Magic-Link External Approvals
Sending approval requests to external parties (engineers, principals, clients) without requiring a platform account.
Magic-Link External Approvals allow you to request sign-off on project documents (variations, drawings, payment schedules, SSSP sign-offs) from external parties — engineers, principals, clients, or council representatives — without requiring them to create an Innora Property account.
How It Works
- 1Create an approval request from any document that supports it (variation orders, drawings, SSSP).
- 2Enter the external party's name and email address.
- 3Click Send Approval Link. The system generates a 256-bit cryptographically random token, stores a SHA-256 hash of it, and sends the external party an email containing a one-time approval URL.
- 4The external party clicks the link in their email — no account creation or login required.
- 5They are presented with the document details and an Approve or Reject button.
- 6Their decision (with optional comments) is recorded in the approval log with a server timestamp.
Token Security
Approval tokens are 256-bit cryptographically random values valid for 24 hours. Only the SHA-256 hash is stored in the database — the original token is never stored. Each token is single-use: once clicked, it cannot be used again. Expired or used tokens return a clear error page.
Common Use Cases
| Document Type | Typical External Approver |
|---|---|
| Variation order | Principal contractor or client |
| Drawing for construction issue | Structural or architectural engineer |
| SSSP sign-off | Principal's H&S representative |
| Payment schedule | Client or principal contractor |
| Producer statement | Licensed Building Practitioner (LBP) |
Tracking Approval Status
Each approval request appears in the Approvals tab of the relevant document with one of four statuses:
| Status | Meaning |
|---|---|
| Pending | Token sent, awaiting external party response |
| Approved | External party clicked Approve — timestamp and name recorded |
| Rejected | External party clicked Reject — rejection reason recorded |
| Expired | Token passed 24-hour validity window without a response |
Re-sending Approvals
If a token expires before the external party responds, click Resend to generate a fresh 24-hour token. This is a new token — the previous link in their email will no longer work.
Found an error? Open an issue on GitHub