
Password-realm grant type - 'Passwordless authentication is not allowed on this endpoint.'

Hello everyone,

I am trying to use the ‘’ grant type in order to get an access token for the different connections that I have. I have two connections (sms, email) which I am using on one application.

I want to allow passwordless authentication for users so they receive a one-time code on email or mobile and use that code to later obtain an access token. I have managed to do that (sending one-time codes), but now I need to use the Authentication API to obtain an access token (/oauth/token). Because, as I mentioned, I am using two connections (email, sms), I can’t use the password grant, because in that case I must set ‘Default Directory’ to exactly one. I have tried that and it works, but as I said it then only checks one connection (email or mobile), and I want to use both of them. As I read in other posts on the forums, that should be possible by using the ‘password-realm’ grant type.

When I try to send the request

    POST /oauth/token HTTP/1.1
    cache-control: no-cache
    Postman-Token: 6add44d8-1780-484d-9b8b-50dec0f1f6bc

using this type of grant, I get the following error:

    {
        "error": "invalid_request",
        "error_description": "Passwordless authentication is not allowed on this endpoint."
    }

I read that this grant type needs to be activated using the Management API, which I did, but I am still getting this response. From the Management API I get the following for this client:

    "tenant": "xxxxx",
    "global": false,
    "is_token_endpoint_ip_header_trusted": false,
    "name": "AuthServiceWebApp",
    "is_first_party": true,
    "oidc_conformant": false,
    "sso_disabled": false,
    "cross_origin_auth": false,
    "description": "",
    "logo_uri": "",
    "sso": false,
    "callbacks": [
    "allowed_logout_urls": [
    "allowed_clients": [
    "signing_keys": [
    "allowed_origins": [],
    "client_id": "oxxxx",
    "callback_url_template": false,
    "client_secret": "xxxx",
    "jwt_configuration": {
        "alg": "RS256",
        "lifetime_in_seconds": 36000,
        "secret_encoded": false
    "token_endpoint_auth_method": "client_secret_post",
    "app_type": "regular_web",
    "grant_types": [
    "web_origins": [
    "custom_login_page_on": true

Do you have any idea what I am missing here?

Thanks in advance!