Docs API reference
Sign in
Sign in
Docs API reference

Authorization links

Authorization links are a security feature that protects attendee-facing pages by requiring verification before access is granted. Instead of using permanent URLs that could be shared or leaked, IO uses single-use, time-limited tokens to ensure only the intended recipient can access their registration, tickets, or event page.

How it works

When someone receives a link — whether it's an invitation to RSVP, a ticket confirmation, or a private event page — that link contains a unique token. When they click it, the token is verified and a secure cookie is set in their browser. From that point on, they can access the page without needing to re-authenticate.

If the token has already been used or has expired, the visitor is prompted to verify their identity by entering their email address. If the email matches the one on file, a fresh authorization link is sent to them.

What's protected

Authorization links are used to secure:

  • RSVP pages — invited guests click through from their invitation email to claim their tickets
  • Ticket pages — attendees access their ticket details, digital passes, and attendee hub
  • Private landing pages — restrict access to a registration page to a pre-approved email list

The verification flow

When someone visits a protected page without a valid token:

  1. They're asked to enter their email address
  2. The system checks if the email matches an authorized recipient
  3. If it matches, a new authorization link is sent to that email
  4. They click the link and are granted access

This means that even if a link is forwarded or shared, the original recipient's email is required to gain access. The authorization email acts as a second factor of verification.

Private landing pages

For invitation-only events, you can restrict your landing page to a list of authorized email addresses. Only people on the list can request an authorization link. This is useful when you want to share a registration URL but still control who can access it.

Configure this in your landing page settings by enabling link authorization and adding the authorized email addresses.

Security considerations

  • Tokens are single-use — once a token is consumed, it can't be reused
  • Cookies are secure — authorization cookies use SameSite=None, Secure, and Partitioned attributes for cross-site compatibility
  • No accounts required — attendees never need to create an account or remember a password
  • Graceful recovery — if a link expires or is already used, the re-verification flow is simple and immediate

On this page

 ← Previous Custom fields Next → Set up an invitation-only event