Fix: magic-link tokens occasionally rejected on first click
Race condition in token storage caused some magic links to fail on the first attempt.
Affected routes
/portal Built on tools you trust
← swipe · 12 tools →
What broke
Some magic-link sign-ins were failing on the first click and only working on a manual page reload. The token was valid, but the session cookie wasn't being set in time.
Root cause
A race between the cookie write and the redirect — the redirect was firing before the Set-Cookie header committed in some edge runtimes.
Fix
Switched the redirect to a 303 with explicit Cache-Control: no-store, and moved the cookie write into a synchronous step before the redirect Response is returned.
Lessons
This is the kind of bug that only shows up when the system is under real (not test) load. Worth investing in load tests for the auth path.
See the full changelog
Or peek at what we’re building next on the roadmap.