Passwordless with code option fails with CORS

I started with the quickstart with the link option and converted it to use a code instead.

The app is a single page app using the latest auth0-js (version 9.6.1).

Oddly the call to passwordless/start succeeds and I can see the correct access control allow origin header there:


However, the call to passwordless/verify does not have the access control allow origin header:

I’d appreciate it if someone can confirm either that I’m doing something wrong or that this is broken on auth0’s end.


:wave: @kyle.reed curious which quickstart are you referring to?

Apologies I hadn’t finished my message - I shall continue here.

Can you ensure you have included your application’s domain URLs in the Allowed Web Origins and Allowed Origins (CORS) fields? Are you using passwordlessVerify() with hosted pages? If so, we should change that method call to use passwordlessLogin() instead.

Re: Quickstart: I stated with the Vue.js passwordless quickstart.

I’m not using hosted pages. The auth-js documentation doesn’t say that this is required.

I’m also not seeing passwordlesslogin here: JSDoc: Global

Re: Allowed Web Origins, yes absolutely. I don’t think the passwordless/start call would have worked without those settings.

Anyway, I’ve already moved on to another solution now. I couldn’t wait.

Sorry to hear that Kyle. I look to work with our team to see what we can do about the issue and what we can improve in our documentation.