Client Account linking with Passwordless SMS and Email, error "Invalid token (link_with)."

Hi there,

I’m working through an embedded implementation of a Passwordless authentication with Flutter.

The overall goal is to authenticate first with SMS and later within the user flow, we want to have a secondary authentication with email.

Both are Passwordless on the same Auth0 Application client.

Here is the current solution:


  1. User authenticates via SMS passwordless hitting the https://[domain]/passwordless/start end point

  2. Once the code comes through, I verify the token with the following call to the endpoint

This call includes defining the following:

  • audience: https://[doman]/api/v2/
  • scope: openid profile update:current_user_identities

This returns a JWT access token


  1. User authenticates via Email passwordless hitting https://[domain]/passwordless/start end point with the email configuration requesting code

  2. Submit the email code with the following endpoint:

This also includes the additional attributes:

  • audience: https://[doman]/api/v2/
  • scope: 'openid profile update:current_user_identities

Also returns a JWT access token

Link accounts

The goal is to link both SMS account as the primary and Email to be secondary account.

Call the following endpoint:
https://[domain]/api/v2/users/[primary Account user id]/identities

Header Bearer [primary account access token]

The body contains:
link_with: [secondary account access token]

I get the following error as a response
{"statusCode":400,"error":"Bad Request","message":"Invalid token (link_with).","errorCode":"invalid_body"}

I’m probably missing something really obvious, just wanted to get further clarity?


Heya @chris.jerochim!

This looks ok from what you are saying, how are you making these calls? Have you tried issuing the call with just cURL commands, manually providing the relevant tokens?

If you are still having issues doing it manually, could you please share the cURL command including tokens that you are using in the last step to me in a direct message?
There may be something wrong with the secondary token based on that error message.

1 Like