Joe Honton
1 min read, Aug 26, 2021


I'm all in when it comes to passwordless login. My list of essential passwords for all the things I need to do is way too large to remember anymore.

But be careful with using GET and query params. Remember, even with HTTPS the URL containing the email address and token is visible all along the route and will certainly be captured and logged. Man-in-the-middle is a serious concern here.

Also, when storing the email/token combination in the cache, remember to encrypt them. Further checks should be carried out every time they are used. For example, is the token expired? I'd recommend keeping the token alive only while there is activity. Also, do the IP address and MAC address of the device's network interface match what was given during the signup/signin?

One way to think about these concerns is to reread your documentation and wherever the word "token" appears, replace it with the reading of "temporary password". When you do that, does it make you feel queasy about things? Does it suggest ways that bad actors could make malicious use of things?

Creating an authentication service is hard work. That's why I'm always on the lookout for ways to do it more easily. Sadly, simple usually doesn't equate to bulletproof.
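The checks this response lists (token expiry, keep-alive on activity, a binding check against the client address at issue time, and not keeping the raw token in the cache) as an added example in Python. This is editor-added code, not the commenter's or any project's; the 15-minute idle window and 60-minute hard cap are assumed values, only the IP is bound (a MAC address is not visible to a web service beyond the local segment), and the cache holds a SHA-256 digest of the token instead of an encrypted copy.

```python
import hashlib
import hmac
import secrets
import time

IDLE_TTL = 15 * 60       # assumed: link dies after 15 min without activity
MAX_LIFETIME = 60 * 60   # assumed: hard cap even if activity continues


def _digest(token: str) -> str:
    # Only the digest is cached, so a cache dump yields no usable tokens.
    return hashlib.sha256(token.encode()).hexdigest()


class TokenStore:
    """In-memory stand-in for the email/token cache described in the comment."""

    def __init__(self, now=time.time):
        self._now = now          # injectable clock so expiry can be tested
        self._entries = {}       # email -> record

    def issue(self, email: str, client_ip: str) -> str:
        token = secrets.token_urlsafe(32)
        t = self._now()
        self._entries[email] = {
            "digest": _digest(token),
            "ip": client_ip,      # binding captured at signup/signin
            "issued": t,
            "last_seen": t,
        }
        return token              # sent to the user once; never stored raw

    def verify(self, email: str, token: str, client_ip: str) -> bool:
        rec = self._entries.get(email)
        if rec is None:
            return False
        t = self._now()
        # "Is the token expired?": idle too long, or past the hard cap.
        if t - rec["last_seen"] > IDLE_TTL or t - rec["issued"] > MAX_LIFETIME:
            del self._entries[email]
            return False
        # Binding check: the address must match the one given at issue time.
        if rec["ip"] != client_ip:
            return False
        # Constant-time compare of digests, so timing leaks nothing.
        if not hmac.compare_digest(rec["digest"], _digest(token)):
            return False
        rec["last_seen"] = t      # activity keeps the token alive
        return True
```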

Princeps geographus, Read Write Tools