How to Pass the Client IP to /passwordless/start

Problem statement

How can a backend server that calls /passwordless/start on behalf of clients send each client's IP address in the request, so that the backend server's own IP address is not used?

Solution

Use the following steps:

  • Use a regular web or machine-to-machine (M2M) application. The client secret can be stored securely on the backend server and passed into the request.
  • In the application's configuration in the Auth0 dashboard, open Advanced Settings and, on the OAuth tab, ensure the Trust Token Endpoint IP Header setting is enabled.

In the /passwordless/start request, include the header auth0-forwarded-for containing the client IP. For example:

curl --header "auth0-forwarded-for: x.x.x.x" --request POST \
  --url 'https://DOMAIN/passwordless/start' \
  --header 'content-type: application/json' \
  --data '{"client_id":"CLIENT_ID", "client_secret":"CLIENT_SECRET", "connection":"sms", "phone_number":"+44123456789", "send":"code", "authParams":{"scope": "openid"}}'
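
An added example, not from the original article or from Auth0: one way a Python backend might choose the address to send in auth0-forwarded-for and build the same request as the curl command above. The proxy range, function names and sample addresses are assumptions; the address comes from the socket peer or from X-Forwarded-For hops appended by the backend's own proxies, because a client can set the leftmost X-Forwarded-For entries itself.

```python
import ipaddress
import json
import urllib.request

# Assumption: address range of the reverse proxies in front of this backend.
TRUSTED_PROXIES = [ipaddress.ip_network("10.0.0.0/8")]


def is_trusted(addr):
    return any(addr in net for net in TRUSTED_PROXIES)


def resolve_client_ip(peer_addr, x_forwarded_for=None):
    """Return the client IP to report, ignoring hops a client could forge."""
    peer = ipaddress.ip_address(peer_addr)
    if not is_trusted(peer) or not x_forwarded_for:
        # Direct connection or no proxy header: the socket peer is the client.
        return str(peer)
    # Walk right to left: the rightmost hops were appended by our own proxies,
    # so the first address that is not one of them is the real client.
    for hop in reversed([h.strip() for h in x_forwarded_for.split(",")]):
        try:
            addr = ipaddress.ip_address(hop)
        except ValueError:
            break  # malformed entry: stop trusting the header
        if not is_trusted(addr):
            return str(addr)
    return str(peer)


def build_passwordless_start(domain, client_id, client_secret,
                             phone_number, client_ip):
    """Build (without sending) the POST shown in the curl command."""
    body = {
        "client_id": client_id, "client_secret": client_secret,
        "connection": "sms", "phone_number": phone_number,
        "send": "code", "authParams": {"scope": "openid"},
    }
    return urllib.request.Request(
        f"https://{domain}/passwordless/start",
        data=json.dumps(body).encode(),
        headers={"content-type": "application/json",
                 "auth0-forwarded-for": client_ip},
        method="POST",
    )
```

Pass the returned object to urllib.request.urlopen to send it once DOMAIN and the client credentials are filled in.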
