I want to update about this one.
If somebody else is implementing:
Universal login + passwordless + wants to pass extra values from his code to the login.
Indeed saving it on ** additionalSignUpFields** will not save it to “user_metadata” as written on the docs (because it is passwordless - I think you should update it on the docs).
But - there is a solution if all you want is to pass data (not displaying extra fields, just passing extra data).
Even though it is not saved to the user_metadata, inside a signin rule, you can look at the context variable. there inside context.request.params you can find every param you passed from your code when calling /authorize, and params you push to the options field when using Auth0LockPasswordless on the universal login.
From there you can save this data to the user_metadat, or into the id_token (so it will be retrieved when responding to user auth inside the id_token jwt).
It took me a while, can be cool if Auh0 can document it.