
How it goes
- Your app redirects the user to `/authorize`. Agentcard shows the hosted screen with your app’s name and an email field.
- The user enters their email and gets a magic link, valid for 15 minutes. The screen tells them to check their inbox.
- They click the link and land on the consent screen — in whichever tab or browser the link opens.
- They hit Authorize, and Agentcard redirects that tab to your `redirect_uri` with the authorization `code`. From here it’s the normal token exchange.
Good to know
- New users are created on the spot. Entering an email that has no Agentcard account yet creates one — users don’t need to sign up before connecting to your app.
- The callback can arrive from a different tab than the one that started the flow (the magic link opens wherever the user’s email client is). Keep your PKCE `code_verifier` and `state` recoverable server-side rather than in tab-local state.
- Expired link? The user just restarts from your Connect button — a fresh redirect to `/authorize` sends a fresh link.
- Consent is explicit. The authorization code is only minted after the user clicks Authorize on the consent screen — verifying the email alone grants nothing.