Authentication is email-only. The URL contains only a challenge id; the verifier stays in an HTTP-only cookie.