We recently introduced a change that requires us to send client_secret when starting the flow in confidential clients (e.g. regular web apps as opposed to single page apps). This lets Auth0 authenticate that the API call was made from the right app.
For new tenants, the toggle to disable this behavior is not available.
- If you invoke /passwordless/start from a backend (regular web app), start sending the client secret in the body.
- If you invoke it from a frontend (single page app), change the Auth0 application’s type to Single Page App. Specifically, the ‘Token Endpoint Authentication Method’ in the application’s settings should be set to ‘None’.
Let us know if you come across any issues.
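As an added example (not from the post above and not Auth0's own code), a small Python helper that builds the /passwordless/start request body for each application type: it requires client_secret for a regular web app and refuses to attach one for a single page app, so a secret never ends up in browser-side code. The tenant domain, client id, email and connection values are assumed placeholders.

```python
import json
import os
import urllib.request

# Placeholder tenant domain (assumption, not a real tenant).
AUTH0_DOMAIN = "YOUR_TENANT.auth0.com"


def build_passwordless_start_body(app_type, client_id, email, client_secret=None,
                                  connection="email", send="code"):
    """Build the JSON body for POST /passwordless/start.

    app_type: "regular_web" (confidential client, called from a backend)
              or "spa" (public client, called from a frontend).
    A confidential client must include client_secret; a public client must
    never carry one, because a secret shipped to a browser is no longer secret.
    """
    body = {"client_id": client_id, "connection": connection,
            "email": email, "send": send}
    if app_type == "regular_web":
        if not client_secret:
            raise ValueError("confidential client: client_secret is required")
        body["client_secret"] = client_secret
    elif app_type == "spa":
        if client_secret is not None:
            raise ValueError("single page app: never send client_secret from a frontend")
    else:
        raise ValueError(f"unknown app type: {app_type}")
    return body


def start_passwordless(body, domain=AUTH0_DOMAIN):
    """POST the body to /passwordless/start (backend use only; makes a network call)."""
    req = urllib.request.Request(
        f"https://{domain}/passwordless/start",
        data=json.dumps(body).encode(),
        headers={"Content-Type": "application/json"},
        method="POST",
    )
    with urllib.request.urlopen(req, timeout=10) as resp:
        return json.load(resp)


if __name__ == "__main__":
    # Backend (regular web app): the secret comes from the environment, never from source.
    body = build_passwordless_start_body(
        "regular_web", client_id=os.environ["AUTH0_CLIENT_ID"],
        email="user@example.com",  # constructed sample address
        client_secret=os.environ["AUTH0_CLIENT_SECRET"])
    print(start_passwordless(body))
```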