Templates

MagicAuth ships seven templates. All of them are overridable by copying the file into your-theme/magicauth/{filename} (or any subdirectory you set with the magicauth_template_path filter).

Resolution order:

1. wp-content/themes/{stylesheet}/magicauth/{filename} (active theme, child theme on a child-theme setup).
2. wp-content/themes/{template}/magicauth/{filename} (parent theme).
3. wp-content/plugins/magicauth/templates/{filename} (plugin default).

The first match wins. If you want different resolution logic, hook magicauth_locate_template.

The seven templates

Template variables

Every template receives a $args array, then extract() exposes each key as a local variable. Each shipped template starts with a @var block listing exactly what it gets.

Email templates (magic-link)

/**
 * @var WP_User $user
 * @var string  $link            Verify URL with selector + verifier.
 * @var string  $code            Plaintext 6-character code.
 * @var string  $code_display    Code formatted for display (XXX-XXX).
 * @var string  $expires_at      GMT MySQL datetime.
 * @var int     $expiry_minutes  Configured TTL.
 * @var string  $brand_color     Hex with leading #.
 * @var string  $brand_text      Best text colour (#fff or #000) computed from YIQ.
 * @var string  $company_name    From settings, or Site Title fallback.
 * @var string  $site_name       Always Site Title.
 * @var bool    $is_test         True for the diagnostic test send.
 */

Disabled-notice templates

/**
 * @var WP_User $user
 * @var string  $brand_color
 * @var string  $brand_text
 * @var string  $company_name
 * @var string  $site_name
 * @var bool    $allow_password_login  Whether the password fallback is on.
 *                                     Use this to optionally append "you may
 *                                     still be able to sign in with your password".
 */

login-shell.php

Wraps the sign-in form. Receives the rendered form HTML plus the brand context. Inspect the shipped file for the exact variable list. The contract is identical to what LoginScreen::build_context() produces.

login-form.php

Renders state-aware markup. Inspect the shipped file for the variable list. Key variables include $state, $email, $session_id, $brand_color, $company_name, plus error-text variables for each state.

agency-credit.php

Receives $label, $name, $url, and $icon_url. Render nothing if any of $name, $url, or $icon_url is empty. The surrounding code already gates on this, but defending in your override makes the template safe to include directly.

Override examples

Add a footer paragraph to the magic-link email

// your-theme/magicauth/email-magic-link.php
<?php
require WP_PLUGIN_DIR . '/magicauth/templates/email-magic-link.php';
?>
<p style="font-size:12px;color:#888;text-align:center;margin-top:32px">
    Sent by Acme Inc · <a href="https://acme.com/support">Support</a>
</p>

If you need full control, copy the shipped template wholesale and edit it in place. Re-include the parent only when your override is purely additive.

Move overrides outside your theme

Themes can be swapped. For overrides you want to survive a theme change, put them in a must-use plugin and route MagicAuth there:

// wp-content/mu-plugins/magicauth-templates.php
add_filter( 'magicauth_locate_template', function ( $resolved, $filename ) {
    $custom = WPMU_PLUGIN_DIR . '/magicauth-overrides/' . $filename;
    return is_readable( $custom ) ? $custom : $resolved;
}, 10, 2 );

What you cannot override

• The Sign in button URL. That comes from $link, which carries the verifier secret. Re-render it, but don't replace it.
• The code_display formatting. It's already normalised to XXX-XXX. Render it, but don't reformat.
• The hidden honeypot and time-to-fill fields in login-form.php. They feed MagicAuth's pre-throttle hygiene gates. If you fork the template, copy them through verbatim.