I’m figuring out how to do login and signup without the user leaving my PHP-site. Is there any chance to simply talk to the API and do it without Lock widget or a hosted page?
It should be possible by leveraging Auth0.js v8 login method and cross-origin authentication. You should review the cross-origin documentation to see if the characteristics of this type of authentication would be suitable for your scenario. I could not find any sample with cross-origin and Auth0.js as the ones I know about use Lock; in addition, the reference documentation for Auth0.js does not seem very complete with regards to this so I asked the documentation team to review this situation.
Another alternative would be to just submit the end-user credentials to the back-end and then from the back-end perform a resource owner password credentials grant in order to obtain the tokens and validate the credentials. You could then maintain a PHP session after having validated the credentials.
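A sketch of the back-end alternative described in the answer above, as an added example that is not part of the original thread or Auth0's own sample code. It assumes the Password grant is enabled for the application; the tenant domain, the environment variable names, the form field names and the helper `auth0_password_grant()` are placeholders chosen for illustration.

```php
<?php
declare(strict_types=1);

// Placeholder tenant domain; client credentials come from the environment (assumed names).
const AUTH0_DOMAIN = 'YOUR_TENANT.auth0.com';

// Hypothetical helper: exchanges the credentials at the token endpoint.
// Returns the decoded token response, or null if the credentials were rejected.
function auth0_password_grant(string $username, string $password): ?array
{
    $ch = curl_init('https://' . AUTH0_DOMAIN . '/oauth/token');
    curl_setopt_array($ch, [
        CURLOPT_POST           => true,
        CURLOPT_RETURNTRANSFER => true,
        CURLOPT_TIMEOUT        => 10,
        CURLOPT_POSTFIELDS     => http_build_query([
            'grant_type'    => 'password',
            'username'      => $username,
            'password'      => $password,
            'scope'         => 'openid profile email',
            'client_id'     => getenv('AUTH0_CLIENT_ID'),
            'client_secret' => getenv('AUTH0_CLIENT_SECRET'), // stays on the server
        ]),
    ]);
    $body   = curl_exec($ch);
    $status = curl_getinfo($ch, CURLINFO_RESPONSE_CODE);
    curl_close($ch);
    if ($body === false || $status !== 200) {
        return null; // network failure or credentials rejected
    }
    $tokens = json_decode($body, true);
    return is_array($tokens) && isset($tokens['access_token']) ? $tokens : null;
}

if (($_SERVER['REQUEST_METHOD'] ?? '') === 'POST') {
    session_start(['cookie_httponly' => true, 'cookie_secure' => true, 'cookie_samesite' => 'Lax']);
    $tokens = auth0_password_grant((string)($_POST['email'] ?? ''), (string)($_POST['password'] ?? ''));
    if ($tokens === null) {
        http_response_code(401);
        exit('Invalid email or password.'); // same message for every failure
    }
    session_regenerate_id(true);            // new session ID on login (session fixation)
    $_SESSION['authenticated'] = true;
    $_SESSION['access_token']  = $tokens['access_token'];
    // Verify the ID token with a JWT library before reading claims from it.
    $_SESSION['id_token']      = $tokens['id_token'] ?? null;
    header('Location: /');
    exit;
}
```

With this approach the PHP application handles the user's password directly, so the login form must be served and posted over HTTPS and the password should never be logged or stored in the session.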