Passwordless login link results in 404 Error

Hi,
I’m currently developing a web app (vue.js) with auth0. I’m trying to get the passwordless login to work. The goal is that Sign-Ups are disabled and I can create new users via the management API and the users receive an e-mail with the the magic link.
The current workflow looks like this (all REST):

  1. Request an API-Token which has access to the management api via the /oauth/token endpoint
  2. create a new user with the received API-Token via the /api/v2/users endpoint
    —> everything works to this point. The user can visit our login page, enter their e-mail and receives a code to login on the login page. That works perfectly, but we want to call the /passwordless/start endpoint of the authentification api so that the user doesn’t have to visit the site, input his e-mail and type in a code. The user should get an e-mail right away with a passwordless-login-link when we create them via the management / auth api of auth0.

What I tried:
3. POST /passwordless/start with body:
{“client_id”:ID_OF_THE_SPA",
“client_secret”:“SECRET_OF_THE_SPA”,
“connection”:“email”,
email":"MAIL@MAIL.com”,
“send”:“link”
}
–> The user now should get an e-mail with the working magic link. The link looks like this:
https://COMPANYNAME.eu.auth0.com/passwordless/verify_redirect?scope=openid&response_type=token&redirect_uri=https://SPA_URL&verification_code=113634&connection=email&client_id=CLIENT_ID_SPA&email=MY_EMAIL

–> When I click the link it instantly redirects to this:
https://SPA_URL/#/error=unauthorized&error_description=Wrong%20email%20or%20verification%20code.
and the SPA shows a 404.

Any idea why this could happen? Is the workflow I described wrong or not achievable?

Hi @kevinReddo,

Welcome to the Community!

I think your general premise makes sense, but it looks like there are some issues here that need to be addressed.

A SPA should not be using a client secret. That is an issue. You can omit it when you are working with a SPA.

Are you calling the management API from your SPA? If you are, you need to make sure the token is very limited in scope, typically this is pre-configured, and you will not be able to get a management token that will do what you described.

There are plenty of ways to get around this, we just need to know more about what applications are making these requests. Also make sure the application you registered for your SPA has the application type set to Single Page Application. This will prevent your app from being accidentally granted insecure scopes for a client side application.