diff --git a/app/Http/Controllers/User/LoginLinkController.php b/app/Http/Controllers/User/LoginLinkController.php
new file mode 100644
index 0000000..1ce0b06
--- /dev/null
+++ b/app/Http/Controllers/User/LoginLinkController.php
@@ -0,0 +1,81 @@
+<?php
+
+declare(strict_types=1);
+
+namespace App\Http\Controllers\User;
+
+use App\Models\User;
+use App\Models\LoginLink;
+use Illuminate\Support\Arr;
+use Illuminate\Support\Str;
+use Illuminate\Http\Request;
+use App\Http\Controllers\Controller;
+use App\Notifications\LoginLinkMail;
+use Illuminate\Support\Facades\Auth;
+use Illuminate\Http\RedirectResponse;
+use Illuminate\Support\Facades\RateLimiter;
+
+use function Illuminate\Support\defer;
+
+final class LoginLinkController extends Controller
+{
+    private const RATE_LIMIT_PREFIX = 'login-link:';
+    private const RATE_LIMIT_ATTEMPTS = 1;
+    private const EXPIRATION_TIME = 15;
+
+    /**
+     * Create a new magic link.
+     */
+    public function store(Request $request): RedirectResponse
+    {
+        /** @var array<string, string> $validated */
+        $validated = $request->validate([
+            'email' => ['required', 'email', 'exists:users,email'],
+        ]);
+
+        $email = $validated['email'];
+        $key = self::RATE_LIMIT_PREFIX.$email;
+
+        // Rate limit check - 1 attempt per minute
+        if (RateLimiter::tooManyAttempts($key, self::RATE_LIMIT_ATTEMPTS)) {
+            $seconds = RateLimiter::availableIn($key);
+
+            session()->flash('error', __('Please wait :seconds seconds before requesting another magic link.', ['seconds' => $seconds]));
+
+            return redirect()->back();
+        }
+
+        $user = User::query()->where('email', $email)->firstOrFail();
+
+        // Increment the rate limiter
+        RateLimiter::increment($key);
+
+        $magicLink = LoginLink::query()->create([
+            'user_id' => $user->id,
+            'token' => Str::random(64),
+            'expires_at' => now()->addMinutes(self::EXPIRATION_TIME),
+        ]);
+
+        defer(fn () => $user->notify(new LoginLinkMail($magicLink)), 'login-link-notification');
+
+        session()->flash('success', __('Magic link sent to your email!'));
+
+        return redirect()->back();
+    }
+
+    /**
+     * Login with a magic link.
+     */
+    public function login(string $token): RedirectResponse
+    {
+        $magicLink = LoginLink::query()->where('token', $token)
+            ->whereNull('used_at')
+            ->where('expires_at', '>', now())
+            ->firstOrFail();
+
+        $magicLink->update(['used_at' => now()]);
+        Auth::login($magicLink->user, true);
+
+        return redirect()->route('dashboard');
+    }
+}
diff --git a/app/Models/LoginLink.php b/app/Models/LoginLink.php
new file mode 100644
index 0000000..a850b22
--- /dev/null
+++ b/app/Models/LoginLink.php
@@ -0,0 +1,79 @@
+<?php
+
+declare(strict_types=1);
+
+namespace App\Models;
+
+use Carbon\CarbonImmutable;
+use Illuminate\Support\Facades\Date;
+use Illuminate\Database\Query\Builder;
+use Illuminate\Database\Eloquent\Model;
+use Database\Factories\LoginLinkFactory;
+use Illuminate\Database\Eloquent\MassPrunable;
+use Illuminate\Database\Eloquent\Relations\BelongsTo;
+use Illuminate\Database\Eloquent\Factories\HasFactory;
+
+/**
+ * @property int $id
+ * @property int $user_id
+ * @property string $token
+ * @property CarbonImmutable $expires_at
+ * @property CarbonImmutable|null $used_at
+ * @property CarbonImmutable|null $created_at
+ * @property CarbonImmutable|null $updated_at
+ * @property-read User $user
+ *
+ * @method static \Database\Factories\LoginLinkFactory factory($count = null, $state = [])
+ * @method static \Illuminate\Database\Eloquent\Builder<static>|LoginLink newModelQuery()
+ * @method static \Illuminate\Database\Eloquent\Builder<static>|LoginLink newQuery()
+ * @method static \Illuminate\Database\Eloquent\Builder<static>|LoginLink query()
