Custom param in passwordless (OTP)

Hi Folks,

We have a requirement of passwordless login for users. We have a security requirement that every OTP should be linked to a ref code. The refcode and OTP will be sent to the user via email/SMS.
In order to successfully log in, the refcode and OTP both need to match.
I went through the API specs for the passwordless API and the documentation, but cannot find any way to generate a refcode on Auth0. Nor can I pass any custom fields to this API so that they can be used in the email message body. Is there any way I can achieve this? This is a major security requirement. Any help from the community is appreciated.

BR
PK

Hi @Prabhat0123,

I’m not familiar with a ‘refcode’, and I’m not seeing any useful information come up when I search Google for it.

Can you explain this concept a bit? What makes it different from the OTP?

Can you also provide a clear example of your required flow? It’s not clear where this fits in.

Each OTP we send to the customer has to be mapped to a reference code (refCode). The reference code identifies the use case for which the OTP is given. An OTP given to a user for a use case can only be used for that specific use case. For example, an OTP given for login cannot be used for payment, or an OTP given for payment can be used for other use cases. We maintain a mapping of use case, refCode and userid on the server side; on OTP submission we have to verify this. We have a wrapper over Auth0 which does these checks. This refcode needs to be sent to the user in the email along with the OTP. The email/SMS message will be like “Your one time password is {ref-code}-{OTP}”.

I cannot find any way to set up a custom field in the email and provide a value for it during the passwordLess/start flow.

Regards
Prabhat Kumar
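
The server-side mapping described in the post above, as an added sketch that is not part of the original thread and is not Auth0 code: it binds each refCode to one user and one use case, expires it, and consumes it on first success. The names `RefCodeStore`, `issue`, `verify` and `otp_check`, the 6-character refCode and the 5-minute lifetime are all assumptions; `otp_check` stands in for whatever call the wrapper makes to validate the OTP itself.

```python
import hmac
import secrets
import time

REF_TTL_SECONDS = 300  # assumed lifetime; not specified in the thread
ALPHABET = "ABCDEFGHJKLMNPQRSTUVWXYZ23456789"  # no look-alike characters


class RefCodeStore:
    """Hypothetical wrapper-side mapping of user id -> (refCode, use case)."""

    def __init__(self, clock=time.time):
        self._pending = {}  # user_id -> (ref_code, use_case, expires_at)
        self._clock = clock

    def issue(self, user_id, use_case):
        """Create a refCode for one use case; it replaces any pending one."""
        ref_code = "".join(secrets.choice(ALPHABET) for _ in range(6))
        self._pending[user_id] = (ref_code, use_case,
                                  self._clock() + REF_TTL_SECONDS)
        return ref_code

    def verify(self, user_id, use_case, submitted, otp_check):
        """Check the "{ref-code}-{OTP}" string the user typed.

        otp_check(user_id, otp) is a caller-supplied stand-in for the OTP
        validation; it is only reached once refCode and use case match.
        """
        entry = self._pending.get(user_id)
        ref_code, sep, otp = submitted.partition("-")
        if entry is None or not sep:
            return False
        expected_ref, expected_use, expires_at = entry
        if self._clock() > expires_at:
            del self._pending[user_id]  # expired entries are dropped
            return False
        # Constant-time comparison of the refCode part.
        ref_ok = hmac.compare_digest(ref_code.encode(), expected_ref.encode())
        if not (ref_ok and use_case == expected_use):
            return False
        if not otp_check(user_id, otp):
            return False
        del self._pending[user_id]  # single use: replaying the pair fails
        return True
```

Attempt limiting per user is not shown and would sit in front of `verify`.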

Hi @Prabhat0123,

Thanks for the added information. We don’t have a built-in feature for this type of flow. From what I understand of your use case, we would typically use a combination of roles/permissions to enforce this.