This article explains more about login links, which are one-time use links that donors can use to log in to their accounts.
What are login links?
Login links provide donors with a secure, convenient way to access the Trellis platform without needing to remember a password. They enable immediate participation with previously saved payment methods.
Benefits
- Removes friction of password-based login.
- Encourages donor participation with instant access.
- Balances security (short-lived, one-time tokens) with usability (reasonable time window).
How login links work:
- When a donor requests access (e.g., via email or SMS), Trellis generates a unique login link. Each link is tied to the donor’s account and associated with a saved credit card, if available.
- The link is sent securely to the donor’s email or phone number on file. It includes an embedded token that identifies the donor.
- When the donor clicks the link, Trellis validates the token. If valid, the donor is logged into their account automatically. The donor can immediately engage in giving or event participation.
Security Properties
- One-Time Use: Each link can only be used once and expires after use.
- Expiry Window: Links expire 6 hours after creation.
- Token Binding: Tokens are cryptographically signed and tied to a specific donor record.
- Auto-Invalidation: Expired or already-used links are rejected with a prompt to request a new one, which is sent to the same email address and phone number.
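The sketch below shows how the four properties above (signed, donor-bound, 6-hour expiry, one-time use) fit together in a token check. It is an added example, not Trellis's implementation: the token layout, the HMAC-SHA256 signing choice, the key handling and the in-memory used-token set are all assumptions made for illustration.

```python
import base64, hashlib, hmac, json, secrets, time

SECRET_KEY = secrets.token_bytes(32)   # assumption: server-side signing key
LINK_TTL_SECONDS = 6 * 60 * 60         # the 6-hour expiry window from the article
_used_token_ids = set()                # assumption: stand-in for a database table


def _b64(data):
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def _unb64(text):
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def issue_token(donor_id, now=None):
    """Create a signed token bound to one donor record."""
    now = time.time() if now is None else now
    claims = {"donor": donor_id, "exp": int(now) + LINK_TTL_SECONDS,
              "jti": secrets.token_urlsafe(16)}  # unique id enables one-time use
    body = _b64(json.dumps(claims, sort_keys=True).encode())
    sig = hmac.new(SECRET_KEY, body.encode(), hashlib.sha256).digest()
    return f"{body}.{_b64(sig)}"


def redeem_token(token, now=None):
    """Return (True, donor_id) on success or (False, reason) on rejection."""
    now = time.time() if now is None else now
    try:
        body, sig = token.split(".")
        expected = hmac.new(SECRET_KEY, body.encode(), hashlib.sha256).digest()
        # Verify the signature before trusting anything inside the token.
        if not hmac.compare_digest(expected, _unb64(sig)):
            return False, "invalid"
        claims = json.loads(_unb64(body))
    except (ValueError, TypeError):
        return False, "invalid"
    if now >= claims["exp"]:
        return False, "expired"
    # A real service would make this check-and-mark a single atomic database write.
    if claims["jti"] in _used_token_ids:
        return False, "already used"
    _used_token_ids.add(claims["jti"])   # burn the token on first successful use
    return True, claims["donor"]
```

The signature check comes first so that the expiry and donor fields are only read from tokens the server itself issued.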
Why Expiration Matters
Expiring login links after a fixed duration is a security best practice because:
- Limits Risk of Compromise: If a link is intercepted or forwarded, a short window reduces the chance of misuse.
- Prevents Token Reuse: Even one-time tokens can linger unused; expiration clears them out automatically.
- Aligns with Standards: OAuth, SAML, and password reset systems all enforce expiring tokens.
- Ensures Fresh Authentication: Expired links force donors to re-verify access to their email/phone.
Need help?
If you have any questions, reach out to us via the blue chat icon or email support@trellis.org.