+ * @method static \Illuminate\Database\Eloquent\Builder<static>|LoginLink whereCreatedAt($value)
+ * @method static \Illuminate\Database\Eloquent\Builder<static>|LoginLink whereExpiresAt($value)
+ * @method static \Illuminate\Database\Eloquent\Builder<static>|LoginLink whereId($value)
+ * @method static \Illuminate\Database\Eloquent\Builder<static>|LoginLink whereToken($value)
+ * @method static \Illuminate\Database\Eloquent\Builder<static>|LoginLink whereUpdatedAt($value)
+ * @method static \Illuminate\Database\Eloquent\Builder<static>|LoginLink whereUsedAt($value)
+ * @method static \Illuminate\Database\Eloquent\Builder<static>|LoginLink whereUserId($value)
+ *
+ * @mixin \Eloquent
+ */
+final class LoginLink extends Model
+{
+    /** @use HasFactory<LoginLinkFactory> */
+    use HasFactory;
+
+    use MassPrunable;
+
+    protected $guarded = [];
+
+    /**
+     * The attributes that should be cast.
+     *
+     * @var array<string, string>
+     */
+    protected $casts = [
+        'expires_at' => 'datetime',
+        'used_at' => 'datetime',
+    ];
+
+    /**
+     * Get the user that the magic link belongs to.
+     *
+     * @return BelongsTo<User, covariant $this>
+     */
+    public function user(): BelongsTo
+    {
+        return $this->belongsTo(User::class);
+    }
+
+    /**
+     * Get the prunable model query.
+     * This will delete all magic links that were created more than a week ago.
+     *
+     * @return Builder
+     */
+    public function prunable(): Builder
+    {
+        return self::query()->where('expires_at', '<=', Date::now())->toBase();
+    }
+}
diff --git a/app/Notifications/LoginLinkMail.php b/app/Notifications/LoginLinkMail.php
new file mode 100644
index 0000000..2efcfc9
--- /dev/null
+++ b/app/Notifications/LoginLinkMail.php
@@ -0,0 +1,41 @@
+<?php
+
+declare(strict_types=1);
+
+namespace App\Notifications;
+
+use App\Models\LoginLink;
+use Illuminate\Bus\Queueable;
+use Illuminate\Support\Facades\URL;
+use Illuminate\Notifications\Notification;
+use Illuminate\Notifications\Messages\MailMessage;
+
+final class LoginLinkMail extends Notification
+{
+    use Queueable;
+
+    private readonly string $magicLinkUrl;
+
+    public function __construct(private readonly LoginLink $magicLink)
+    {
+        $this->magicLinkUrl = URL::signedRoute('login-link.login', ['token' => $this->magicLink->token]);
+    }
+
+    /**
+     * @return array<int, string>
+     */
+    public function via(): array
+    {
+        return ['mail'];
+    }
+
+    public function toMail(): MailMessage
+    {
+        return (new MailMessage)
+            ->subject('Your Magic Login Link')
+            ->line('Click the button below to log in.')
+            ->action('Log In', $this->magicLinkUrl)
+            ->line('This link will expire in 15 minutes.')
+            ->line('If you did not request this link, no action is needed.');
+    }
+}
diff --git a/app/Providers/AppServiceProvider.php b/app/Providers/AppServiceProvider.php
index 992f318..b27a6ca 100644
--- a/app/Providers/AppServiceProvider.php
+++ b/app/Providers/AppServiceProvider.php
@@ -8,6 +8,7 @@
 use EchoLabs\Prism\Prism;
 use Carbon\CarbonImmutable;
 use Knuckles\Scribe\Scribe;
+use Illuminate\Http\Request;
 use Laravel\Sanctum\Sanctum;
 use Illuminate\Support\Facades\DB;
 use Illuminate\Support\Facades\App;
@@ -18,6 +19,8 @@
 use EchoLabs\Prism\Text\PendingRequest;
 use Illuminate\Database\Eloquent\Model;
 use Illuminate\Support\ServiceProvider;
+use Illuminate\Cache\RateLimiting\Limit;
+use Illuminate\Support\Facades\RateLimiter;
 use EchoLabs\Prism\Enums\Provider as PrismProvider;
 use Knuckles\Camel\Extraction\ExtractedEndpointData;
 use Symfony\Component\HttpFoundation\Request as HttpFoundationRequest;
@@ -55,6 +58,7 @@ public function boot(): void
         $this->configureVite();
         $this->configurePrisms();
         $this->configureScribeDocumentation();
+        $this->configureRateLimiting();
     }
 
