OTP received for SMS-based passwordless users created via the management API sometimes does not work

Problem statement

OTP received for SMS-based passwordless users created via the management API sometimes does not work.

Cause

  • When an SMS-based passwordless user is created via the Management API, Auth0 sends the SMS before the user is created. If user creation is delayed, the user may not yet exist when they enter the received OTP code, so they are told that their OTP is incorrect.

Solution

The ideal solution is to set phone_verified to true during user creation, which prevents the SMS from being sent. You can then poll the Management API to confirm that the user has been created, and then manually send the OTP via the /passwordless/start endpoint.
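
The three steps above in order, as an added example (not Auth0's own code): the OTP request is issued only after the user can be read back, and is never sent if polling times out. The function names, the connection name `sms`, the retry counts and the treatment of HTTP 404 as "not created yet" are assumptions of this sketch.

```python
import json, time, urllib.error, urllib.parse, urllib.request

def urllib_transport(method, url, headers, body=None):
    """Send one JSON request; return (status, parsed JSON body)."""
    data = json.dumps(body).encode() if body is not None else None
    req = urllib.request.Request(url, data=data, method=method,
                                 headers={"Content-Type": "application/json", **headers})
    try:
        with urllib.request.urlopen(req, timeout=10) as resp:
            return resp.status, json.loads(resp.read() or b"{}")
    except urllib.error.HTTPError as err:
        return err.code, {}

def create_then_send_otp(domain, mgmt_token, client_id, phone, client_secret=None,
                         send=urllib_transport, attempts=5, delay=1.0, sleep=time.sleep):
    """Hypothetical helper: create the user silently, wait for it, then send the OTP."""
    base = f"https://{domain}"
    auth = {"Authorization": f"Bearer {mgmt_token}"}
    # Step 1: phone_verified=true stops Auth0 from sending an SMS at creation time.
    status, user = send("POST", f"{base}/api/v2/users", auth,
                        {"connection": "sms", "phone_number": phone, "phone_verified": True})
    if not 200 <= status < 300:
        raise RuntimeError(f"user creation failed: HTTP {status}")
    # Step 2: poll the Management API until the new user can be read back.
    user_url = f"{base}/api/v2/users/{urllib.parse.quote(user['user_id'], safe='')}"
    for attempt in range(attempts):
        status, _ = send("GET", user_url, auth)
        if status == 200:
            break
        if status != 404:  # e.g. 401/403/429: retrying will not help, fail loudly
            raise RuntimeError(f"polling failed: HTTP {status}")
        sleep(delay * 2 ** attempt)  # exponential backoff between polls
    else:
        raise TimeoutError("user not visible after polling; OTP not sent")
    # Step 3: the user exists, so the code they receive can now be validated.
    start = {"client_id": client_id, "connection": "sms",
             "phone_number": phone, "send": "code"}
    if client_secret:  # only confidential clients have a secret to send
        start["client_secret"] = client_secret
    status, _ = send("POST", f"{base}/passwordless/start", {}, start)
    if not 200 <= status < 300:
        raise RuntimeError(f"/passwordless/start failed: HTTP {status}")
    return user["user_id"]
```

Pass the tenant domain, a Management API token and the application's client ID; `send` and `sleep` are injectable so the ordering can be exercised without network access.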