I’ve been looking around Google for some answers as to how these systems actually work. I know very loosely that they involve the use of some sorts of unique tokens that the system is able to identify, but I’m interested in knowing a lot more about these things.
As a follow-up, the reason I need to know is because I am building a Ruby on Rails app using Devise for user authentication and may have need to be able to provide links that only work once for registration and automatically register a user as a certain type of user (i.e. inviting people into the system for a specific purpose). I am, nevertheless, interested in understanding and would love some reading material if anybody can point me to something comprehensive, relevant, and useful.
Not too many extra answers here, but I think I figured out how this process works. Generally, all you really need to do is generate a randomized token of length n. This token is stored in the database somewhere in association with the user. You then send the user a link to whatever URL or action processes confirmation/invitation or whatever it is, and the token you generated is passed in as a GET variable in the URL. Your application then receives this token from the user when they click the link, and you know only they have that specific token, which is sufficient to identify them as who they say they are.
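
The flow described in the post above, as an added Ruby sketch that is not part of the original post and is not Devise's own code. It goes a little beyond the post: only a SHA-256 digest of the token is stored, and each invitation expires and can be redeemed once. `InvitationStore`, `invite_url` and the `app.example` URL are hypothetical names, and the in-memory hash stands in for a database table.

```ruby
require "securerandom"
require "digest"

# Hypothetical in-memory stand-in for an invitations table.
class InvitationStore
  Invitation = Struct.new(:role, :expires_at, :used)

  # clock is injectable so expiry can be exercised without sleeping.
  def initialize(clock: -> { Time.now })
    @rows = {}      # token digest => Invitation
    @clock = clock
  end

  # Returns the raw token for the emailed link. Only its digest is kept,
  # so a leaked copy of the table does not yield usable links.
  def issue(role:, ttl: 86_400)
    token = SecureRandom.urlsafe_base64(32) # 256 bits from the OS CSPRNG
    @rows[digest(token)] = Invitation.new(role, @clock.call + ttl, false)
    token
  end

  # Returns the invited role on the first valid use, nil otherwise.
  # Unknown, expired and already-used tokens are indistinguishable to the caller.
  def redeem(token)
    row = @rows[digest(token.to_s)]
    return nil if row.nil? || row.used || @clock.call > row.expires_at

    # With a real database this must be one atomic "UPDATE ... WHERE used = false"
    # so two concurrent clicks cannot both succeed.
    row.used = true
    row.role
  end

  private

  def digest(token)
    Digest::SHA256.hexdigest(token)
  end
end

# Builds the link that carries the token as a GET parameter (constructed URL).
def invite_url(token)
  "https://app.example/invitations/accept?token=#{token}"
end
```

Because the token travels in the URL, it can end up in server logs, browser history and Referer headers, which is why the sketch makes it short-lived and single-use.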