Parsley Pay uses passwordless authentication — there's no password to create, remember, or reset. Instead, we send you a magic link by email every time you sign in.
The magic link expires after 15 minutes. If it expires before you use it, simply request a new one from the login page.
When you request a magic link, we generate a cryptographically random token and store a SHA-256 hash of it in our database (not the token itself). The plain token is embedded in the link and sent to your email. When you click the link, we hash the token you provided and compare it to the stored hash. If they match and the token hasn't expired or been used, you're signed in.
Once used, the token is immediately invalidated — it can't be used again. This means even if someone intercepts the email after you've signed in, the link will no longer work.
After signing in, a session token is stored in your browser's local storage. This keeps you signed in so you don't have to request a magic link on every visit. You can sign out at any time from the account menu, which removes the session token from your browser.
If you don't see the email within a minute or two, check your spam or junk folder. Magic link emails come from noreply@parsleypay.com.
If it's still not there, try requesting a new link from the login page. If problems persist, contact us at support@parsleypay.com.
Magic links are as secure as your email account. Since email is already used for password resets on most sites, passwordless authentication doesn't introduce new risks — it just removes the weakest link (reused or guessable passwords) from the equation. We recommend using an email provider with two-factor authentication enabled.