diff --git a/app/Console/Commands/MagicLinkCommand.php b/app/Console/Commands/MagicLinkCommand.php
new file mode 100644
index 0000000..b680ef9
--- /dev/null
+++ b/app/Console/Commands/MagicLinkCommand.php
@@ -0,0 +1,56 @@
+<?php
+
+namespace App\Console\Commands;
+
+use App\Models\User;
+use Illuminate\Console\Command;
+use Illuminate\Support\Facades\Cache;
+use Illuminate\Support\Str;
+
+class MagicLinkCommand extends Command
+{
+    /**
+     * The name and signature of the console command.
+     *
+     * @var string
+     */
+    protected $signature = 'trustlab:magic-link {email=owner@trustlab.com} {--ttl=15}';
+
+    /**
+     * The console command description.
+     *
+     * @var string
+     */
+    protected $description = 'Generate a temporary magic link for AI testing/debugging (bypasses Turnstile)';
+
+    /**
+     * Execute the console command.
+     */
+    public function handle()
+    {
+        $email = $this->argument('email');
+        $ttl = (int) $this->option('ttl');
+
+        $user = User::where('email', $email)->first();
+
+        if (!$user) {
+            $this->error("User with email {$email} not found.");
+            return 1;
+        }
+
+        $token = Str::random(64);
+        // Store in cache for 15 minutes (default)
+        Cache::put("magic_link_{$token}", $user->id, now()->addMinutes($ttl));
+
+        $baseUrl = config('app.url');
+        // The route will be defined in web.php
+        $magicUrl = "{$baseUrl}/auth/magic?token={$token}";
+
+        $this->info("Magic Link generated for {$user->first_name} ({$user->role})");
+        $this->info("URL: {$magicUrl}");
+        $this->info("Expires in: {$ttl} minutes");
+        $this->warn("CAUTION: This bypasses Turnstile and establishes a session. Use only for autonomous testing.");
+
+        return 0;
+    }
+}
diff --git a/app/Http/Controllers/MagicLinkController.php b/app/Http/Controllers/MagicLinkController.php
new file mode 100644
index 0000000..5a36c40
--- /dev/null
+++ b/app/Http/Controllers/MagicLinkController.php
@@ -0,0 +1,48 @@
+<?php
+
+namespace App\Http\Controllers;
+
+use App\Models\User;
+use Illuminate\Http\Request;
+use Illuminate\Support\Facades\Auth;
+use Illuminate\Support\Facades\Cache;
+
+class MagicLinkController extends Controller
+{
+    /**
+     * Handle Magic Link login
+     */
+    public function login(Request $request)
+    {
+        $token = $request->query('token');
+
+        if (!$token) {
+            return response()->json(['error' => 'Token missing'], 400);
+        }
+
+        $userId = Cache::get("magic_link_{$token}");
+
+        if (!$userId) {
+            return response()->json(['error' => 'Invalid or expired magic link'], 401);
+        }
+
+        $user = User::findOrFail($userId);
+
+        // Consume token to prevent replay attacks
+        Cache::forget("magic_link_{$token}");
+
+        // Log the user in to the web guard (sets trustlab_session cookie)
+        // Since SESSION_DOMAIN is .dyzulk.com, this cookie is shared with the frontend
+        Auth::guard('web')->login($user);
+
+        // Also create a Sanctum token for the frontend to use in headers
+        $authToken = $user->createToken('magic_auth_token')->plainTextToken;
+
+        // Redirect to Frontend Callback
+        // The frontend will handle the token and redirect to /dashboard
+        $frontendUrl = config('app.frontend_url') ?: 'https://trustlab.dyzulk.com';
+        $callbackUrl = "{$frontendUrl}/auth/callback?token={$authToken}";
+
+        return redirect($callbackUrl);
+    }
+}
diff --git a/routes/web.php b/routes/web.php
index da5496b..110a6bb 100644
--- a/routes/web.php
+++ b/routes/web.php
@@ -12,6 +12,9 @@ Route::post('/login', [AuthController::class, 'login']);
 Route::post('/logout', [AuthController::class, 'logout']);
 Route::post('/register', [AuthController::class, 'register']);
 
+use App\Http\Controllers\MagicLinkController;
+Route::get('/auth/magic', [MagicLinkController::class, 'login']);
+
 use App\Http\Controllers\Api\PasswordResetController;
 Route::post('/forgot-password', [PasswordResetController::class, 'sendResetLinkEmail']);
 Route::post('/reset-password', [PasswordResetController::class, 'resetPassword']);