_status()
return {"ok": True, "data": response.json()}
async function verifyMagicLink(
token: string,
baseUrl: string,
headers: HeadersInit,
) {
const response = await fetch(`${baseUrl}/v1/auth/verify`, {
method: "POST",
headers,
body: JSON.stringify({ token }),
});
if (response.status === 401) {
const body = await response.json();
if (body.error === "magic_link_already_used") {
return {
ok: false,
userMessage:
"This sign-in link was already used. " +
"If you're already signed in elsewhere, use that session. " +
"Otherwise, request a fresh link.",
};
}
}
if (!response.ok) throw new Error(`HTTP ${response.status}`);
return { ok: true, data: await response.json() };
}
Avoid this error by
- After successful sign-in, redirect the user to the dashboard immediately so they don't have time to re-click the link.
- Don't store magic-link URLs in browser history that the user can re-trigger. Use the URL once and discard.
- For org email environments with link-prefetching, request allowlisting so scanners don't consume links before users see them.
- Communicate the single-use semantic in your sign-in UI ("This link can only be used once") so users aren't confused on repeat attempts.