Create users in passwordless connection from API using code instead of magic link

We’re trying to integrate Auth0 in our clients application. The application has a manual OTP login, so we’re trying to swap that for the Auth0 Passwordless login as that makes the transition simple for the enduser.

Now for new users we’ve been having problems creating the new user using the endpoint /api/v2/users, we create the user successfully but the user always receives an email with a magic link that doesn’t work. This happens because the user is created from our API in the backend (since we need to create the user in our own database as well).

What I’m looking for is a way to create the user, but instead of sending them a magic link, send them a OTP code. We tried creating the user using the /passwordless/start endpoint and it generates the code, but the user is not created in the Auth0 dashboard so we cannot update the user with the custom claims that we need to add to their token. Even worse when I try to validate the received code in the oauth/token endpoint, we get a 403 error saying our machine-to-machine client is not allowed OTP authentication.

Can someone help me? I’ve been scrolling through documentation for a few weeks now, and I just can’t seem to find a way to integrate this the way we need. Thank you in advance for any insight that you can provide.

Hi there @marx.guimaraes ,

Thank you for sharing - maybe there is some misconception creeping in :slight_smile:

I will share the steps to successfully create a user who belongs to a passwordless connection and authenticate them against this connection using a one-time password code.

  1. Set a Passwordless email connection in your Auth0 tenant.
    Authentication -> Passwordless->email
  2. Enable the Passwordless connection to the relevant application in your Auth0 tenant (disclaimer: Machine-to-Machie applications don’t work with passwordless; the only grant available for M2M is client credentials exchange where the authorization happens outside of a user context).
    Applications -> your application (web app/ SPA/ native as you can log in to these app types in a user context) -> Connections -> Passwordless email
  3. Create a user via the Management API call. This is optional, though, unless you disable the sign-up on step 1.

And finally:

4a. Initiate the passwordless login for a user with this Authentication API call. In this doc, there are a few disclaimers for the endpoint; among them, how to verify the OPT provided by the user.
or
4b. An end user can simply go with the Universal Login Page (Auth0 hosted Login screens) flow once the passwordless connection is enabled for the client application. To initiate the login flow for the client application in a user context, look at these /authorize endpoints.

After reading through it, can your use case be implemented with Auth0’s passwordless connection? Do you have any thoughts or questions?

Hi @marcelina.barycka thanks for your reply. I understand this, unfortunately for us it is necessary to create the user before the login because like I said we also create the user in our own database and we need to add claims to the user’s token for them to be able to use our endpoints later on.

I’ve done all of the steps you mentioned, but when I create the user through the Management API call, the user gets this annoying little email with a magic link that I can’t seem to able to turn off. And the problem is that the link doesn’t work either so everytime someone signsup to our app, they receive this weird email that doesn’t work, and they still need to request a code to be able to login. That makes no sense, how do I disable this email?

Hmmm… :thinking: I wanted to reproduce, so I created a user (successfully) via the Management API and did not get any ‘welcome’ email, most likely because it got filtered out in my inbox (since I use Auth0’s email provider).

But, looking into our doc, you should be free from the welcome email if you set the 'email_verified: true" on the call:

Does this work for you?

1 Like

Hey @marcelina.barycka that worked. Oh my goodness thank you so much! A quick question, does that also work for phone numbers if I send phone_verified: true in the request?

Ahh, good to hear @marx.guimaraes!

If you specify phone_verified: true and connection: sms in the create request, the user shouldn’t receive a welcome SMS.

Ref.

1 Like