     /**
@@ -156,4 +160,14 @@ private function configurePrisms(): void
                 ->withMaxTokens(250)
         );
     }
+
+    /**
+     * Configure the application's rate limiting.
+     *
+     * @see https://laravel.com/docs/11.x/routing#rate-limiting
+     */
+    private function configureRateLimiting(): void
+    {
+        RateLimiter::for('login-link', fn (Request $request) => $request->email ? Limit::perHour(5)->by($request->email) : Limit::perHour(5)->by($request->ip()));
+    }
 }
diff --git a/database/factories/LoginLinkFactory.php b/database/factories/LoginLinkFactory.php
new file mode 100644
index 0000000..a557490
--- /dev/null
+++ b/database/factories/LoginLinkFactory.php
@@ -0,0 +1,30 @@
+<?php
+
+declare(strict_types=1);
+
+namespace Database\Factories;
+
+use App\Models\User;
+use App\Models\LoginLink;
+use Illuminate\Database\Eloquent\Factories\Factory;
+
+/**
+ * @extends Factory<LoginLink>
+ */
+final class LoginLinkFactory extends Factory
+{
+    /**
+     * Define the model's default state.
+     *
+     * @return array<model-property<LoginLink>, mixed>
+     */
+    public function definition(): array
+    {
+        return [
+            'user_id' => User::factory()->create()->id,
+            'token' => fake()->uuid(),
+            'expires_at' => fake()->dateTimeBetween('5 minutes', '15 minutes'),
+            'used_at' => null,
+        ];
+    }
+}
diff --git a/database/migrations/0001_01_01_000013_create_login_links_table.php b/database/migrations/0001_01_01_000013_create_login_links_table.php
new file mode 100644
index 0000000..825f0c0
--- /dev/null
+++ b/database/migrations/0001_01_01_000013_create_login_links_table.php
@@ -0,0 +1,33 @@
+<?php
+
+declare(strict_types=1);
+
+use Illuminate\Support\Facades\Schema;
+use Illuminate\Database\Schema\Blueprint;
+use Illuminate\Database\Migrations\Migration;
+
+return new class extends Migration
+{
+    /**
+     * Run the migrations.
+     */
+    public function up(): void
+    {
+        Schema::create('login_links', function (Blueprint $table): void {
+            $table->id();
+            $table->foreignId('user_id')->constrained()->cascadeOnDelete();
+            $table->string('token', 64)->unique();
+            $table->timestamp('expires_at');
+            $table->timestamp('used_at')->nullable();
+            $table->timestamps();
+        });
+    }
+
+    /**
+     * Reverse the migrations.
+     */
+    public function down(): void
+    {
+        Schema::dropIfExists('login_links');
+    }
+};
diff --git a/resources/js/Pages/Auth/Login.vue b/resources/js/Pages/Auth/Login.vue
index 123fedb..12b4f7a 100644
--- a/resources/js/Pages/Auth/Login.vue
+++ b/resources/js/Pages/Auth/Login.vue
@@ -7,14 +7,15 @@ import Checkbox from '@/Components/shadcn/ui/checkbox/Checkbox.vue'
 import Input from '@/Components/shadcn/ui/input/Input.vue'
 import Label from '@/Components/shadcn/ui/label/Label.vue'
 import Sonner from '@/Components/shadcn/ui/sonner/Sonner.vue'
+import { Tabs, TabsContent, TabsList, TabsTrigger } from '@/Components/shadcn/ui/tabs'
 import SocialLoginButton from '@/Components/SocialLoginButton.vue'
 import { useSeoMetaTags } from '@/Composables/useSeoMetaTags.js'
-import { cn } from '@/lib/utils'
 import { Link, useForm, usePage } from '@inertiajs/vue3'
-import { inject, onMounted } from 'vue'
+import { useLocalStorage } from '@vueuse/core'
+import { computed, inject, onMounted } from 'vue'
 import { toast } from 'vue-sonner'
 
