Auth0’s passwordless login doesn’t actually eliminate passwords; it just shifts the authentication challenge to a one-time code delivered via email or SMS.
Let’s see it in action. Imagine a user alice@example.com wants to log in without a password.
- User Initiates Login: Alice visits your application and clicks "Log In with Email." She enters `alice@example.com`.
- Auth0 Generates and Sends Code: Your application backend calls Auth0's `/passwordless/start` API endpoint with `email: "alice@example.com"` and `connection: "your-email-connection-name"`. Auth0 generates a unique, time-limited code (e.g., `123456`) and emails it to `alice@example.com`.
- User Enters Code: Alice receives the email, sees the code `123456`, and enters it into your application's verification form.
- Auth0 Verifies Code: Your application backend calls Auth0's `/oauth/token` endpoint with `grant_type: "http://auth0.com/oauth/grant-type/passwordless/email-code"`, `client_id: "YOUR_CLIENT_ID"`, `client_secret: "YOUR_CLIENT_SECRET"`, `username: "alice@example.com"`, and `code: "123456"`.
- Auth0 Issues Tokens: If the code is valid and not expired, Auth0 returns an `access_token` and an `id_token`, authenticating Alice.
This whole flow is managed by Auth0’s "Passwordless" authentication flows, which you configure within your Auth0 dashboard under "Authentication" -> "Passwordless." You’ll need to set up an "Email" connection and potentially an "SMS" connection if you want to support that channel. For email, you’ll likely use Auth0’s built-in email provider or configure an external SMTP server. For SMS, you’ll integrate with a provider like Twilio. The "Allowed Callback URLs" in your Auth0 Application settings are crucial; these are the URLs Auth0 will redirect the user back to after a successful authentication.
The core of passwordless login is the `/passwordless/start` call and the subsequent token exchange using the `email-code` or `sms-code` grant types. When you call `/passwordless/start`, you're essentially telling Auth0 to initiate the verification process for that user via the specified channel. Auth0 handles the secure generation, delivery, and validation of the one-time code. The token exchange is where Auth0 confirms the user possesses the device or email address by validating the code they provide.
The surprising part for many is that Auth0 still uses client secrets for the token exchange in this flow. While the user experience is passwordless, the application that initiates the login on behalf of the user still needs to authenticate itself to Auth0 to prove it's a legitimate client requesting tokens. This is why you'll find `client_id` and `client_secret` in the `/oauth/token` request for passwordless authentication. It's a security measure to prevent unauthorized applications from requesting tokens for your users.
To implement this, you’ll need to:
- Enable Passwordless in Auth0: Go to "Authentication" -> "Passwordless" and toggle on "Email" and/or "SMS."
- Configure Connections: Set up your email provider (Auth0’s or external SMTP) and SMS provider (e.g., Twilio API Key and Secret) under "Authentication" -> "Database" and create a new connection specifically for passwordless, or use an existing one.
- Register Your Application: In Auth0, create or select your application under "Applications" -> "Applications." Ensure the "Allowed Callback URLs" are correctly set (e.g., `http://localhost:3000/callback`).
- Client-Side Flow: Your frontend will capture the user's email/phone number and trigger an API call to your backend.
- Backend Flow: Your backend will call Auth0's `/passwordless/start` endpoint. Once the user provides the code, your backend will call Auth0's `/oauth/token` endpoint with the appropriate `grant_type` and credentials.
- Handle Tokens: Your backend receives the `access_token` and `id_token` from Auth0 and returns them to your frontend, which then stores them (e.g., in local storage or cookies) to manage the user's session.
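As an added example (not code from the original post or from Auth0's own SDKs), here is a minimal Python backend for the two calls in the flow above. It uses the request fields as this page gives them, additionally passes `client_id` on the start call, assumes the default six-digit code shown in the walkthrough, and takes an injectable HTTP transport so the flow can be exercised without a tenant; `tenant.example.auth0.com` is a placeholder domain.

```python
import json
import re
import urllib.request
from typing import Any, Callable, Dict

EMAIL_CODE_GRANT = "http://auth0.com/oauth/grant-type/passwordless/email-code"
EMAIL_RE = re.compile(r"^[^@\s]+@[^@\s]+\.[^@\s]+$")
CODE_RE = re.compile(r"^\d{6}$")  # assumes the default six-digit code (e.g. 123456)

Poster = Callable[[str, Dict[str, Any]], Dict[str, Any]]


def http_post_json(url: str, body: Dict[str, Any]) -> Dict[str, Any]:
    """Default transport: POST a JSON body to Auth0 and parse the JSON reply."""
    req = urllib.request.Request(
        url, data=json.dumps(body).encode(), headers={"Content-Type": "application/json"}
    )
    with urllib.request.urlopen(req, timeout=10) as resp:
        return json.loads(resp.read())


class PasswordlessClient:
    """Server-side half of the flow; the client secret never leaves the backend."""

    def __init__(self, domain: str, client_id: str, client_secret: str,
                 connection: str, post: Poster = http_post_json) -> None:
        self.base = f"https://{domain}"
        self.client_id, self.client_secret = client_id, client_secret
        self.connection = connection  # the email connection named in the dashboard
        self.post = post  # injected transport so the flow can run offline in tests

    def start(self, email: str) -> Dict[str, Any]:
        """Step 2: ask Auth0 to generate and email a one-time code."""
        if not EMAIL_RE.match(email):
            raise ValueError("malformed email address")
        body = {"client_id": self.client_id, "connection": self.connection,
                "email": email, "send": "code"}
        return self.post(f"{self.base}/passwordless/start", body)

    def exchange(self, email: str, code: str) -> Dict[str, str]:
        """Step 4: trade the user-supplied code for tokens."""
        # Reject anything that is not a six-digit code before it reaches Auth0,
        # so arbitrary user input never lands in the token request.
        if not CODE_RE.match(code):
            raise ValueError("code must be six digits")
        body = {"grant_type": EMAIL_CODE_GRANT, "client_id": self.client_id,
                "client_secret": self.client_secret, "username": email, "code": code}
        resp = self.post(f"{self.base}/oauth/token", body)
        if "access_token" not in resp or "id_token" not in resp:
            raise RuntimeError(resp.get("error_description", "token exchange failed"))
        return {"access_token": resp["access_token"], "id_token": resp["id_token"]}
```

Only the backend holds `client_secret`; the frontend talks to your backend, which proxies both calls.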
The `/passwordless/start` endpoint can accept a `send` parameter. If you omit it, Auth0 defaults to sending an email. However, you can explicitly set `send: "code"` for email or `send: "sms"` to force SMS delivery if you have both configured and want to control the channel.
The next thing you’ll likely want to explore is how to customize the passwordless email or SMS messages Auth0 sends.