Magic link with Authentication API, does it require the same browser?

The docs say " request and its response must take place in the same browser or the transaction will fail", but there’s not much details about how that works? Does it just work out of the box? That’s not the behavior I’m seeing.

I’m using the ruby API gem:

        redirect_uri: "",
        scope: "openid profile email"
This will send an email with a link that I can open in any browser.

To restrict it seems like you have to send `state` but that doesn't seem to get forwarded on the redirect, unless you set the response type to `code`:

response_type: “code”,
redirect_uri: “”,
scope: “openid profile email”,
state: password_less_state

The `authParams` description in the API docs is vague:

I'm trying this out on a modified version of the Rails sample app provided by Auth0. You can see my full code here:

Has anyone else seen this? Or can someone explain how magic link's same browser restriction works?