Magic Links & Access
How borrower magic links work, how long they last, and how to resend them.
BorrowerDocs uses magic links to give borrowers access to their portal — no account, no password, no app. A magic link is a secure URL that authenticates the borrower automatically when clicked.
How magic links work
When you send a portal invitation, BorrowerDocs generates a signed JWT token and embeds it in the link. When your borrower clicks it, the token is verified and a session is created in their browser. The token contains:
- Which loan file they're accessing
- Which contact (borrower or co-borrower) they are
- When the token expires
All of this happens invisibly. From the borrower's perspective, they just click a link and they're in.
Link expiry
Magic links expire 7 days after they're sent. If a borrower clicks an expired link, they see an error page:
"Your session has expired or the link is no longer valid. Please contact your broker to get a new link."
To give them access again, resend a fresh link from the loan file (see below).
Session duration
Once a borrower has clicked their link and accessed the portal, their session is stored as a browser cookie that lasts 30 days. During this window:
- They can return to the portal without needing a new link
- Closing and reopening their browser doesn't sign them out
- Switching between devices does require a new link (sessions are device-specific)
After 30 days of inactivity, the session expires and they'll need a new link to get back in.
Resending a link
To send a fresh magic link:
- Open the loan file
- Click Send Portal Link
- Select the recipient (borrower or co-borrower)
- Click Send
A new link is generated and emailed immediately. The old link (if it hasn't expired yet) continues to work — sending a new link doesn't invalidate the previous one.
Error pages
If something goes wrong with a link, borrowers see a specific error message:
| Situation | Error shown |
|---|---|
| Link is older than 7 days | "Your session has expired or the link is no longer valid." |
| Link was tampered with | "This link is invalid or has already been used." |
| Link is missing the token | "No access token was provided in this link." |
| File has been closed | "This loan file is no longer active." |
All error pages end with: "Please contact your broker to get a new link."
Security
Magic links are signed using a private secret key — they cannot be guessed or forged. Each link is scoped to a specific contact and loan file, so a borrower's link cannot be used to access a different file.
The links do not expire on use (unlike one-time-use links), which means a borrower can click the same link multiple times within the 7-day window. After first use, the 30-day session cookie takes over for return visits.
Co-borrower access
Each borrower and co-borrower gets their own link. The links provide access to the same portal view — both borrowers see the same checklist and shared chat threads. There is no separate portal per borrower; the portal is per loan file.
Closed files
When you close a loan file, the borrower's portal session is revoked. Any attempt to access the portal after closing shows:
"This loan file is no longer active."
Next steps
- How the Portal Works — full walkthrough of the borrower experience
- Inviting Your First Borrower — sending the initial link
Ready to get started?
Try using BorrowerDocs to send a borrower portal, collect secure uploads, and track document status in one place.
Start for Free