From dfe8bc6d5367202bf3dffd39a8947fa1f9d9670d Mon Sep 17 00:00:00 2001
From: Damodar Lohani <dlohani48@gmail.com>
Date: Tue, 31 Aug 2021 13:11:36 +0545
Subject: [PATCH] docs for magic urls

---
 docs/references/account/create-magic-url-session.md | 1 +
 docs/references/account/update-magic-url-session.md | 3 +++
 2 files changed, 4 insertions(+)
 create mode 100644 docs/references/account/create-magic-url-session.md
 create mode 100644 docs/references/account/update-magic-url-session.md

diff --git a/docs/references/account/create-magic-url-session.md b/docs/references/account/create-magic-url-session.md
new file mode 100644
index 000000000..83b1534c7
--- /dev/null
+++ b/docs/references/account/create-magic-url-session.md
@@ -0,0 +1 @@
+Sends the user an email with a secret key for login. When the user clicks the link he is redirected back to the URL you provided with the secret key and userId values attached to the URL query string. Use the query string params to submit a request to the [PUT /account/sessions/magic-url](/docs/client/account#accountUpdateMagicURLSession) endpoint to complete the login process. The login link sent to the user's email address is valid for 1 hour. If you are on mobile devices you can leave the URL parameter empty, so that the login completion will be handled by your Appwrite instance by default.
\ No newline at end of file
diff --git a/docs/references/account/update-magic-url-session.md b/docs/references/account/update-magic-url-session.md
new file mode 100644
index 000000000..5bf610d86
--- /dev/null
+++ b/docs/references/account/update-magic-url-session.md
@@ -0,0 +1,3 @@
+Use this endpoint to complete session creation with magic URL. Both the **userId** and **secret** arguments will be passed as query parameters to the redirect URL you have provided when sending your request to the [POST /account/sessions/magic-url](/docs/client/account#accountCreateMagicURLSession) endpoint.
+
+Please note that in order to avoid a [Redirect Attack](https://github.com/OWASP/CheatSheetSeries/blob/master/cheatsheets/Unvalidated_Redirects_and_Forwards_Cheat_Sheet.md) the only valid redirect URLs are the ones from domains you have set when adding your platforms in the console interface.
\ No newline at end of file