Magic-link sign-in
Folio uses magic-link authentication — no password to leak or phish. Sign-in requests a single-use link valid for fifteen minutes, scoped to the address you typed. At-rest data is encrypted in Amazon S3 and DynamoDB; in-transit traffic is TLS-only (Haraka MTA-STS for inbound, SES TLS-required for outbound). Per-domain DKIM private keys are Fernet-encrypted in the database.
No password to remember, lose, or share. A one-time link to the address you already check.
Apr 2026 · Updated 2026-05-11
We chose passwordless sign-in for two reasons. One: passwords are the single most common credential to leak, and the most common reason accounts are compromised. Two: the address you're reading this mail at is already proof that you control it — asking for a password on top is a formality.
§ The token
- Validity: 15 minutes from the moment it leaves our servers.
- Use count: single-use. Once clicked, the token is marked spent and rejected on reuse.
- Storage: hashed at rest; the raw token never touches our database.
- Transport: TLS 1.3 in flight, DKIM-signed in transit.
§ The session
Clicking the link mints a JWT session valid for thirty days. It rides in a cookie set with HttpOnly; Secure; SameSite=Lax, so JavaScript in the page cannot read it and the browser will not attach it to cross-site requests other than top-level navigations. Sign out from the sidebar footer at any time to invalidate it immediately.
§ Revocation
If you suspect your session has been taken — an unfamiliar location, an unfamiliar device — the Sign out everywhere action on /security rotates your session key server-side. Every issued JWT, on every device, is instantly invalid. Sign back in the usual way; old links won't let anyone else back in.
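The session and revocation sections above describe one mechanism: each JWT is signed under a per-user key, so rotating that key invalidates every token at once without keeping a blocklist. The following added example implements that end to end with a minimal HS256 JWT (signing, verification, rotation, and the cookie attributes the page lists). It is illustrative code written for this page, not Folio's; the SessionKeys class, the function names and the in-memory key store are assumptions.

```python
import base64
import hashlib
import hmac
import json
import secrets
import time
from typing import Dict, Optional

SESSION_TTL_SECONDS = 30 * 24 * 60 * 60  # thirty days, as the page states


def _b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def _b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


class SessionKeys:
    """Constructed in-memory per-user HMAC keys (hypothetical; a real store persists these).

    Every JWT for a user is signed with that user's current key, so rotating the key
    is the "Sign out everywhere" action: old tokens fail verification on every device.
    """

    def __init__(self) -> None:
        self._keys: Dict[str, bytes] = {}

    def current(self, user: str) -> Optional[bytes]:
        return self._keys.get(user)

    def ensure(self, user: str) -> bytes:
        if user not in self._keys:
            self._keys[user] = secrets.token_bytes(32)
        return self._keys[user]

    def rotate(self, user: str) -> None:
        self._keys[user] = secrets.token_bytes(32)


def mint_session(keys: SessionKeys, user: str, now: Optional[float] = None) -> str:
    """Issue an HS256 JWT bound to the user's current signing key."""
    now = int(time.time() if now is None else now)
    header = _b64url(json.dumps({"alg": "HS256", "typ": "JWT"}, separators=(",", ":")).encode())
    claims = {"sub": user, "iat": now, "exp": now + SESSION_TTL_SECONDS}
    payload = _b64url(json.dumps(claims, separators=(",", ":")).encode())
    signing_input = f"{header}.{payload}"
    sig = hmac.new(keys.ensure(user), signing_input.encode(), hashlib.sha256).digest()
    return f"{signing_input}.{_b64url(sig)}"


def verify_session(keys: SessionKeys, token: str, now: Optional[float] = None) -> Optional[str]:
    """Return the user a valid session belongs to, or None if the JWT is malformed, tampered, expired or revoked."""
    now = time.time() if now is None else now
    try:
        h64, p64, s64 = token.split(".")
        header = json.loads(_b64url_decode(h64))
        payload = json.loads(_b64url_decode(p64))
        sig = _b64url_decode(s64)
    except ValueError:  # covers a bad split, bad base64 and bad JSON
        return None
    if not isinstance(header, dict) or not isinstance(payload, dict):
        return None
    if header.get("alg") != "HS256":  # pin the algorithm; never let the token choose it
        return None
    user = payload.get("sub")
    key = keys.current(user) if isinstance(user, str) else None
    if key is None:
        return None  # unknown user, or no key issued yet
    expected = hmac.new(key, f"{h64}.{p64}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, sig):
        return None  # tampered, or signed with a rotated (revoked) key
    if now >= payload.get("exp", 0):
        return None
    return user


def session_cookie(token: str) -> str:
    """Set-Cookie value carrying the attributes the page lists."""
    return f"session={token}; Path=/; Max-Age={SESSION_TTL_SECONDS}; HttpOnly; Secure; SameSite=Lax"
```

Two points worth noting from a defender's side: the verifier pins the algorithm rather than reading it from the token, which closes the classic alg-confusion and "none" problems, and SameSite=Lax still lets the cookie accompany top-level cross-site navigations (which is what allows the clicked magic link to land on a signed-in page), so state-changing endpoints should refuse to act on GET.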
§ Common questions
Why is there no password?
- Passwords are the most frequently leaked credential in email, and they have to be rotated by hand. Magic-link auth (a fifteen-minute, single-use token sent to your address) replaces the password without losing the ownership proof: only the person reading the email can complete sign-in.
What happens if I lose access to my sign-in address?
- Add a second sign-in identity in /app/security before you need it. The second identity is independent — if the first mailbox is unreachable, you sign in via the second.
Is my mail encrypted at rest?
- Yes. Raw messages are stored in Amazon S3 and the reading index in DynamoDB, both encrypted at rest. DKIM private keys are additionally Fernet-encrypted at the application layer before being written to the database.
Do you support TLS-only inbound mail?
- Yes. Haraka, our inbound MTA, is covered by our published MTA-STS policy, so sending servers that honour MTA-STS are required to deliver over TLS. Outbound through Amazon SES is TLS-required at the SES side.