exposedev · mpociot · Jan 23, 2026 · Jan 23, 2026 · Jan 23, 2026 · Jan 23, 2026
diff --git a/app/Client.php b/app/Client.php
@@ -147,11 +147,18 @@ public function connectToServer(string $sharedUrl, $subdomain, $serverHost = nul
 
                     $this->closingMessage = $data->closing_message ?? null;
 
-                    $this->logger->renderConnectionTable([
+                    $connectionInfo = [
                         "Shared site" => $sharedUrl,
                         "Dashboard" => "http://127.0.0.1:".config()->get('expose.dashboard_port'),
                         "Public URL" => "https://{$data->subdomain}.{$host}",
-                    ]);
+                    ];
+
+                    if ($this->configuration->magicAuth() !== null) {
+                        $patterns = $this->configuration->getAllowedMagicAuthPatterns();
+                        $connectionInfo["Magic Auth"] = empty($patterns) ? "Enabled (any email)" : "Enabled (" . implode(', ', $patterns) . ")";
+                    }
+
+                    $this->logger->renderConnectionTable($connectionInfo);
                     $this->logger->line('');
 
                     static::$subdomains[] = "{$httpProtocol}://{$data->subdomain}.{$host}";

diff --git a/app/Commands/ShareCommand.php b/app/Commands/ShareCommand.php
@@ -27,7 +27,7 @@ class ShareCommand extends ServerAwareCommand
     use SharesViteServer;
     use TriggersLogin;
 
-    protected $signature = 'share {host} {--subdomain=} {--auth=} {--basicAuth=} {--dns=} {--domain=} {--prevent-cors} {--no-vite-detection} {--qr} {--qr-code}';
+    protected $signature = 'share {host} {--subdomain=} {--auth=} {--basicAuth=} {--magic-auth=} {--dns=} {--domain=} {--prevent-cors} {--no-vite-detection} {--qr} {--qr-code}';
 
     protected $description = 'Share a local url with a remote expose server';
 
@@ -50,6 +50,11 @@ public function handle()
 
         info("Using basic auth: ". $this->option('basicAuth'), options: OutputInterface::VERBOSITY_VERBOSE);
 
+        if ($this->getMagicAuthValue() !== null) {
+            $magicAuthPatterns = $this->getMagicAuthValue() ?: 'any email';
+            info("Using magic auth: ". $magicAuthPatterns, options: OutputInterface::VERBOSITY_VERBOSE);
+        }
+
         if (strstr($this->argument('host'), 'host.docker.internal')) {
             config(['expose.dns' => true]);
         }
@@ -108,6 +113,7 @@ public function handle()
             ->setPort($this->getServerPort())
             ->setAuth($auth)
             ->setBasicAuth($this->option('basicAuth'))
+            ->setMagicAuth($this->getMagicAuthValue())
             ->setPreventCORS($this->option('prevent-cors'))
             ->createClient()
             ->share(
@@ -188,4 +194,13 @@ protected function isWindows(): bool
 
         return $this->isWindows;
     }
+
+    protected function getMagicAuthValue(): ?string
+    {
+        if (!$this->input->hasParameterOption('--magic-auth')) {
+            return null;
+        }
+
+        return $this->option('magic-auth') ?? '';
+    }
 }
diff --git a/app/Commands/ShareCurrentWorkingDirectoryCommand.php b/app/Commands/ShareCurrentWorkingDirectoryCommand.php
@@ -15,7 +15,7 @@ class ShareCurrentWorkingDirectoryCommand extends ShareCommand
     use SharesViteServer;
     use DetectsLocalDevelopmentSites;
 
