400 error when verifying Passwordless OTP SMS code w/ New Universal Login (Identifier First)

I am implementing Auth0’s Passwordless with New Universal Login. It works fine with email (connection=“email”).
However, when I change the connection to “sms”, I receive a 400 from the POST …/u/login/passwordless-sms-challenge?state=… endpoint when attempting to verify my OTP SMS code. I cannot find any documentation available on this passwordless-sms-challenge endpoint to troubleshoot this error.

Verbose Description of the flow:
I navigate to my app, running on localhost.

Network Traffic:
GET …/authorize?
redirect_uri=http%3A%2F%2Flocalhost%3A4201%2Flogin&
client_id={myClientId}&
audience={myAudience}&
connection=sms&
scope=openid%20profile%20email&
response_type=code&
response_mode=query&
state=…&
nonce=…&
code_challenge={codeChallengeValue}&
code_challenge_method=S256&
auth0Client={auth0Client}
302

GET /u/login/identifier?state=
200

I provide a phone number & press continue.

POST …/u/login/identifier?state=…
302

GET …/u/login/passwordless-sms-challenge?state=…
200

My cell phone receives an SMS OTP (using Twilio for SMS). I enter the SMS OTP into Auth0 UI & press Continue.

POST /u/login/passwordless-sms-challenge?state=
400

Hi @daniel19,

Welcome to the Auth0 Community!

Are you seeing any info about the error in your dashboard logs? Sometimes you can find a more descriptive error. Also, does the error contain any more info? Like a message stating the problem?

Hi @dan.woda ,

Thank you!

Here an example from our Auth0 logs for the OTP Verification Code failing issue:

{
  "date": "2023-03-22T18:47:15.267Z",
  "type": "fu",
  "description": "Wrong phone number or verification code.",
  "connection": "sms",
  "connection_id": "...",
  "client_id": "...",
  "client_name": "...",
  "ip": "...",
  "user_agent": "Chrome 111.0.0 / Mac OS X 10.15.7",
  "details": {
    "error": {
      "message": "Wrong phone number or verification code."
    }
  },
  "user_id": "",
  "user_name": "...",
  "strategy": "sms",
  "strategy_type": "passwordless",
  "log_id": "...",
  "_id": "...",
  "isMobile": false,
  "id": "..."
}

The UI says “Code Invalid” on the screen.

A second issue we have with testing this flow:
My phone number gets “You’ve reached the maximum number of attempts”. I disabled all of Auth0’s Brute Force Protection features, but I don’t know how to unlock my phone to re-test.
Others have this issue as well:
Email OTP code submission through proxy, “You’ve reached the maximum number of attempts. Please try to login again” - Auth0 Community

Thanks,
Daniel

Could you please DM me a HAR file of the failed code request? Once we get this resolved we can investigate the second issue.

For the first issue, I had to manually append my country code in front of my phone # for the SMS to send (for example ‘1{myPhone#}’ would send an SMS OTP to my phone).

However, we discovered that it works if we append a ‘+’ in front of the country code.
So, ‘+1{myPhoneNumber}’ works (the OTP code successfully validates & we can login to our app).

We can’t roll this out-of-the-box behavior out to production, so we will need to check on Twilio’s side to see what capabilities exist to automatically append this ‘+{countryCode}’ during ingress.

As a point of feedback, this detail would be a useful addition to Auth0’s documentation. I have seen a few forum posts around of people asking for documentation on the /passwordless-sms-challenge endpoint as well.

For the second issue, I disabled all of the brute force protections in the Auth0 panel. The next time my phone identity gets locked out, I will try the management API to see if it works & will report back.
Auth0 Management API v2

Thanks for inquiring.

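The two practical points in Daniel's posts above, as an added example that is not code from the thread or from Auth0: normalizing a user-entered phone number to E.164 (the ‘+{countryCode}’ form that made the OTP validate) before it reaches the SMS connection, and building the Management API request that clears a lockout on that identifier. The normalization rules, the `toE164` and `buildUnblockRequest` names, and the option defaults (calling code 1, 10-digit national numbers) are assumptions made here; `DELETE /api/v2/user-blocks?identifier=…` is the Management API's user-blocks endpoint, and the request is only constructed, not sent.

```javascript
// Added example (not from the thread or Auth0). Normalize a phone number to
// E.164 before it is handed to the passwordless SMS connection, and build the
// Management API call that clears an OTP lockout for that number.

const E164_MAX_DIGITS = 15; // E.164 allows at most 15 digits after the '+'
const E164_MIN_DIGITS = 7;  // assumed lower bound; shorter input is a typo

// Normalize `raw` to "+<country code><subscriber number>".
// countryCode / nationalLength describe the country to assume when the user
// typed a national number without a prefix (1 and 10 digits for US/Canada).
// Returns null when the input cannot be made into a plausible E.164 number;
// rejecting is safer than guessing, since a mangled number means the OTP goes
// to the wrong handset and the verification step then fails as "Code Invalid".
function toE164(raw, { countryCode = '1', nationalLength = 10 } = {}) {
  if (typeof raw !== 'string') return null;
  const trimmed = raw.trim();
  if (trimmed === '') return null;

  // A leading '+' means the user supplied the country code themselves.
  const hasPlus = trimmed.startsWith('+');
  const body = hasPlus ? trimmed.slice(1) : trimmed;

  // Drop common separators only: spaces, dots, dashes, parentheses.
  const stripped = body.replace(/[\s().-]/g, '');
  // Anything else (letters, '#', a second '+') is rejected, not dropped.
  if (!/^\d+$/.test(stripped)) return null;

  let digits;
  if (hasPlus) {
    digits = stripped;
  } else if (stripped.length === nationalLength) {
    // National number without prefix: prepend the assumed calling code.
    digits = countryCode + stripped;
  } else if (
    stripped.length === countryCode.length + nationalLength &&
    stripped.startsWith(countryCode)
  ) {
    // The thread's "1{myPhone#}" form: calling code typed without the '+'.
    digits = stripped;
  } else {
    return null;
  }

  // E.164 numbers never start with 0 and are at most 15 digits long.
  if (digits.length > E164_MAX_DIGITS || digits.length < E164_MIN_DIGITS) return null;
  if (digits[0] === '0') return null;
  return '+' + digits;
}

// Build (but do not send) the Management API request that removes the
// brute-force block on an identifier. `identifier` is the E.164 phone number
// of the locked-out user; the token must be a Management API access token.
function buildUnblockRequest(domain, managementToken, identifier) {
  const url = new URL('/api/v2/user-blocks', `https://${domain}`);
  // URLSearchParams percent-encodes the '+' as %2B; a hand-built query string
  // with a raw '+' would be read as a space and match no user.
  url.searchParams.set('identifier', identifier);
  return {
    method: 'DELETE',
    url: url.toString(),
    headers: { Authorization: `Bearer ${managementToken}` },
  };
}

// Example usage with constructed input (no request is sent):
const normalized = toE164('(555) 123-4567');
console.log(normalized); // +15551234567
console.log(buildUnblockRequest('example.auth0.com', 'MGMT_TOKEN_PLACEHOLDER', normalized).url);
```

Only the normalization and the encoding of the identifier are exercised here; sending the unblock request requires a Management API token with the scope Auth0 lists for the user-blocks endpoint, and the response should be checked rather than assumed.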

Thanks for the feedback and follow up.
