In Passwordless is it possible to get access_token in the query string (?) instead of the fragment (#)?


When clicking on sign in link in the email sent by Passwordless I would like to get the returned data in the query string instead of the fragment.

I.e now I get

http: //my-domain-and-path # access_token=…

But would like to get

http: //my-domain-and-path ? access_token=…

This way I could verify the token directly instead of needing to scrape it and send it to back-end as xhr.

Thanks! :slight_smile:

From: javascript - Auth0 - Callback URL never called - Stack Overflow

The id_token and access_token are
returned on the hash fragment when
you’re using a response type of token.
This is aimed for browser-based
applications that as a consequence
have access to the URL fragment.

If your application is a traditional
server-side web application you should
be using the code response type so
that an authorization code is sent to
your server-side as part of the query
string. Then on the server-side you
can issue a request to exchange this
code for the actual tokens.

Yup, explicitly setting “responseType” to “code” when doing new auth0.WebAuth(...) solved it, thank you!