This is a contributors' guide and NOT a user guide. Please visit these docs if you are using or evaluating SuperTokens.
This is only a proposal so far: it has not been accepted and needs further discussion.
We've decided that the passwordless sign in/up screen must show the user's contact information (the email or phone number the code was sent to) when the link is opened on a different device/browser than the one that started the sign in process. We need to decide where that information comes from and how it is validated.
- Fetched from API by preAuthSessionId
- Embedded in the link - validated during consume
- Embedded in the link - validated in the FE
Our choice: Embedded in the link - validated during link consume
We could also force the FE to fetch this information (by changing the flow of link consumes), but that still doesn't ensure the information is actually used for validation or shown to the user.
With the chosen option we embed the contact info in the link, which lets the FE render the sign in screen immediately, while the consume call itself can be delayed (on the FE) until the validation info has been fetched. Because the embedded value is checked against the stored value during consume, a link whose contact info has been altered is rejected instead of silently showing the wrong identity to the user.