diff --git a/app/controllers/api/internal/application_controller.rb b/app/controllers/api/internal/application_controller.rb
new file mode 100644
index 0000000..043cc8b
--- /dev/null
+++ b/app/controllers/api/internal/application_controller.rb
@@ -0,0 +1,20 @@
+module Api
+ module Internal
+ class ApplicationController < ActionController::API
+ include ActionController::HttpAuthentication::Token::ControllerMethods
+
+ before_action :authenticate!
+
+ private
+
+ def authenticate!
+ res = authenticate_with_http_token do |token, _|
+ ENV["INTERNAL_API_KEYS"]&.split(",")&.include?(token)
+ end
+ unless res
+ redirect_to "https://www.youtube.com/watch?v=dQw4w9WgXcQ", allow_other_host: true
+ end
+ end
+ end
+ end
+end
diff --git a/app/controllers/api/internal/magic_links_controller.rb b/app/controllers/api/internal/magic_links_controller.rb
new file mode 100644
index 0000000..d431023
--- /dev/null
+++ b/app/controllers/api/internal/magic_links_controller.rb
@@ -0,0 +1,45 @@
+module Api
+ module Internal
+ class MagicLinksController < ApplicationController
+ def create
+ slack_uid = params[:id]
+ email = params[:email]
+
+ unless slack_uid.present?
+ return render json: {
+ error: "gotta provide an ID, buddy..."
+ }, status: 400
+ end
+
+ unless email.present?
+ return render json: {
+ error: "weird things happen without an email...,,"
+ }, status: 400
+ end
+
+ existing_user = true
+
+ user = User.find_or_create_by!(slack_uid:) do |u|
+ existing_user = false
+ u.email_addresses.build(email:)
+ end
+
+ sign_in_token = user.sign_in_tokens.create!(
+ magic_link_params.merge(
+ auth_type: :program_magic_link,
+ expires_at: Time.now + 5.minutes
+ )
+ )
+
+ render json: {
+ magic_link: auth_token_url(sign_in_token.token),
+ existing_user:
+ }
+ end
+
+ def magic_link_params
+ params.permit(:continue_param)
+ end
+ end
+ end
+end
diff --git a/app/models/sign_in_token.rb b/app/models/sign_in_token.rb
index 9fd746c..a3b42ba 100644
--- a/app/models/sign_in_token.rb
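Review bot: On a failed check `authenticate!` answers with a 302 to an external host instead of a 401, and the key check is `include?(token)`, an ordinary string comparison rather than a constant-time one. API clients that follow redirects will see a success response from the other host, and rejected requests are harder to tell apart in logs and alerting; the comparison should go through `ActiveSupport::SecurityUtils.secure_compare` against each configured key. Blank entries in `INTERNAL_API_KEYS` (for example from a trailing comma) should also be dropped before comparing so that an empty string is never treated as a configured key. A possible shape for the method is below.

```ruby
def authenticate!
  keys = ENV.fetch("INTERNAL_API_KEYS", "").split(",").map(&:strip).reject(&:empty?)
  ok = authenticate_with_http_token do |token, _|
    # compare against every key so the check does not stop at the first match
    keys.map { |key| ActiveSupport::SecurityUtils.secure_compare(key, token) }.any?
  end
  head :unauthorized unless ok
end
```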
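Review bot: `create` mints a sign-in link for whichever account matches `params[:id]`, so any holder of an internal API key can obtain a session for an existing user, and nothing in the action records that it happened. Consider logging the issuance before the final `render`, e.g. `Rails.logger.info("internal magic link issued slack_uid=#{slack_uid} existing_user=#{existing_user}")`, without logging the token itself. `magic_link_params` sits below `create` with no `private` above it, so it is a public controller method; add `private` before it. `continue_param` is stored on the token unvalidated; if the sign-in flow later redirects to it (not visible in this diff), it should be restricted to same-site paths there.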
+++ b/app/models/sign_in_token.rb @@ -3,7 +3,8 @@ class SignInToken < ApplicationRecord enum :auth_type, { email: 0, - slack: 1 + slack: 1, + program_magic_link: 2 } validates :token, presence: true, uniqueness: true diff --git a/config/routes.rb b/config/routes.rb index ae89bfe..cd968d1 100644 --- a/config/routes.rb +++ b/config/routes.rb @@ -141,6 +141,10 @@ Rails.application.routes.draw do get "/users/current/stats/last_7_days", to: "hackatime#stats_last_7_days" end end + + namespace :internal do + post "/can_i_have_a_magic_link_for/:id", to: "magic_links#create" + end end resources :scrapyard_leaderboards, only: [ :index, :show ]