Ctrlk
Changelog NotificationsAPIAikido login

Handling Email Verification & Magic Links

Aikido provides a hosted email inbox to allow the AI Pentest agent to navigate authentication flows that require email interaction.

Use this feature if your application requires:

  • Magic Links: Passwordless login via email links.

  • Email MFA: Two-factor authentication where a code is sent to the inbox.

  • Account Verification: New users must verify their email before logging in.

If your app uses authenticator apps, use TOTP setup.

If your app uses SMS codes, use SMS Verification.

How it works

You generate a unique @auto-pentest.com email address within Aikido. This address acts as a bridge:

  1. You use it to create and verify a valid user account in your application.

  2. The Agent monitors this inbox during scans to retrieve login codes or click magic links in real-time.

Setup Guide

1

Let Aikido create the Email Address

In the Authentication Set modal:

  1. Scroll to the Email Inbox section.

  2. Click + Generate Email Address.

  3. Copy the address (e.g., [email protected]).

2

Create the Test User in your application

Go to your application and sign up a new user using the address you just created.

3

Verify the Account (if required)

If your app sends a "Confirm your email" link upon signup:

  1. Return to the Aikido modal.

  2. Click the Open Inbox icon (or click the email address itself).

  3. You will see the confirmation email from your app.

  4. Open it and click the confirmation link/button to activate the user.

4

Update Login Logic in Aikido

You must explicitly tell the agent to check this inbox in the Login Logic text area.

Example Instruction for Magic Links:

1. Navigate to https://app.example.com/login
2. Enter email: [insert the created email here]
3. Click "Send Magic Link"
4. Check the inbox for the login email and click the link inside.

Example Instruction for Email MFA:

1. Navigate to https://app.example.com/login
2. Enter username and password.
3. When prompted for the code, check the inbox.
4. Extract the 6-digit code from the latest email.
5. Enter the code into the verification field and submit.
5

Test the Configuration

Finally, verify that the agent can interpret your instructions:

  1. Click Save & Test.

  2. The agent will launch a browser session and attempt to log in using the credentials and inbox instructions.

  3. If successful, you will see a confirmation that the agent authenticated and reached the post-login state.

Last updated

Was this helpful?