How to Pass the Client IP to /passwordless/start

Problem statement

How to send the client IP address in a /passwordless/start request from a backend server on behalf of clients so that the backend server IP address is not used?


Use the following steps:

  • Use a regular web or m2m application. The client secret can be stored securely on the backend server and passed into the request.
  • On the application configuration in the Auth0 dashboard under Advanced Settings, ensure the setting Trust Token Endpoint IP Header is enabled in the OAuth tab.

In the /passwordless/start request, include the header auth0-forwarded-for containing the client IP. For example:

curl --header "auth0-forwarded-for: x.x.x.x" --request POST \
  --url 'https://DOMAIN/passwordless/start'; \
  --header 'content-type: application/json' \
  --data '{"client_id":"CLIENT_ID", "client_secret":"CLIENT_SECRET", "connection":"sms", "phone_number":"+44123456789", "send":"code", "authParams":{"scope": "openid"}}'

Related docs