Cannot get magic link test email

Hey I am trying to add magic links to my app. But i’m having trouble getting a test magic link sent to my email.

In the ‘settings’ tab I’ve turned on “enable signups” and in the “applications” tab, i’ve selected my only single page app. Then I set a recipient and clicked send. it shows a small toast in the top right saying “Email sent successfully! Check your inbox.”. But i never receive it? I’ve tried toggling between code vs link.

I’ve also checked my spam filters, bin etc. Nothing. Is there something wrong on auth0’s side ?

edit: not sure if this is relevant. but im using the ‘classic login’, not universal login

Hi @truescope,

Welcome back to the Auth0 Community!

The reason why you have not received the email is because Passwordless Connections do not work when using the Classic Login, so Universal Login should be used.

I would recommend checking out our documentation on Passwordless Authentication with Email.

Another crucial step would also be configuring an External SMTP Email Providers since Auth0’s built-in email provider is designed solely for testing purposes and does not support customization of email templates.

Kind regards,

Remus

Hey @remus.ivan thanks for the response. I’ve swapped across to universal login and disabled all custom login pages (as we had some custom html, which is why we were using classic).

I still cannot get an email (even though its saying it sent).

I’ve swapped across to using the management api, sending a POST:

import axios from 'axios';
try {
	const { data } = await axios.post(
		'https://REDACTED/passwordless/start',
		{
			client_id: 'REDACTED',
			client_secret: 'REDACTED',
			email: 'REDACTED', (an existing email account)
			connection: 'email',
			send: 'link'
		},
		{
			headers: {
				Accept: 'application/json',
				'Content-Type': 'application/json'
			}
		}
	);
	console.log('response', data);
} catch (e) {
	console.error('error', e);
}

and this returns

response: {
    "_id": "REDACTED",
    "email": "REDACTED",
    "email_verified": false
}

this response looks like it worked… but i never receive an email ??? (definitely still not in spam/junk or bin).

is there some way you can check my tenant to ensure its configured properly? I cannot see where this is going wrong.

edit: if i use an email address that DOESNT exist in my app, see this error response:

{
  error: 'bad.connection',
  error_description: 'Public signup is disabled'
}

which implies it is doing something… but the email is just never arriving

edit 1:

i’ve also tried removing my custom email provider, leaving it to auth0 to send the email. still not working :confused:

edit 2:

been trying to get this working for hours. I’ve even tried a simple http request, which again, looks like it works, but no email arrives?

is anyone able to assist with this ?

I’ve found even weirder isssues.

I have user accounts in my tenant

  • bob@[my email].com
  • bob+01@[my email].com
  • bob+02@[my email].com

I can log into my app with any of these 3 accounts. they are 100% identical.

When i send a passwordless/start request to bob and bob+01, i get a http response implying it worked fine (but still no email):

{
  "_id": "[redacted]",
  "email": "bob+01@[my email].com",
  "email_verified": false
}

but when i send an email to bob+02, i get this response, implying the account DOESNT EXIST!? but it absolutely does and works completely fine in my app:


{
  "error": "bad.connection",
  "error_description": "Public signup is disabled"
}

why does it work fine for 2, but not 3? all 3 are existing accounts

Hi @truescope and sorry for the late reply!

There are a few points that have to be concluded in order for your email-passwordless connection to function properly.

Firstly, the "error": "bad.connection","error_description": "Public signup is disabled" happens when using the /passwordless/start authentication API endpoint, along with the Disable Sign Ups option enabled for your passwordless connection. The response when attempting to signup a new user will look like a successful attempt and prompt for the OTP code, but the code will never be sent. This happens because the user was not yet created within the email database connection.

Also our documentation on Passwordless Connections Best Practices mentions that:

When Disable Sign Ups is enabled, your application may become vulnerable to user enumeration attacks. Auth0 recommends that you do not enable this setting to ensure the maximum security of your application and its users.

After checking your the tenant logs, I believe the reason why the emails are never received by users who are already registered within the email passwordless connection is because the From: email address was never verified when creating the connection in the first place. As a reference for Auth0’s built in email provider you can check out this Knowledge Base Article, otherwise please make sure that the email address used in the From: field is a verified email address in your Custom Email Provider Identity.

As a summary, users coming from separate database connections are treated as distinct users( including username-password and passwordless ), so I would recommend making sure that users are created via the specific connection ( e.g. passwordless-email ), but also to generally leave the Disable Signups option off for security concerns.

Please let me know how this goes and if you have further questions!

Thank you,

Remus

thanks Remus, you were correct. the ‘from’ email address was coming from the wrong domain

noreply@dev.sample.com

vs

noreply@sample.com

I was confused because the errors weren’t really clear/wasnt sure what was going on (but the REST responses indicated everything was fine).

it appears to be sending emails through now. and i can follow them through. although, the login page seems to quickly show an error in the url parameters:

“you’ve reached the maximum number of attempts. Please try to login again”

and then quickly redirects to the regular login form, requiring email/password.

Wondering if i should avoid hitting the passwordless/start api url too frequently?

Hi @truescope,

I’m glad that it works now and also understand the difficulty in managing the errors, since as you have mentioned as well the description is not straight forward and could be misleading.

The passwordless/start endpoint is subject to authentication api rate limits, especially coming from the same Ip address, currently being 50 requests per IP address/hour, so it should definitely not be called too often.

To increase chances of higher rate limits, the/passwordless/start endpoint should be called with the Client Secret, from a regular web application, and the authentication method in the Credentials tab should be set to any option other than None, since setting None indicates that the app is public.

I hope this helps!

Best regards,

Remus