I want all third-party applications to be unable to sign up using my passwordless authentication flow. I support both sms and email. I want only my first-party application for the main platform be able to provide sign ups, since I have some custom flow where I require users to be created with both email and sms. I want third parties to be able to only login using email or phone number.
Hi @admin70,
Welcome back to the Auth0 Community and sorry for the late reply.
You can accomplish this by using Auth0 Actions. For instance you can check if that would be a signup case be using the logins_count method and you can query where the user might be trying to signup from using event.client.client_id and event.connection.name type. You can take a look at the Actions Triggers: post-login - Event Object. Then use the api.access.deny(reason) method.
Hope this helps the case, but others as well.
Thanks,
Remus