This was happening yesterday, and with no code changes whatsoever it was not happening this morning.
Now it’s happening again so I can’t proceed with testing. I’ve read about including “session_duration_minutes” which I’ve always done and I’ve both debugged through to verify that it’s correct (480) and also checking in Chrome Developer Options.
I’ve been testing creating new users, but I create and delete the same one. I’ve also tried a new one but once it gets to this state, I only get empty session_jwt cookies.
Hey Richard – thanks for posting!
Would you mind sharing a request_id (which is not a sensitive value) for one of your requests that resulted in an empty session_jwt? Are you seeing an empty session_jwt in the response body itself, or just in the browser cookies?
Both are empty:
request-id-test-d8b2ca52-11e6-4250-a802-07a6514e071e
Thanks!
It looks like that request resulted in a 401 / unauthorized_credentials error, which indicates that the user’s session is no longer valid. We will not return the session_token or session_jwt when this occurs, and our SDK clears the session cookies.
It looks like this particular session was revoked at 2025-10-21T16:28:51 UTC, which is why it was no longer valid. In this case, it looks like the session was revoked because the Stytch User that it belonged to was deleted.
Yes, but I can never create the user again because this:
const response = await this.stytch.passwords.create({
email,
password,
session_duration_minutes: appConfig.SESSION_DURATION_MINUTES,
});
Now always returns an empty session_jwk. So it’s on the “create” that’s failing.
And once that happens, I can’t seem to create any users. It seems to be for one test site. So we have another test site running on a different server with the same stytch credentials that still works. It’s like if you create and delete a user after a certain limit it just won’t give you a valid session_jwk.
On a hunch, I just opened an Incognito tab and tried and now I’m getting the session_jwt. No change in the code.
I had previously tried clearing all browser cookies, but that didn;t make a difference.
Now I’m attempting to send a login magic link using this to the API:
stytch_payload = {
“email”: email,
“login_magic_link_url”: f’{self.mainspringWebHost}/verify-email’,
“login_expiration_minutes”: 30,
“session_jwt”: response[‘session_jwt’]
}
But I’m getting this response in the activity log:
There are no signup redirect URLs registered. To set signup redirect URLs for this project please visit Stytch - User infrastructure + passwordless authentication . For more information on why this validation is necessary please visit URL Validation - Stytch API .
This is true, I don’t have “signup” checked for any redirect URLs, I only have “Login” checked. So I don’t understand the error.
Hey Richard,
Thanks for your reply!
Regarding the initial issue with an empty session_jwt, if it’s working in an incognito window then the issue is likely something on your browser blocking the cookie from being set (e.g. a browser extension). Stytch’s JS SDKs will attempt to set the session cookies automatically; more on this here: Cookies & session management | Stytch JavaScript SDK
With regards to the no_signup_redirect_url error when sending an Email Magic Link, just to confirm, when testing this are you passing in an email belonging to an existing active User in your Project, along with a session_jwt associated with an active Session for that User? It looks like you’re signing up and deleting the User with the same email multiple times - does the error still occur when the email and session JWT passed in are for the same exact active User? Otherwise, it might be treating it as a new User and thus going through the signup flow instead (where it’ll error if no default signup redirect URL is set or passed into the call).
I’ve actually gotten it working, BUT, there doesn’t seem to be a way to avoid the user needing to reset their password, which sort of defeats my purpose. My goal is to send one email after registration with my app to verify their email address.
I initially was using email/send to send a magic link, but that required a password reset.
I changed it to login (and signup), also requires the user to reset their password. All I really want is to check that the redirect with the token is valid, which is working fine. I just can’t get by the “password reset” required.
BTW, a big issue with the docs is that they don’t specifically say which attributes are required for a call. For example, the magic link (email/send) requires the session_jwt. Without it it won’t work.
Login and Signup won’t work if the session_jwt is included.
I guess this is implied, but it seems like it should be explicit exactly what is required for each type.
Thanks for your reply - glad to hear you have it working!
Just to clarify regarding your use case, are you trying to perform email verification before having a user set their password, or after?
We require password resets whenever an active User has a password, and you attempt to add an email address to that User. If a session_jwt is not passed in the send magic link call, we’ll enforce a reset for security reasons (to prevent an account takeover).
These guides may help to reference, depending on the flow you’d like to implement in your app:
https://stytch.com/docs/guides/passwords/email-verification/before-password-creation
https://stytch.com/docs/guides/passwords/email-verification/after-password-creation
Lastly, it’s worth noting that all required params in the API documentation are marked with a red *. Send Magic Link by email actually does not require a session_jwt; it’s an optional parameter that if passed in, will attempt to add an email to an existing User, instead of just sending a magic link for an existing User to log in with.
Johann,
I appreciate the help, and I don’t mean to wear you out, but here is the source of the confusion:
”Stytch’s email verification flows are intentionally flexible so that you can choose the combination of products that best fits your use case. In this guide, we’ll be using our Email OTP product in order to verify email addresses, but you may choose to use Email Magic Links instead by replacing the below Email OTP endpoints with Email Magic Links endpoints.”
Ok, so you can use OTP or magic links. Then below:
”Next, send a verification email to your user by calling our Send one-time passcode by email endpoint. Include the session_token from Step 1 in your request – otherwise, the user will be required to reset their password in order to prevent an account takeover attack vector:”
That;s exactly what I was doing, but the user was still required to reset their password.
Thus my confusion.
Hi Richard,
Thanks for your message!
Are you passing in the same session token returned from your stytch.passwords.create call to the send email magic link or send email OTP call?
The underlying Stytch Session needs to have the password as an authentication factor in order for a password reset to not be forced.
The documentation page states that email magic link URLs may be substituted for OTP URLs in the examples.
However, while I cache the session token when I send the email, if using the email magic links there’s no way to retrieve the user after the user clicks the button and returns to my back end, as the only parameter is the token. Therefore for my use case it’s a chicken and egg issue; I can’t determine the user until I’ve authenticated and therefore I can’t retrieve the session token that I’ve cached, at which point Stytch requires that the user reset their password, which doesn’t match my desired flow.
I’ve spent many days learning the in and outs via trial and error, and I have no desire to refactor my front end for OTP. However, I was able to implement a secure email validation flow myself in less than 90 minutes using Python’s “itsdangerous” module and a “send mail” module I had written for another project and then just using the front and back end that I coded for the Stytch flow.