Passwordless email link, verification fail on custom domain

Hi @benjaminn -

Thank you for answering my questions and sending over the HAR file as well as your Tenant name. After further investigation, I was able to find out that Auth0 is restricting the use of the /passwordless/start endpoint from confidential applications when Auth0 cannot authenticate that the call is made on behalf of the application.

OAuth uses the term "confidential" for applications that can store secrets. In Auth0, those are "Regular Web Applications", which serve web pages from a backend app. Single Page Applications and Native Applications are considered "public" applications, and are not affected by this change.

Can you please check the application type for this passwordless login function? If it is "Regular Web Application", the client secret is required; if it is "Single Page Application", then the client secret is not required. As you can see in the API parameter description:
"client_secret: REQUIRED The client_secret of your application, required for Regular Web Applications." (Authentication API Explorer)

If your application type is SPA, then as mentioned before: Single Page Applications and Native Applications are considered "public" applications, and are not affected by this change.

If you are using a Regular Web Application, and if you are calling the /passwordless/start endpoint from a page using JavaScript (e.g. auth0.js on the page), this will not be possible, as you cannot specify a client secret in a call made using JavaScript. If this is currently the case for your application, you will need to change your application so that /passwordless/start is called from the backend of your web application, rather than from the frontend.

For details, please see:
https://auth0.com/docs/migrations/guides/passwordless-start

Hope this helps and please let me know if you have any other questions/concerns.

1 Like
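The backend-vs-frontend rule described in the reply above, as an added example that is not code from the thread or from Auth0: a server-side builder for the POST /passwordless/start request that includes client_secret only for a Regular Web Application and refuses to attach one for a public (SPA) client. The domain, client id and secret are constructed placeholders; the connection, email and send parameters are the documented Authentication API fields for an email magic link.

```python
import json
import urllib.request

# Constructed sample values (not from the thread); replace with your tenant's.
AUTH0_DOMAIN = "login.example.com"        # custom domain or <tenant>.auth0.com
CLIENT_ID = "CLIENT_ID_PLACEHOLDER"
CLIENT_SECRET = "CLIENT_SECRET_PLACEHOLDER"  # must only ever live on the server


def build_passwordless_start(app_type, email, client_id,
                             client_secret=None, domain=AUTH0_DOMAIN):
    """Return (url, json_body) for POST /passwordless/start.

    Applies the rule from the reply: a confidential client ("regular_web")
    must authenticate with client_secret, so the call has to originate in
    backend code; a public client ("spa") has no secret and must not send one.
    """
    body = {
        "client_id": client_id,
        "connection": "email",  # the email passwordless connection
        "email": email,
        "send": "link",         # magic link rather than a one-time code
    }
    if app_type == "regular_web":
        if not client_secret:
            raise ValueError(
                "Regular Web Applications must call /passwordless/start "
                "from the backend with client_secret")
        body["client_secret"] = client_secret
    elif app_type == "spa":
        if client_secret:
            raise ValueError(
                "public applications have no secret; never ship one to a browser")
    else:
        raise ValueError(f"unknown app_type {app_type!r}")
    return f"https://{domain}/passwordless/start", body


def send_start(url, body, timeout=10):
    """Send the request from server-side code; returns (status, parsed JSON)."""
    req = urllib.request.Request(
        url, data=json.dumps(body).encode("utf-8"),
        headers={"Content-Type": "application/json"}, method="POST")
    with urllib.request.urlopen(req, timeout=timeout) as resp:
        return resp.status, json.loads(resp.read().decode("utf-8"))
```

Call send_start only from the web application's backend; the browser should hit your own endpoint, which then performs this request.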