-defineProps({
+const props = defineProps({
   canResetPassword: Boolean,
   status: String,
   availableOauthProviders: Object,
@@ -22,43 +23,85 @@ defineProps({
 
 const page = usePage()
 const route = inject('route')
+const activeTab = useLocalStorage('login-active-tab', 'password')
 
-useSeoMetaTags({
-  title: 'Log in',
-})
-
-const form = useForm({
+// Form state
+const passwordForm = useForm({
   email: 'test@example.com',
   password: 'password',
   remember: false,
 })
-function handleSubmit() {
-  form.transform(data => ({
-    ...data,
-    remember: form.remember ? 'on' : '',
-  })).post(route('login'), {
-    onFinish: () => form.reset('password'),
+
+const loginLinkForm = useForm({
+  email: '',
+})
+
+// Computed
+const hasOauthProviders = computed(() =>
+  Object.keys(props.availableOauthProviders || {}).length > 0,
+)
+
+const isProcessing = computed(() =>
+  passwordForm.processing || loginLinkForm.processing,
+)
+
+// Methods
+function handlePasswordLogin() {
+  passwordForm
+    .transform(data => ({
+      ...data,
+      remember: data.remember ? 'on' : '',
+    }))
+    .post(route('login'), {
+      onFinish: () => passwordForm.reset('password'),
+    })
+}
+
+function handleLoginLink() {
+  loginLinkForm.post(route('login-link.store'), {
+    onSuccess: () => {
+      loginLinkForm.reset()
+      if (page.props.flash.success) {
+        toast.success(page.props.flash.success)
+      }
+    },
+    onError: () => {
+      if (page.props.flash.error) {
+        toast.error(page.props.flash.error)
+      }
+    },
   })
 }
 
+// Lifecycle
 onMounted(() => {
   if (page.props.flash.error) {
     toast.error(page.props.flash.error)
   }
+
+  if (page.props.flash.success) {
+    toast.success(page.props.flash.success)
+  }
+})
+
+// SEO
+useSeoMetaTags({
+  title: 'Log in',
 })
 </script>
 
 <template>
   <Sonner position="top-center" />
-  <div class="flex min-h-screen flex-col items-center justify-center">
-    <Card class="mx-auto max-w-lg" :class="cn('w-[380px]')">
+
+  <div class="flex min-h-screen flex-col items-center justify-center bg-gradient-to-b from-background/50 to-background">
+    <Card class="mx-auto w-[420px] shadow-lg transition-all duration-300 hover:shadow-xl">
       <!-- Header -->
       <CardHeader>
         <CardTitle class="flex justify-center">
           <AuthenticationCardLogo />
         </CardTitle>
-        <CardDescription class="text-center text-2xl">
-          Log In
+        <CardDescription class="text-center text-2xl font-light">
+          Welcome Back
         </CardDescription>
       </CardHeader>
 
@@ -68,82 +111,149 @@ onMounted(() => {
           {{ status }}
         </div>
 
-        <!-- Login Form -->
-        <form @submit.prevent="handleSubmit">
-          <div class="grid gap-4">
-            <!-- Email Field -->
-            <div class="grid gap-2">
-              <Label for="email">Email</Label>
-              <Input
-                id="email" v-model="form.email" type="email" placeholder="test@example.com" required
-                autofocus autocomplete="username"
-              />
-              <InputError :message="form.errors.email" />
-            </div>
+        <!-- Login Tabs -->
+        <Tabs v-model="activeTab" class="w-full">
+          <TabsList class="grid w-full grid-cols-2 rounded-lg p-1">
+            <TabsTrigger value="password">
+              Password
+            </TabsTrigger>
+            <TabsTrigger value="login-link">
+              Login Link
+            </TabsTrigger>
+          </TabsList>
 
