Passwordless embededd auth with custom UI (would this work?)


We are trying to build passwordless authentication (basically confirm the phone number of a user), with a custom UI. We’d like to keep the look & feel consistent with the rest of the app.

It looks like we have 2 choices:

A) Using universal login through Dashboard → Branding → Universal Login → Login → Lock (passwordless). However we need more customization, than primary/secondary colors.

Is it possible with universal login + passwordless (lock.js)?

B) Using the APIs directly, (/passwordless/start and /oauth/token described here: Authentication API Explorer).

We wouldn’t like to call these APIs from web client code (js), since both client id and client secret has to be included in these requests.

Our idea here was to make auth part of our server that handles the rest of the business logic, and the flow would look something like this:

Does this look like a good idea? Do you see any possible vulnerabilities with this approach? Maybe something else we didn’t think of?

Thank you!