Unable to retrieve a refresh token using the passwordless link method

I’ve created a native application and defined the Allowed Callback URLs corresponding to my native app.
I’ve set the grant types to Refresh Token, Implicit and Passwordless OTP.
I’ve configured the passwordless connection and I am able to receive emails.

I am requesting a passwordless link using the passwordless/start api ( https://auth0.com/docs/api/authentication#get-code-or-link).

fetcher(`https://${AUTH0_DOMAIN}/passwordless/start`, {
  method: 'post',
  body: JSON.stringify({
    client_id: AUTH0_CLIENT_ID,
    connection: 'email',
    send: 'link',
    email: values.email,
    authParams: {
      scope: 'openid email profile offline_access'

I receive an email with the following example link (

After clicking the url, my native app opens and the deep link contains: xxx://xxx.auth0.com/ios/xxx/callback#access_token=xxx&scope=openid%20profile%20email%20offline_access&expires_in=7200&token_type=Bearer

Since this is a native application I would like to use refresh tokens as recommended.

if I use a code instead of a magic link I am able to get a refresh token using oauth/token api (https://auth0.com/docs/api/authentication#authenticate-user)

 fetcher(`https://${AUTH0_DOMAIN}/oauth/token`, {
  method: 'post',
  body: JSON.stringify({
    client_id: Config.AUTH0_CLIENT_ID,
    grant_type: 'http://auth0.com/oauth/grant-type/passwordless/otp',
    connection: 'email',
    realm: 'email',
    username: values.email,
    otp: values.code,
    scope: 'openid email profile offline_access',

This correctly returns me an access and refresh token. But this flow kills the whole usefulness of magic links since now codes need to copy/pasted manually.

1 Like

How did you get it to work with the OTP code? I’m having the same issue but with SMS instead, no refresh token is available.

This is the reply I got from auth0.

Hi There, You can use use refresh token flow if you are executing one of the following oauth2.0 flows.

https://auth0.com/docs/best-practices/token-best-practices#refresh-token-usagePasswordless flow is not part of Oauth2.0 grant flows. Hence, it is not supported.

As mentioned before, if you use Universal Login Flow and implement passwordless login via Hosted Login Page, you can create longer session for the user via refresh token. In that case, application will be executing Authorization Code Grant flow.

We have opted to use a code instead of a magic link and calling the /oauth/token endpoint to get a refresh token.

1 Like

Thanks for sharing that with the rest of community!

Thanks for the link! Flipping the Allow Offline Access switch in my API helped solve the issue. Now Auth0 response includes the refresh token. Perhaps setting the same for your API and also including an audience param could solve your issue aswell?