User Signups via backend API for Passwordless SPA


I’m attempting to implement a (hopefully) basic passwordless auth flow. My architecture is:

  • A backend API
  • A frontend SPA
  • A landing/marketing page (static)

The backend API has two main responsibilities in my ideal setup:

  • Authorize requests for various resources using a JWT Bearer token
  • User signups via a management API create user call

I want the backend API to control registration so I can insert the right records into my database right after creating the user in auth0, and also have more fields in my registration form (how did you hear about us?, etc). This API is called from the landing/marketing site for that controlled signup experience.

The SPA is simpler and has the following responsibilities:

  • Redirects users to Auth0 for login
  • Handles calling APIs that need authentication with the access token obtained from Auth0

The landing site has no interaction with Auth0. Its only IAM-related responsibility is to:

  • Handle the user signup experience. Call to the backend API (unauthenticated) for user signup

Now in my Auth0 tenant, I have the following pieces in place:

  • A SPA application for my SPA
  • An M2M application for my API to call the user create management API
  • An API for my backend API to authorize requests from the SPA.

The issue I’m encountering is specifically the create user request that happens as part of my controlled user signup experience. My API can successfully authenticate with the management API as that M2M application and create users in the “email” connection. However that sends out a magic link immediately to the user for the M2M application and not for the desired SPA application. I do not want users to know anything about the M2M application or interact with it in any way. It’s meant for just the backend API to communicate with Auth0 management APIs for user management.

So that’s my question - how can I create a user from my backend API interacting with Auth0 via an M2M application and have it send out a magic link (or a code) for the SPA application instead of the M2M application?

My guess is that I’ve made a bad assumption and maybe shouldn’t be owning that signup experience from my API. But I haven’t found docs that convince me it’s a bad idea so I’m hoping someone here can help enlighten me.

Thanks so much for any assistance or tips you all can provide! I really appreciate the help.
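As an added illustration (not code from the original post or from Auth0), here is a minimal version of the backend-controlled signup the question describes: the API obtains a Management API token with the M2M application's client credentials, creates the user in the passwordless "email" connection, and then writes its own registration record with the extra form fields. The Auth0 endpoints used (`POST /oauth/token` with the client-credentials grant and `POST /api/v2/users`) are real Management API v2 endpoints; the tenant domain and client credentials are placeholders, and the HTTP transport and database writer are injected callables so the code runs offline. It does not attempt to answer which application the resulting magic link is branded for; it only shows the backend side of the flow.

```python
import re
import time
from dataclasses import dataclass

# Loose sanity check on the submitted address before spending a Management API call.
EMAIL_RE = re.compile(r"^[^@\s]+@[^@\s]+\.[^@\s]+$")


class UserAlreadyExists(Exception):
    """Auth0 answered 409: the address is already registered in the connection."""


@dataclass
class Auth0Config:
    domain: str               # placeholder, e.g. "example-tenant.auth0.com"
    m2m_client_id: str        # M2M application, scoped to create:users only
    m2m_client_secret: str
    connection: str = "email" # the passwordless email connection


class SignupService:
    """Backend-owned signup: Auth0 holds the identity, our DB holds the form answers."""

    def __init__(self, cfg, http_post, db_insert, clock=time.time):
        self._cfg = cfg
        self._post = http_post      # callable(url, json_body, headers) -> (status, json)
        self._db_insert = db_insert # callable(record) -> None
        self._clock = clock
        self._token = None
        self._token_expiry = 0.0

    def _management_token(self):
        # Cache the M2M token until shortly before expiry; every client-credentials
        # exchange is rate limited and counted by Auth0, so don't fetch one per signup.
        now = self._clock()
        if self._token and now < self._token_expiry - 60:
            return self._token
        status, body = self._post(
            f"https://{self._cfg.domain}/oauth/token",
            {
                "grant_type": "client_credentials",
                "client_id": self._cfg.m2m_client_id,
                "client_secret": self._cfg.m2m_client_secret,
                "audience": f"https://{self._cfg.domain}/api/v2/",
            },
            {},
        )
        if status != 200:
            raise RuntimeError(f"token request failed with status {status}")
        self._token = body["access_token"]
        self._token_expiry = now + int(body["expires_in"])
        return self._token

    def signup(self, email, form_fields):
        """Create the Auth0 user, then the local registration row. Returns the Auth0 user_id."""
        if not EMAIL_RE.match(email):
            raise ValueError("invalid email address")
        token = self._management_token()
        # The create call is made AS the M2M application: anything Auth0 sends on
        # creation is tied to that client, which is the behaviour the post reports.
        status, body = self._post(
            f"https://{self._cfg.domain}/api/v2/users",
            {"email": email, "connection": self._cfg.connection},
            {"Authorization": f"Bearer {token}"},
        )
        if status == 409:
            raise UserAlreadyExists(email)
        if status != 201:
            raise RuntimeError(f"user creation failed with status {status}")
        # Extra questionnaire fields stay in our own database, not in the identity store.
        self._db_insert({"auth0_user_id": body["user_id"], "email": email, **form_fields})
        return body["user_id"]


def make_fake_transport(calls):
    """Constructed stand-in for the HTTP client: records requests, returns canned replies."""
    def post(url, json_body, headers):
        calls.append((url, json_body, headers))
        if url.endswith("/oauth/token"):
            return 200, {"access_token": "fake-mgmt-token", "expires_in": 86400}
        if json_body["email"] == "taken@example.com":
            return 409, {"statusCode": 409, "message": "The user already exists."}
        return 201, {"user_id": "email|constructed-id", "email": json_body["email"]}
    return post


def run_demo():
    """Two signups share one cached token; the second DB row carries the form answer."""
    calls, rows = [], []
    svc = SignupService(
        Auth0Config("example-tenant.auth0.com", "m2m-client-id", "m2m-secret"),
        make_fake_transport(calls), rows.append, clock=lambda: 1_000_000.0,
    )
    first = svc.signup("alice@example.com", {"heard_from": "newsletter"})
    second = svc.signup("bob@example.com", {"heard_from": "friend"})
    token_calls = sum(1 for url, _, _ in calls if url.endswith("/oauth/token"))
    return first, second, token_calls, rows


if __name__ == "__main__":
    print(run_demo())
```

The injected `http_post` keeps the Auth0-facing logic testable without a tenant; in production it would wrap `requests.post(url, json=..., headers=...)` and return `(resp.status_code, resp.json())`. Keeping the questionnaire fields in the application database rather than in Auth0 user metadata also keeps the M2M application's required scope down to `create:users`.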