At this time if you need that an authentication session be established (for renewAuth) and you’re using API authorization or OIDC compliance then the available option is to go through the hosted login page which would imply the use of your Auth0 account domain. I’ve seen discussions around allowing the possibility to use customized domains for the hosted login page, but at this point I can’t provide you any definitive information about if/when/how will that be available.
Given your restrictions on the above the other alternative would be to maintain the input of user credentials in your application and still manage to establish a session. There’s an ongoing effort to support this scenario; again I won’t provide any timeline because we all know how software development is volatile, but I can let you know that it already progressed well beyond just being on paper.