Hi,
Thanks for the investigation. Unfortunately, our app type is SPA, so if I’m reading you correctly, we do not need a client_secret and should not be bound to the restriction of the /passwordless/start endpoint.
So we still need to figure out why Auth0 cannot authenticate that the call is made on behalf of the application.
I’m out of solutions.
Any other ideas? cc @konrad.sopala @dan.woda