[tomschlick]

Or just have your magic link include a "Confirm Login" button once it loads that sends a POST so automated clients don't cause issues.

[berkes]

... potentially enriched with JS that hides that button and does a POST for you on documentLoad or such.

That way, for a "normal human" it works like they expect, is technically correct, and doesn't trigger on backends fetching the resource. Unless they fetch the resource with some headless chrome or such. Which, unfortunately, is rather necessary these days.

[zinekeller]

> ... potentially enriched with JS that hides that button and does a POST for you on documentLoad or such.

Don't do this, most bots now actually load JavaScript.