-            <!-- Password Field -->
-            <div class="grid gap-2">
-              <div class="flex items-center justify-between">
-                <Label for="password">Password</Label>
-                <Link
-                  v-if="canResetPassword" :href="route('password.request')"
-                  class="text-sm text-muted-foreground underline hover:text-primary"
-                >
-                  Forgot your password?
-                </Link>
-              </div>
-              <Input
-                id="password" v-model="form.password" type="password" required
-                autocomplete="current-password"
-              />
-              <InputError :message="form.errors.password" />
-            </div>
+          <div class="mt-6">
+            <!-- Password Login -->
+            <TabsContent value="password" class="space-y-4">
+              <form @submit.prevent="handlePasswordLogin">
+                <div class="grid gap-4">
+                  <!-- Email -->
+                  <div class="grid gap-2">
+                    <Label for="email">Email</Label>
+                    <Input
+                      id="email"
+                      v-model="passwordForm.email"
+                      type="email"
+                      placeholder="name@example.com"
+                      required
+                      autofocus
+                      autocomplete="username"
+                    />
+                    <InputError :message="passwordForm.errors.email" />
+                  </div>
 
-            <!-- Remember Me -->
-            <div class="flex items-center space-x-2">
-              <Checkbox id="remember" v-model:checked="form.remember" name="remember" />
-              <label for="remember" class="text-sm text-muted-foreground">
-                Remember me
-              </label>
-            </div>
+                  <!-- Password -->
+                  <div class="grid gap-2">
+                    <div class="flex items-center justify-between">
+                      <Label for="password">Password</Label>
+                      <Link
+                        v-if="canResetPassword"
+                        :href="route('password.request')"
+                        class="text-sm text-muted-foreground hover:text-primary hover:underline underline-offset-4"
+                      >
+                        Forgot password?
+                      </Link>
+                    </div>
+                    <Input
+                      id="password"
+                      v-model="passwordForm.password"
+                      type="password"
+                      required
+                      autocomplete="current-password"
+                    />
+                    <InputError :message="passwordForm.errors.password" />
+                  </div>
 
-            <!-- Submit Button -->
-            <Button
-              type="submit" class="w-full" :class="{ 'opacity-25': form.processing }"
-              :disabled="form.processing"
-            >
-              Log in
-            </Button>
-
-            <!-- OAuth Divider -->
-            <div v-if="Object.keys(availableOauthProviders).length" class="relative">
-              <div class="absolute inset-0 flex items-center">
-                <span class="w-full border-t" />
-              </div>
-              <div class="relative flex justify-center text-xs uppercase">
-                <span class="bg-background px-2 text-muted-foreground">
-                  Or continue with
-                </span>
+                  <!-- Remember Me -->
+                  <div class="flex items-center space-x-2">
+                    <Checkbox
+                      id="remember"
+                      v-model:checked="passwordForm.remember"
+                      name="remember"
+                    />
+                    <label for="remember" class="text-sm text-muted-foreground">
+                      Remember me
+                    </label>
+                  </div>
+
+                  <Button
+                    type="submit"
+                    class="w-full"
+                    :class="{ 'opacity-75': passwordForm.processing }"
+                    :disabled="isProcessing"
+                  >
+                    {{ passwordForm.processing ? 'Signing in...' : 'Sign in' }}
+                  </Button>
+                </div>
+              </form>
+            </TabsContent>
+
+            <!-- Login Link -->
+            <TabsContent value="login-link" class="space-y-4">
+              <div class="text-sm text-muted-foreground">
+                We'll send you a login link for password-free sign in.
               </div>
+              <form @submit.prevent="handleLoginLink">
+                <div class="grid gap-4">
+                  <div class="grid gap-2">
+                    <Label for="login-link-email">Email</Label>
+                    <Input
+                      id="login-link-email"
+                      v-model="loginLinkForm.email"
+                      type="email"
+                      required
+                      placeholder="name@example.com"
+                    />
+                    <InputError :message="loginLinkForm.errors.email" />
+                  </div>
+
+                  <Button
+                    type="submit"
+                    class="w-full"
+                    :class="{ 'opacity-75': loginLinkForm.processing }"
+                    :disabled="isProcessing"
+                  >
+                    {{ loginLinkForm.processing ? 'Sending...' : 'Send Login Link' }}
+                  </Button>
+                </div>
+              </form>
+            </TabsContent>
+          </div>
+        </Tabs>
+
+        <!-- OAuth Section -->
+        <div v-if="hasOauthProviders" class="mt-6">
+          <div class="relative">
+            <div class="absolute inset-0 flex items-center">
+              <span class="w-full border-t" />
+            </div>
+            <div class="relative flex justify-center text-xs uppercase">
+              <span class="bg-background px-2 text-muted-foreground">
+                Or continue with
+              </span>
             </div>
+          </div>
 
