Why am I seeing allow magiclink verify without session in my config?

When exporting our Auth0 Configuration I noticed the following new entry:

passwordless:
allow_magiclink_verify_without_session: true

According to Auth0’s own documentation magic links aren’t supported by the new universal login. Why is this showing in our config?

4 Likes

I am seeing the same and I can’t seem to find any configuration setting for it on the console:

tenant:
  ...
  universal_login:
    ...
    passwordless:
      allow_magiclink_verify_without_session: true

From what I can see, this field is a part of the tenant settings resource, even if it is not currently documented in the Management API Reference.

Since there is no mention of it anywhere in the official docs, it is hard to say what its true purpose is. However, this StackOverflow user seemed confident that it is related to a CSRF patch for the passwordless magic links.

Maybe the Auth0 team will update the docs eventually for us to know.