-    protected $signature = 'share-cwd {host?} {--subdomain=} {--auth=} {--basicAuth=} {--dns=} {--domain=} {--prevent-cors} {--no-vite-detection} {--qr} {--qr-code}';
+    protected $signature = 'share-cwd {host?} {--subdomain=} {--auth=} {--basicAuth=} {--magic-auth=} {--dns=} {--domain=} {--prevent-cors} {--no-vite-detection} {--qr} {--qr-code}';
 
     public function handle()
     {

diff --git a/app/Configuration.php b/app/Configuration.php
@@ -2,6 +2,8 @@
 
 namespace Expose\Client;
 
+use Illuminate\Support\Str;
+
 class Configuration
 {
     /** @var string */
@@ -19,13 +21,16 @@ class Configuration
     /** @var string|null */
     protected $basicAuth;
 
+    /** @var string|null */
+    protected $magicAuth;
+
     /** @var bool */
     protected $isSecureSharedUrl = false;
 
     /** @var bool */
     protected $preventCORS = false;
 
-    public function __construct(string $host, int $port, ?string $auth = null, ?string $basicAuth = null, bool $preventCORS = false)
+    public function __construct(string $host, int $port, ?string $auth = null, ?string $basicAuth = null, bool $preventCORS = false, ?string $magicAuth = null)
     {
         $this->serverHost = $this->host = $host;
 
@@ -35,7 +40,13 @@ public function __construct(string $host, int $port, ?string $auth = null, ?stri
 
         $this->basicAuth = $basicAuth;
 
+        $this->magicAuth = $magicAuth;
+
         $this->preventCORS = $preventCORS;
+
+        if ($this->magicAuth !== null) {
+            config(['expose.magic-auth-secret-key' => Str::random(32)]);
+        }
     }
 
     public function host(): string
@@ -63,6 +74,20 @@ public function basicAuth(): ?string
         return $this->basicAuth;
     }
 
+    public function magicAuth(): ?string
+    {
+        return $this->magicAuth;
+    }
+
+    public function getAllowedMagicAuthPatterns(): array
+    {
+        if (is_null($this->magicAuth) || $this->magicAuth === '') {
+            return [];
+        }
+
+        return array_filter(array_map('trim', explode(',', $this->magicAuth)));
+    }
+
     public function preventCORS(): bool
     {
         return $this->preventCORS;

diff --git a/app/Factory.php b/app/Factory.php
@@ -40,6 +40,9 @@ class Factory
     /** @var string */
     protected $basicAuth;
 
+    /** @var string|null */
+    protected $magicAuth;
+
     /** @var bool */
     protected $preventCORS = false;
 
@@ -86,6 +89,13 @@ public function setBasicAuth(?string $basicAuth)
         return $this;
     }
 
+    public function setMagicAuth(?string $magicAuth)
+    {
+        $this->magicAuth = $magicAuth;
+
+        return $this;
+    }
+
     public function setPreventCORS(bool $preventCORS)
     {
         $this->preventCORS = $preventCORS;
@@ -103,7 +113,7 @@ public function setLoop(LoopInterface $loop)
     protected function bindConfiguration()
     {
         app()->singleton(Configuration::class, function ($app) {
-            return new Configuration($this->host, $this->port, $this->auth, $this->basicAuth, $this->preventCORS);
+            return new Configuration($this->host, $this->port, $this->auth, $this->basicAuth, $this->preventCORS, $this->magicAuth);
         });
     }
 

diff --git a/app/Http/HttpClient.php b/app/Http/HttpClient.php
@@ -4,6 +4,7 @@
 
 use Expose\Client\Configuration;
 use Expose\Client\Http\Modifiers\CheckBasicAuthentication;
+use Expose\Client\Http\Modifiers\CheckMagicAuthentication;
 use Expose\Client\Logger\RequestLogger;
 use GuzzleHttp\Psr7\Message;
 use Laminas\Http\Request;
@@ -32,7 +33,9 @@ class HttpClient
     /** @var array */
     protected $modifiers = [
         CheckBasicAuthentication::class,
+        CheckMagicAuthentication::class,
     ];
+
     /** @var Configuration */
     protected $configuration;