I get an "invalid state" error when I try to log in via a passwordless email code

I’m using the auth0-php sdk. I can log in without issue when it comes to the normal email/password method. But I get issues with passwordless logins. Here is my current set up in case anyone can help:

  1. I create an SdkConfiguration object with domain, clientId, clientSecret, redirectUri, and cookieSecret data. This gets returned as an Auth0 object which I refer to as $auth0.
  2. I can get the URL to the login page by simply doing $auth0->login(). This works fine.
  3. I also want to give users the option to log in with an email code so I have a separate button my page to do that. Here’s what I tried:

I get the user’s email from a form that they fill. After they hit the submit button, I take their email and call this:
$auth0->authentication()->emailPasswordlessStart($email, 'code');
However, this doesn’t automatically direct me to the Auth0 code verification page. So after this, I generate a state code using bin2hex(random_bytes(16)) and build a url string like this:

$url = 'https://' . $auth0_domain . '/authorize' .
                    '?response_type=code' .
                    '&client_id=' . $client_id .
                    '&redirect_uri=' . urlencode($redirect_uri) .
                    '&scope=openid%20profile%20email' .
                    '&connection=email' .
                    '&login_hint=' . urlencode($email) .
                    '&state=' . $state;

The problem with this though, I get two email verification codes. I found that BOTH “emailPasswordlessStart” I mentioned earlier and the URL (after visiting it) sends an email verification code. So I end up with two which might be messing up the state code. I decided to just comment out the “emailPasswordlessStart” line altogether. After I run this code, it takes me to the Auth0 login page and I get a verification email. I enter the code but it doesn’t log me in and says I have an “invalid state”. I’m confused because I’m checking the state I generate before sending the user to Auth0 and what it is during my callback after logging in, and it’s the same both times.

How can I fix this invalid state error?