I am trying to implement the OTP authentication flow with SMS using Auth0 (Passwordless Connections with SMS using Twilio).
We have a mobile app, an API, a database and we use Auth0.
- The user enters a phone number.
- Does the client send the phone number directly to Auth0?
- Or does the client send the phone number to the API, which calls Auth0 (Twilio)?
- The user receives a code through SMS.
- Does the client send the code to Auth0?
- Or does the client send the code to the API, which then sends it to Auth0?
- The user enters the code and receives an access_token, an id_token and a refresh_token.
- Does Auth0 talk directly to the API and the client separately?
- Should the client receive these tokens and send them to the back end?
- Or should the API receive these directly and send only the id_token back to the client?
- The user accesses the resource in the database.
- Do the id_token, access_token and refresh_token need to be saved in the database?
These are a few questions I have but I am more confused about the general authentication flow with OTP.
I also asked the question on stackoverflow: