diff --git a/.env.development b/.env.development index 928e6ff..c5f9a92 100644 --- a/.env.development +++ b/.env.development @@ -1,32 +1 @@ - -SERVER_APPLICATION=nixcn-cms -SERVER_ADDRESS=:8000 -SERVER_EXTERNAL_URL=http://test.sne.moe:8080 -SERVER_DEBUG_MODE=true -SERVER_FILE_LOGGER=false - -DATABASE_TYPE=postgres -DATABASE_HOST=localhost:5432 -DATABASE_NAME=postgres -DATABASE_USERNAME=postgres -DATABASE_PASSWORD=postgres - -CACHE_HOSTS=localhost:6379 -CACHE_MASTER= -CACHE_USERNAME= -CACHE_PASSWORD= -CACHE_DB=0 - -SEARCH_HOST=localhost -SEARCH_API_KEY= - -EMAIL_RESEND_API_KEY=re_BMJaPVVB_kgdf1Go7n3dWVywp6hp4WmSA -EMAIL_FROM=NixCN CMS Email Verify - -SECRETS_JWT_SECRET=6Wd5xkDkF4XX5q2Ckq6TY6WX -SECRETS_TURNSTILE_SECRET=0x4AAAAAACI5pgVONOZ0rzyAYsdUcoOBF8w - -TTL_MAGIC_LINK_TTL=10m -TTL_ACCESS_TTL=15s -TTL_REFRESH_TTL=168h -TTL_CHECKIN_COSE_TTL=10m +TZ=Asia/Shanghai diff --git a/config.default.yaml b/config.default.yaml index aa8edd1..a721c83 100644 --- a/config.default.yaml +++ b/config.default.yaml @@ -28,5 +28,5 @@ secrets: ttl: magic_link_ttl: 10m jwt_ttl: 15s - refresh_ttl: 7d - checkin_code_ttl: 5m + refresh_ttl: 168h + checkin_code_ttl: 10m diff --git a/config/types.go b/config/types.go index 3e68154..efc768a 100644 --- a/config/types.go +++ b/config/types.go @@ -13,9 +13,9 @@ type config struct { type server struct { Application string `yaml:"application"` Address string `yaml:"address"` + ExternalUrl string `yaml:"external_url"` DebugMode string `yaml:"debug_mode"` FileLogger string `yaml:"file_logger"` - JwtSecret string `yaml:"jwt_secret"` } type database struct { diff --git a/devenv.nix b/devenv.nix index ccf5215..7932142 100644 --- a/devenv.nix +++ b/devenv.nix @@ -8,6 +8,7 @@ packages = [ pkgs.git pkgs.just + pkgs.watchexec ]; dotenv = { @@ -32,11 +33,7 @@ exec = "bun run dev"; cwd = "./client"; }; - backend.exec = "just backend"; - }; - - tasks = { - "backend:build".exec = "just clean && just build"; + backend.exec = "just dev-back"; }; services = { 
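Review bot: Removing the values from `.env.development` does not revoke them: the deleted `EMAIL_RESEND_API_KEY`, `SECRETS_JWT_SECRET` and `SECRETS_TURNSTILE_SECRET` lines stay readable in the repository history. If any of them were live credentials, they need to be rotated at the issuing service and the JWT signing secret replaced, not only dropped from the file. The file now holds just `TZ=Asia/Shanghai`; a leading comment such as `# No secrets here: real keys belong in an untracked local config` would help keep them from being re-added. Where the replacement secrets are loaded from is not visible in this hunk.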
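Review bot: The added field `ExternalUrl` in `config/types.go` does not follow Go's initialism convention; it would read `ExternalURL` with the `yaml:"external_url"` tag left as it is. The same applies to `ClientId` and `RedirectUri` in the new `MagicRequest` struct in `service/auth/magic.go` (`ClientID`, `RedirectURI`). The tags carry the wire names, so renaming the fields changes nothing for config files or clients.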
diff --git a/justfile b/justfile index 0be89d1..99ca3fc 100644 --- a/justfile +++ b/justfile @@ -34,5 +34,8 @@ run-back: test-back: cd {{ output_dir }} && CONFIG_PATH={{ output_dir }} GO_ENV=test go test -C .. ./... +dev-back: clean + watchexec -r -e go,yaml,tpl -i '.devenv/**' -i '.direnv/**' -i 'client/**' -i 'vendor/**' 'go build -o {{ join(output_dir, "nixcn-cms") }} . && cd {{ output_dir }} && CONFIG_PATH={{ output_dir }} {{ exec_path }}' + dev: devenv up --verbose diff --git a/pkgs/magiclink/magiclink.go b/pkgs/authcode/authcode.go similarity index 85% rename from pkgs/magiclink/magiclink.go rename to pkgs/authcode/authcode.go index dc394c8..f41543b 100644 --- a/pkgs/magiclink/magiclink.go +++ b/pkgs/authcode/authcode.go @@ -1,4 +1,4 @@ -package magiclink +package authcode import ( "crypto/rand" @@ -19,7 +19,7 @@ var ( ) // Generate magic token -func NewMagicToken(email string) (string, error) { +func NewAuthCode(email string) (string, error) { b := make([]byte, 32) if _, err := rand.Read(b); err != nil { return "", err @@ -36,7 +36,7 @@ func NewMagicToken(email string) (string, error) { } // Verify magic token -func VerifyMagicToken(token string) (string, bool) { +func VerifyAuthCode(token string) (string, bool) { val, ok := store.Load(token) if !ok { return "", false diff --git a/service/auth/handler.go b/service/auth/handler.go index 1d875be..b28293c 100644 --- a/service/auth/handler.go +++ b/service/auth/handler.go @@ -3,6 +3,8 @@ package auth import "github.com/gin-gonic/gin" func Handler(r *gin.RouterGroup) { - r.POST("/magic", RequestMagicLink) + r.GET("/redirect", Redirect) + r.POST("/magic", Magic) r.POST("/refresh", Refresh) + r.POST("/token", Token) } diff --git a/service/auth/magic.go b/service/auth/magic.go index ffbcbf8..e11bb33 100644 --- a/service/auth/magic.go +++ b/service/auth/magic.go 
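Review bot: In `service/auth/handler.go`, `r.GET("/redirect", Redirect)` and `r.POST("/token", Token)` are registered while both handlers have empty bodies in this commit (`service/auth/redirect.go`, `service/auth/token.go`). As far as I can tell gin would then answer these routes with an empty success response, and `/redirect` is the URL the new magic-link e-mail points to. Until the handlers are implemented, each stub should fail explicitly, e.g. `c.AbortWithStatus(http.StatusNotImplemented)` (needs `net/http`), with a comment stating what the endpoint is meant to verify before it issues anything.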
@@ -3,8 +3,8 @@ package auth import ( "nixcn-cms/data" "nixcn-cms/internal/cryptography" + "nixcn-cms/pkgs/authcode" "nixcn-cms/pkgs/email" - "nixcn-cms/pkgs/magiclink" "nixcn-cms/pkgs/turnstile" "github.com/google/uuid" @@ -15,14 +15,17 @@ import ( "github.com/spf13/viper" ) -type MagicLinkRequest struct { - Email string `json:"email" binding:"required,email"` - TurnstileToken string `json:"turnstile_token" binding:"required"` +type MagicRequest struct { + ClientId string `json:"client_id"` + RedirectUri string `json:"redirect_uri"` + State string `json:"state"` + Email string `json:"email"` + TurnstileToken string `json:"turnstile_token"` } -func RequestMagicLink(c *gin.Context) { +func Magic(c *gin.Context) { // Parse request - var req MagicLinkRequest + var req MagicRequest if err := c.ShouldBindJSON(&req); err != nil { c.JSON(400, gin.H{"error": "invalid request"}) return @@ -35,18 +38,20 @@ func RequestMagicLink(c *gin.Context) { return } - // Generate magic token - token, err := magiclink.NewMagicToken(req.Email) + code, err := authcode.NewAuthCode(req.Email) if err != nil { - c.JSON(500, gin.H{"error": "internal error"}) - return + c.JSON(500, gin.H{"status": "code gen failed"}) } - link := viper.GetString("server.external_url") + "/login?ticket=" + token + uri := viper.GetString("server.external_url") + + "/api/v1/auth/redirect?" + + "code=" + code + + "&redirect_uri" + req.RedirectUri + + "&state" + req.State debugMode := viper.GetString("server.debug_mode") if debugMode == "true" { - log.Info("Magic link for " + req.Email + " : " + link) + log.Info("Magic link for " + req.Email + " : " + uri) } else { // Send email using resend resend, err := email.NewResendClient() @@ -58,7 +63,7 @@ func RequestMagicLink(c *gin.Context) { resend.Send( req.Email, "NixCN CMS Email Verify", - "
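Review bot: The new `MagicRequest` drops the `binding:"required,email"` tag on `Email` and the `binding:"required"` tag on `TurnstileToken` that `MagicLinkRequest` carried, so `ShouldBindJSON` no longer rejects a body with a missing or malformed address or no Turnstile token. Whatever the Turnstile check between the hunks does with an empty token, the e-mail format is no longer validated before it reaches `authcode.NewAuthCode` and `resend.Send`. Restore both tags, and consider `binding:"required"` on `client_id` and `redirect_uri` as well, since the link built further down depends on them. `Magic` continues outside this hunk.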
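Review bot: The error branch after `authcode.NewAuthCode` no longer returns, so on failure the handler writes the 500 and then goes on to build and send a link with an empty code. The query string is also malformed, because `"&redirect_uri" + req.RedirectUri` and `"&state" + req.State` lack the `=`. Both values are client-supplied and are concatenated unescaped into a URL that is mailed to whatever address the request named (the HTML body in the next hunk). Build the query with `url.Values` (needs `net/url`) and check `req.RedirectUri` against the URIs registered for `req.ClientId` before issuing the code; no such check is visible in these hunks. `Magic` starts and ends outside this hunk.

```go
code, err := authcode.NewAuthCode(req.Email)
if err != nil {
	c.JSON(500, gin.H{"status": "code gen failed"})
	return
}

// Reject the request here unless req.RedirectUri is allowed for req.ClientId.

q := url.Values{}
q.Set("code", code)
q.Set("redirect_uri", req.RedirectUri)
q.Set("state", req.State)
uri := viper.GetString("server.external_url") + "/api/v1/auth/redirect?" + q.Encode()
// … unchanged: debug-mode logging and resend client setup …
```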

Click the link below to verify your email. This link will expire in 10 minutes.

"+link+"", + "

Click the link below to verify your email. This link will expire in 10 minutes.

"+uri+"", ) } @@ -74,7 +79,7 @@ func VerifyMagicLink(c *gin.Context) { } // Verify email token - email, ok := magiclink.VerifyMagicToken(magicToken) + email, ok := authcode.VerifyAuthCode(magicToken) if !ok { c.JSON(401, gin.H{"error": "invalid or expired token"}) return diff --git a/service/auth/redirect.go b/service/auth/redirect.go index 8832b06..5f7a1fc 100644 --- a/service/auth/redirect.go +++ b/service/auth/redirect.go @@ -1 +1,7 @@ package auth + +import "github.com/gin-gonic/gin" + +func Redirect(c *gin.Context) { + +} diff --git a/service/auth/token.go b/service/auth/token.go index 8832b06..fb0fd54 100644 --- a/service/auth/token.go +++ b/service/auth/token.go @@ -1 +1,7 @@ package auth + +import "github.com/gin-gonic/gin" + +func Token(c *gin.Context) { + +}