| When using a magic link to sign in to the School Portal, you will be sent a one-time use link — so always make sure you are getting a new link before entering the Portal. |
Magic login links are one-time use and time-sensitive. If your link appears expired immediately after clicking it, it is most commonly due to email security systems scanning and pre-clicking the link before you do.
This is especially common with enterprise email providers such as Microsoft Outlook / Office 365, Proofpoint, Mimecast, and similar security tools.
What causes this issue?
Many organizations use email security filters that automatically:
- Scan incoming emails
- Follow (click) links to verify safety
Because Climb magic links are single-use, this automated “pre-click” consumes the link before the intended user can use it — resulting in a “link expired” error.
How to confirm this is the issue
You may be experiencing link scanning if:
- The link is expired immediately upon first click
- Hovering over the link shows a rewritten URL (e.g., contains domains like
urldefense.com,proofpoint.com, etc.) - You are using a corporate or school-managed email system
Recommended solution (for IT teams)
To prevent this issue, your IT team should allowlist (whitelist) Climb domains and disable link rewriting/scanning for them.
Domains to allowlist
climbcredit.comclimbcred.it
What to configure
Your email security system should be configured to:
- Bypass URL rewriting and time-of-click scanning for these domains
- Exclude these domains from Safe Links / link protection policies
- Allow direct delivery without prefetching links
Platform-specific guidance (examples)
Microsoft Defender for Office 365 (Safe Links):
- Go to Policies & Rules → Threat Policies → Safe Links
- Edit your policy
- Add Climb domains to the “Do not rewrite URLs” list
Proofpoint / Mimecast:
- Add Climb domains to:
- URL Protection Bypass list
- Trusted / Permit list
If you’re unsure how to configure this, share this article with your IT/security team.
Temporary workarounds (for users)
If allowlisting has not yet been implemented, try the following:
- Request a new magic link and use it immediately
- Copy the link (not “Copy Link Address”) and paste it into a browser
- Open the link in an incognito/private window
- Use a non-corporate browser profile (if available)
- Ensure you are using Google Chrome (recommended)
⚠️ Note: These workarounds may not always succeed if link scanning is enforced at the email server level.
Note: When copying the link, make sure you are using the “Copy” option and NOT the “Copy Link Address.” If "Copy" is not an option in your menu, simply highlight the link (without clicking it) and use the keyboard shortcut Command+C. Once you have copied the link into the address bar, you should also double check to make sure only the Climb link is present before navigating to the page. |
Still having trouble?
If the issue persists after implementing allowlisting:
- Confirm with your IT team that link scanning is fully bypassed
- Try accessing the link from a different network or device
- Contact your Climb Partner Success Manager for further assistance
Summary
This issue is not caused by the user or the platform — it is the result of security systems interacting with one-time authentication links. Proper allowlisting ensures reliable access while maintaining your organization’s security posture.