Help with Passwordless e-mail authentication (All and only of client_id, credential_type, username, otp, realm...)


I am following this blog on setting up my react app with a passwordless auth0 flow: Setup Passwordless Authentication with Auth0.

I am trying to get it working on http://localhost:3000 (base url) and have gotten as far as getting an OTP token and trying to authenticate the user (myself) with said token.

I keep running into the error: “Invalid request body. All and only of client_id, credential_type, username, otp, realm are required.”

Searching around, I see that it might be a CORS + 3rd party cookies issue but really cannot figure out what I have missed.

Here’s what I have done:

  • Allowed Callback URLs: /authorize
  • Allowed Logout URLs: /logout
  • Allowed Web Origins:
  • Allowed Origins (CORS):
  • Tried different browsers with 3rd party cookies disabled.
  • I even tried using ‘caddy’ to create a local https proxy for my base url and listed the https proxy in Application Settings.

I’m wondering if there is something obvious I missed or if this just isn’t supported anymore and I’m following an old blog post.

I’m on react v17.0.2.

Hey there!

Unfortunately we won’t be able to help you as you’re following a resource that is not maintained by Auth0 and we do have no knowledge about it but maybe someone from community will be able to help!

Get @konrad.sopala , thanks for getting back to me.

So I get my original instructions were a non-auth0 resource, but if I follow the Auth0 docs here: Auth0.js v9 Reference, I get the same result.

I initialize a webAuth with my client ID, domain, redirect URI, etc. Then start the passwordless process like so:

const variables = { email, connection: "email", send: "code" };
webAuth.passwordlessStart(variables, (err, res) => {
      if (err) {
      } else {

Once I get the code in my e-mail, try to complete the process like so:

return new Promise((resolve, reject) => {
      { email: email, connection: "email", verificationCode: otp },
      (err) => {
        if (err) {
        } else {

Every single time, my promise is rejected and the error from auth0 is printed to the console.

So regardless of if I my blog or the auth0 instructions, I get the same error.