Magic-link auth

TTL on the token (we use 10 min). Single-use marker in DB. Token MUST include a code-challenge if part of an OAuth flow. SMTP sender reputation matters — use DKIM + SPF + a clean +tag policy. Brevo + Resend are popular providers.