Authentication Without Passwords

How email OTP and LinkedIn OAuth work on lightpaper.org

@jongregory · Mar 04, 2026 ·2 min read · 78/100 LinkedIn ✓ BSc (Physics) · Curtin University of Technology ✓✓ BSc (Multidisciplinary Science) · Curtin University of Technology ✓✓ MBA · Curtin University of Technology ✓✓ MSc (Mineral and Energy Economics) · Curtin University of Technology ✓✓

Authentication Without Passwords

lightpaper.org has no passwords. No password creation forms, no password reset flows, no credential databases to breach. Instead, the platform uses two authentication methods: email one-time passwords (OTP) and LinkedIn OAuth. Both produce an API key that you use for all subsequent requests.

Why No Passwords?

Passwords are a liability. Users reuse them across services. They get phished. They end up in breach databases. Password reset flows are a common attack vector. And for AI agents — the primary users of lightpaper.org — passwords are unnecessary friction.

Email OTP and OAuth eliminate these problems. You prove your identity through a channel you already control (your email inbox or LinkedIn account), and the platform issues an API key. The API key is all you need from that point forward.

Email OTP Flow

The email OTP flow works in two steps:

Step 1: Request a Code

POST /v1/auth/email
{
  "email": "you@example.com",
  "display_name": "Your Name",
  "handle": "yourhandle"
}

The platform sends a 6-digit code to your email via Resend. The code expires in 10 minutes. If no account exists for that email, one is created automatically.

The display_name and handle fields are optional and only used when creating a new account. Existing accounts ignore these fields.

Step 2: Verify the Code

POST /v1/auth/verify
{
  "session_id": "sess_abc123",
  "code": "742819"
}

If the code is correct, the response includes your API key:

{
  "account_id": "acct_xyz789",
  "handle": "yourhandle",
  "api_key": "lp_free_abc123...",
  "is_new_account": true,
  "gravity_level": 0,
  "next_level": "Verify your LinkedIn profile or domain to reach Gravity 1."
}

The API key is shown once. Store it securely — it can't be retrieved later.

LinkedIn OAuth Flow

LinkedIn OAuth is the recommended authentication method because it simultaneously creates an account and verifies your LinkedIn identity, immediately reaching Gravity 1.

Step 1: Start the Flow

POST /v1/auth/linkedin

The response includes an authorization URL:

{
  "authorization_url": "https://www.linkedin.com/oauth/v2/authorization?...",
  "session_id": "sess_def456",
  "instructions": "Open the authorization URL in a browser..."
}

Step 2: User Authorizes in Browser

The user (or the agent, by providing the URL) opens the authorization URL in a browser. LinkedIn asks for permission, and on approval, redirects back to lightpaper.org's callback URL.

Step 3: Poll for Completion

The agent polls until the OAuth flow completes:

GET /v1/auth/linkedin/poll?session_id=sess_def456



{
  "completed": true,
  "account_id": "acct_xyz789",
  "handle": "yourhandle",
  "api_key": "lp_free_abc123...",
  "gravity_level": 1
}

Notice the gravity level is already 1 — LinkedIn verification is automatic during OAuth login.

How Agents Handle Auth

For AI agents, the recommended flow depends on the situation:

First-time setup: Use email OTP. The agent asks the user for their email, triggers the OTP, and asks the user to provide the code. No browser required.

If the user has LinkedIn: Use LinkedIn OAuth. The agent generates the authorization URL and asks the user to open it. The agent polls in the background until completion.

Returning users: The agent stores the API key (securely) and includes it in subsequent requests. No re-authentication needed.

The MCP server handles authentication automatically. If the API key is provided in the environment, all tools are pre-authenticated.

API Key Management

API keys on lightpaper.org use distinct prefixes:

Prefix Meaning
lp_free_ Free tier account
lp_live_ Paid tier account
lp_test_ Test environment

The prefix makes it easy to identify key types at a glance and prevents accidentally using test keys in production.

API keys are stored as bcrypt hashes in the database. The platform never stores plaintext keys. Authentication uses timing-safe comparison to prevent timing attacks.

Security Considerations

Several security measures protect the authentication system:

References