I started with the quickstart with the link option and converted it to use a code instead.
The app is a single page app using the latest auth0-js (version 9.6.1).
Oddly the call to passwordless/start succeeds and I can see the correct access control allow origin header there:
However, the call to passwordless/verify does not have the access control allow origin header:
I’d appreciate it if someone can confirm either that I’m doing something wrong or that this is broken on auth0’s end.