The api documentation states that the passwordless send code is meant to be executed client side since there is a rate limit on requests per IP. Does this also include authentication api calls to verify a code.
In other words, is it okay for me to let the client request a passwordless email code but then have the client send the code to our backend and then make a verify call from there?
Is there really any extra security in doing this anyhow?
Verify is a redirect endpoint, so it is intended to be executed via the browser as well. The response will be a 302 to your redirect_uri when executed on the backend.
If you want to validate the code from your backend, then, unfortunately, the only way to do that is using the deprecated RO endpoint which must be requested via a support ticket to get enabled for your tenant.
There is no additional security in calling verify code from your backend. It is perfectly safe to call verify from your universal login page. That is the recommended approach for passwordless. Redirect using /authorize, then from the login page that you configure in Auth0, call /passwordless/start, followed by /passwordless/verify.