Passwordless can I send email link programatically

When I use the API to send the Passwordless email, users are getting the email but they are redirected to the login form:

POST {URL}/passwordless/start
Content-Type: application/json
{
“client_id”: “YOUR_CLIENT_ID”,
“client_secret”: “YOUR_CLIENT_SECRET”, // for web applications
“connection”: “email|sms”,
“email”: “USER_EMAIL”, //set for connection=email
“phone_number”: “USER_PHONE_NUMBER”, //set for connection=sms
“send”: “link|code”, //if left null defaults to link
“authParams”: { // any authentication parameters that you would like to add
“scope”: “openid”,
“state”: “YOUR_STATE”
}
}

I tried sending different payloads in the POST request.

Is it possible to send an email programatically from server side without user interaction and when users click the link they are logged in into the application?

At this moment the Passwordless is working only when users use the Lock (passwordless) template and click Send email button.

I see this in the documentation:
When using magic links from Universal Login, both the initial request and its response must take place in the same browser or the transaction will fail .

But I was wondering if is possible to send links without user interaction and get the same behavior we have as when users click the Send email button?

Hi @oscar.yepes.dev,

Welcome to the Auth0 Community!

Yes, what you describe appears feasible. I was able to send an start a passwordless link flow (send an email) from a cURL request and open it and login in an incognito window. Can you describe how your attempts have been failing?

Hi @dan.woda ,

First of all thank you for your quick response.

This is what I’m doing:

  1. Using POSTMAN or curl I make a POST request:
POST /passwordless/start
{
    "client_id": "MY_CLIENT_ID",
    "client_secret": "MY_SECRET",
    "connection": "email",
    "email": "email@email.com",
    "send": "link"
}
  1. I receive the email
  2. When I click the link in the email, I’m redirected to my FE app but @auth0/auth0-react the getAccessTokenSilently function is returning an error:
"errorMessage":"Login required"

The expected behavior is: when user clicks the link, he/she is automatically logged in into the app, which is what happens when the email is generated using the Passwordless lock form:
image

Additional note:
The email received when user submits the Passwordless form contains a link that is much larger than the email I receive when I use curl or POSTMAN.

Thanks for your help!

Can you post an example of the link you are receiving in each situation. (you can obscure sensitive info)

Of course.

Link received when user submits the Passwordless Lock form:
https://{APP_URL}/passwordless/verify_redirect?scope=openid%20profile%20email&response_type=code&redirect_uri={REDIRECT_URI}&state={STATE}&nonce={NONCE}&response_mode=query&_intstate=deprecated&_csrf={CSRF}&audience={AUDIENCE}&code_challenge_method=S256&code_challenge={CODE_CHALLENGE}&auth_0_client={AUTH0_CLIENT}&protocol=oauth2&verification_code={VERIFICATION_CODE}&connection=email&client_id={CLIENT_ID}&email=test@test.com

Link received when I use CURL:
https://{APP_URL}/passwordless/verify_redirect?scope=openid&response_type=token&redirect_uri={REDIRECT_URI}&verification_code=702522&connection=email&client_id={CLIENT_ID}&email=test@test.com

The POST request I’m doing with CURL is:
curl -d '{ "client_id": "{CLIENT_ID}", "client_secret": "{CLIENT_SECRET}", "connection": "email", "email": "test@test.com", "send": "link" }' -H "Content-Type: application/json" -X POST {APP_URL}/passwordless/start

Do you think I’m sending the wrong payload when I use CURL?

Great, thanks.

Could you please create a HAR file of the transaction and DM it to me?

@dan.woda The login does not work on incognito not even my normal login form. I can login in non incognito mode, will it work if I send you the HAR file using non incognito mode?

Sure, whatever is causing the error should be helpful.

@dan.woda According to the API documentation the endpoint to generate the email must be used in the client side:

This endpoint is designed to be called from the client-side, and is subject to rate limits.

So I was wondering how did you make the flow I described in the first question of this thread work using CURL?