by g_p 1459 days ago
Another good reason to avoid "passwordless" and magic links in email from https://news.ycombinator.com/item?id=31892299 is that some email clients or server stacks "click" on links, and perhaps even use their search crawlers to index sites they visit from the links.

That could result in private user content being indexed by the crawler if it's not configured correctly, or if it didn't realise this.

This also introduces another complication on figuring out whether the user clicked it twice, or whether one click was actually the email server provider doing some "scanning" by clicking all the private links in the email...

1 comment

HTTP GET is idempotent by the spec. If you log in by visiting a URL, it is not according to the HTTP spec. You should in any case have a button that says Login and does an HTTP POST.
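The pattern discussed in this thread, as an added example that is not part of either comment: the emailed link's GET only renders a Login button and the token is consumed on POST, so a mail scanner or crawler that "clicks" the link neither logs anyone in nor burns the link. The names `MagicLinkStore` and `handle`, the in-memory store and the `/login/<token>` path are assumptions made for illustration.

```python
import hashlib
import secrets
import time

NO_INDEX = {"X-Robots-Tag": "noindex", "Cache-Control": "no-store",
            "Referrer-Policy": "no-referrer"}

class MagicLinkStore:
    """In-memory store of single-use login tokens (constructed for this example)."""

    def __init__(self, ttl_seconds=600):
        self.ttl = ttl_seconds
        self._pending = {}  # sha256(token) -> (user, expiry timestamp)

    @staticmethod
    def _digest(token):
        # Store only a hash so a leaked store does not yield usable links.
        return hashlib.sha256(token.encode()).hexdigest()

    def issue(self, user, now=None):
        now = time.time() if now is None else now
        token = secrets.token_urlsafe(32)
        self._pending[self._digest(token)] = (user, now + self.ttl)
        return token

    def peek(self, token, now=None):
        """Validity check with no side effects; this is all a GET may do."""
        now = time.time() if now is None else now
        entry = self._pending.get(self._digest(token))
        return entry is not None and entry[1] > now

    def redeem(self, token, now=None):
        """Consume the token; only the POST handler calls this."""
        now = time.time() if now is None else now
        entry = self._pending.pop(self._digest(token), None)
        return entry[0] if entry and entry[1] > now else None

def handle(store, method, token):
    """Return (status, headers, body, logged_in_user) for /login/<token>."""
    if method == "GET":
        # A mail scanner or crawler that follows the link lands here: nothing changes.
        if not store.peek(token):
            return 410, NO_INDEX, "Link expired or already used", None
        return 200, NO_INDEX, '<form method="post"><button>Login</button></form>', None
    if method == "POST":
        user = store.redeem(token)
        if user is None:
            return 410, NO_INDEX, "Link expired or already used", None
        return 303, {**NO_INDEX, "Location": "/"}, "", user
    return 405, {"Allow": "GET, POST"}, "", None
```

The `X-Robots-Tag`, `Cache-Control` and `Referrer-Policy` headers address the indexing concern raised in the first comment by keeping the token URL out of search indexes, caches and outbound referrers.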