-            <!-- OAuth Providers -->
+          <div class="mt-6 grid gap-2">
             <SocialLoginButton
               v-for="provider in availableOauthProviders"
               :key="provider.slug"
               :provider="provider"
-              :disabled="form.processing"
+              :disabled="isProcessing"
             />
-
-            <!-- Register Link -->
-            <div class="text-center text-sm text-muted-foreground">
-              Don't have an account?
-              <Link :href="route('register')" class="underline hover:text-primary">
-                Sign up
-              </Link>
-            </div>
           </div>
-        </form>
+        </div>
+
+        <!-- Sign Up Link -->
+        <div class="mt-6 text-center text-sm text-muted-foreground">
+          Don't have an account?
+          <Link
+            :href="route('register')"
+            class="font-medium text-primary hover:underline underline-offset-4"
+          >
+            Sign up
+          </Link>
+        </div>
       </CardContent>
     </Card>
   </div>
diff --git a/routes/web.php b/routes/web.php
index f3923e4..c82fe7c 100644
--- a/routes/web.php
+++ b/routes/web.php
@@ -8,12 +8,22 @@
 use App\Http\Controllers\DashboardController;
 use App\Http\Controllers\User\OauthController;
 use App\Http\Controllers\SubscriptionController;
+use App\Http\Controllers\User\LoginLinkController;
 
 Route::get('/', [WelcomeController::class, 'home'])->name('home');
 
-Route::get('/auth/redirect/{provider}', [OauthController::class, 'redirect'])->name('oauth.redirect');
-
-Route::get('/auth/callback/{provider}', [OauthController::class, 'callback'])->name('oauth.callback');
+Route::prefix('auth')->group(
+    function () {
+        // OAuth
+        Route::get('/redirect/{provider}', [OauthController::class, 'redirect'])->name('oauth.redirect');
+        Route::get('/callback/{provider}', [OauthController::class, 'callback'])->name('oauth.callback');
+        // Magic Link
+        Route::middleware('throttle:login-link')->group(function () {
+            Route::post('/login-link', [LoginLinkController::class, 'store'])->name('login-link.store');
+            Route::get('/login-link/{token}', [LoginLinkController::class, 'login'])->name('login-link.login');
+        });
+    }
+);
 
