I’m implementing an authentication flow as follows using the Passwordless API:
- User enters their email or phone number in the client app.
- This creates a request in the middleware which checks if the email is allowed using a third party api.
- If valid, call the Auth0 endpoint to log in the user (`passwordlessStart`).
- Auth0 sends a magic password / OTP to the user.
- User enters the magic password / OTP in the interface (`passwordlessVerify`).
- Auth0 returns an access token back to the client directly where the endpoint was called for login (`parseHash`).
After the user is signed in, all user actions henceforth generate the following flow:
- User Acts, a request is sent to middleware with access_token and email / phone.
- Middleware calls Auth0 to verify the access token.
- Once verified, the actual request is performed to third party.
I’m not sure how to verify the access token in the middleware (if it’s valid) in the second step.