The Special Security token or Magic Token
Every approval e-mail that goes out contains a special security token, we call it magic token, that is a temporary, one-time password.
When a client clicks on the review content button in their email, the system authenticates the token (the token is already included in the link) and it logs the user into GAIN to review the content. So, the content is never actually public.
Once the user is logged in, the system immediately invalidates the magic token so no one else can use it again. Additionally, each token has an expiration, meaning it will automatically be invalidated if the client doesn't use it within a certain number of hours.
They can request another magic token to login at anytime but they cannot use a previous one.
What happens if someone receives unauthorized access to your client's e-mail account.
If you've ever requested to reset a password for any service on the internet you've seen that the system sends an e-mail to your inbox. This e-mail contains a link with a special token to reset the password, a scheme much like the magic token.
This means that pretty much every secure system used on the internet (including Google or Apple) requires that you keep your e-mail account secure, since anyone that gains access to your inbox can reset passwords for your services.
In this sense, the magic token authorization is just as secure as any password-based authorization system.