Auth0-js webAuth.passwordlessStart is not compatible with auth0-spa-js

We’re using auth0-react at our application and found out a great way to customise passwordless user experience by creating our very custom login form where user can input their email (I’m reporting this issue at this repository because auth0-react is powered by auth0-spa-js) and receive login link without being redirected to auth0 to log in. For that we can use auth0-js and WebAuth class with passwordlessStart. It worked perfectly in the beginning, the code indeed sent login link to the email. The problem is that when I get redirected to the app after a successful login (by clicking the link at the email), I get isAuthenticated to be false but also I notice a hash URL with auth_token parameter #auth_token=1234. I never seen it before and my guess is that auth0-js and auth0-spa-js authentication flows are incompatible (auth0-spa-js handles ?code= query parameter instead of the hash parameter). At the same time when we use the regular passwordless authentication, it works perfectly.

What was the expected behavior?

Either of this:

  1. auth0-spa-js (including auth0-react) would accept URL credentials generated with passwordlessStart (the #auth_token= thing).
  2. auth0-spa-js should have similar function but I couldn’t find it.
  3. Find some workaround to make both libraries compatible: use auth0-js for log in, use auth0-spa-js (or auth0-react) to authorise. I tried to replace #auth_token=1234 by ?code=1234 and it didn’t help.


  1. Use auth0-js and WebAuth class with passwordlessStart to authenticate (standard documentation).
  2. Log in by clicking a link.
  3. Use auth0-spa-js (or auth0-react) to authorise. You’ll get isAuthenticated equal to false and #auth_token=1234 at URL