 Route::middleware(['auth:sanctum', config('jetstream.auth_session'), 'verified'])->group(function () {
     Route::get('/dashboard', DashboardController::class)->name('dashboard');
diff --git a/tests/Feature/Controllers/User/LoginLinkControllerTest.php b/tests/Feature/Controllers/User/LoginLinkControllerTest.php
new file mode 100644
index 0000000..274a974
--- /dev/null
+++ b/tests/Feature/Controllers/User/LoginLinkControllerTest.php
@@ -0,0 +1,140 @@
+<?php
+
+declare(strict_types=1);
+
+use App\Models\User;
+use App\Models\LoginLink;
+use Illuminate\Support\Str;
+use Illuminate\Support\Facades\URL;
+use App\Notifications\LoginLinkMail;
+use Illuminate\Support\Facades\RateLimiter;
+use Illuminate\Support\Facades\Notification;
+use App\Http\Controllers\User\LoginLinkController;
+use Illuminate\Routing\Middleware\ThrottleRequests;
+
+use function Pest\Laravel\assertAuthenticatedAs;
+use function Pest\Laravel\get;
+use function Pest\Laravel\post;
+use function Pest\Laravel\assertDatabaseHas;
+use function Pest\Laravel\withoutMiddleware;
+use function Pest\Laravel\assertDatabaseCount;
+use function Pest\Laravel\assertGuest;
+
+covers(LoginLinkController::class);
+
+beforeEach(function (): void {
+    RateLimiter::clear('login-link:test@example.com');
+    withoutMiddleware(ThrottleRequests::class);
+    Notification::fake();
+});
+
+describe('can create login link', function (): void {
+    it('creates login link and sends notification', function (): void {
+        $user = User::factory()->create(['email' => 'test@example.com']);
+
+        $response = post(route('login-link.store'), [
+            'email' => $user->email,
+        ]);
+
+        $response->assertRedirect()
+            ->assertSessionHas('success');
+
+        assertDatabaseHas('login_links', [
+            'user_id' => $user->id,
+            'used_at' => null,
+        ]);
+
+        Notification::assertSentTo($user, LoginLinkMail::class);
+        Notification::assertCount(1);
+    });
+
+    it('validates email exists', function (): void {
+        $response = post(route('login-link.store'), [
+            'email' => 'nonexistent@example.com',
+        ]);
+
+        $response->assertSessionHasErrors(['email']);
+        assertDatabaseCount('login_links', 0);
+        Notification::assertNothingSent();
+    });
+
+    it('requires valid email format', function (): void {
+        $response = post(route('login-link.store'), [
+            'email' => 'invalid-email',
+        ]);
+
+        $response->assertSessionHasErrors(['email']);
+        assertDatabaseCount('login_links', 0);
+        Notification::assertNothingSent();
+    });
+
+    it('rate limits requests', function (): void {
+        $user = User::factory()->create(['email' => 'test@example.com']);
+
+        // First request should succeed
+        post(route('login-link.store'), ['email' => $user->email])
+            ->assertSessionHas('success');
+
+        // Second request within 1 minute should fail
+        post(route('login-link.store'), ['email' => $user->email])
+            ->assertSessionHas('error');
+
+        assertDatabaseCount('login_links', 1);
+    });
+});
+
+describe('can login with the link', function (): void {
+    it('authenticates user with valid token', function (): void {
+        $user = User::factory()->create();
+
+        Str::createRandomStringsUsing(function () {
+            return 'fake-random-string';
+        });
+        post(route('login-link.store'), [
+            'email' => $user->email,
+        ]);
+
+        Str::createRandomStringsNormally();
+
+        $response = get(route('login-link.login', ['token' => 'fake-random-string']));
+
+        $response->assertRedirect(route('dashboard'));
+
+        assertAuthenticatedAs($user);
+    });
+
+    it('fails with expired token', function (): void {
+        $loginLink = LoginLink::factory()->create([
+            'expires_at' => now()->subMinute(),
+            'used_at' => null,
+        ]);
+
+        $response = get(route('login-link.login', ['token' => 'fake-random-string']));
+
+        $response->assertNotFound();
+
+        assertGuest();
+    });
+
+    it('fails with already used token', function (): void {
+        LoginLink::factory()->create([
+            'token' => 'fake-random-string',
+            'expires_at' => now()->addMinutes(15),
+            'used_at' => now()->subMinute(),
+        ]);
+
+        $response = get(route('login-link.login', ['token' => 'fake-random-string']));
+
+        $response->assertNotFound();
+
+        assertGuest();
+    });
+
+    it('fails with invalid token', function (): void {
+        $response = get(route('login-link.login', ['token' => 'invalid-token']));
+
+        $response->assertNotFound();
+
+        assertGuest();
+    });
+});
diff --git a/tests/Feature/Models/LoginLinkTest.php b/tests/Feature/Models/LoginLinkTest.php
new file mode 100644
index 0000000..706556d
--- /dev/null
+++ b/tests/Feature/Models/LoginLinkTest.php
@@ -0,0 +1,46 @@
+<?php
+
+declare(strict_types=1);
+
+use App\Models\User;
+use App\Models\LoginLink;
+use Carbon\CarbonImmutable;
+
+covers(LoginLink::class);
+
+beforeEach(function (): void {
+    $this->user = User::factory()->create();
+});
+
+describe('login link model tests', function (): void {
+    test('login link belongs to a user', function (): void {
+        $loginLink = LoginLink::factory()->create([
+            'user_id' => $this->user->id,
+        ]);
+
+        expect($loginLink->user)
+            ->toBeInstanceOf(User::class)
+            ->id->toBe($this->user->id);
+    });
+
+    test('login link casts dates correctly', function (): void {
+        $loginLink = LoginLink::factory()->create([
+            'expires_at' => now()->addMinutes(15),
+            'used_at' => now(),
+        ]);
+
+        expect($loginLink)
+            ->expires_at->toBeInstanceOf(CarbonImmutable::class)
+            ->used_at->toBeInstanceOf(CarbonImmutable::class);
+    });
+
+    test('login link cascades on user deletion', function (): void {
+        $user = User::factory()->create();
+        $loginLink = LoginLink::factory()->create([
+            'user_id' => $user->id,
+        ]);
+
+        $user->delete();
+        expect(LoginLink::query()->find($loginLink->id))->toBeNull();
+    });
+});