To use the Embedded APIs in Regular Web Applications, make sure you enable the Passwordless OTP grant at Auth0 Dashboard > Applications > Applications in your application’s settings under Advanced Settings > Grant Types. Passwordless authentication for Regular Web Applications consists of two steps:
  1. Capture the user identifier in your application (the user’s email address or phone number) and invoke the /passwordless/start endpoint to initiate the passwordless flow. The user receives either a one-time-use code (by email or SMS) or a magic link.
  2. If you did not send a magic link, prompt the user for the one-time-use code and call the /oauth/token endpoint with the Passwordless OTP grant to exchange it for tokens.
Note that when using magic links, you don’t need to call /oauth/token. The user clicks the magic link and is redirected to the application’s callback URL. Below, we list a few code snippets that can be used to call these API endpoints for different scenarios.

Send a one-time-use code via email
curl --request POST \
  --url 'https://{yourDomain}/passwordless/start' \
  --header 'content-type: application/json' \
  --data '{"client_id": "{yourClientId}", "client_secret": "{yourClientSecret}", "connection": "email", "email": "{userEmail}","send": "code"}'
Send a magic link via email

You need to specify send: link.
curl --request POST \
  --url 'https://{yourDomain}/passwordless/start' \
  --header 'content-type: application/json' \
  --data '{"client_id": "{yourClientId}", "client_secret": "{yourClientSecret}", "connection": "email", "email": "{userEmail}","send": "link"}'
Send a one-time-use code via SMS
curl --request POST \
  --url 'https://{yourDomain}/passwordless/start' \
  --header 'content-type: application/json' \
  --data '{"client_id": "{yourClientId}", "client_secret": "{yourClientSecret}", "connection": "sms", "phone_number": "{userPhoneNumber}","send": "code"}'
Authenticate an SMS user
curl --request POST \
  --url 'https://{yourDomain}/oauth/token' \
  --header 'content-type: application/json' \
  --data '{"grant_type": "http://auth0.com/oauth/grant-type/passwordless/otp", "client_id": "{yourClientId}", "client_secret": "{yourClientSecret}", "username": "{userPhoneNumber}", "otp": "{otp}", "realm": "sms", "audience": "{yourApiIdentifier}", "scope": "openid profile email"}'
Authenticate an Email user
curl --request POST \
  --url 'https://{yourDomain}/oauth/token' \
  --header 'content-type: application/json' \
  --data '{"grant_type": "http://auth0.com/oauth/grant-type/passwordless/otp", "client_id": "{yourClientId}", "client_secret": "{yourClientSecret}", "username": "{userEmail}", "otp": "{otp}", "realm": "email", "audience": "{yourApiIdentifier}", "scope": "openid profile email"}'
Authenticate a user through a magic link

When you send a magic link, you don’t need to call an API to authenticate the user. The user clicks the link and is redirected to the application’s callback URL, where your application handles the authentication response as it would for any other login.

Setting the auth0-forwarded-for header for rate-limit purposes

The /passwordless/start endpoint has a rate limit of 50 requests per hour per IP. If you call the API from the server side, every end user shares your backend’s IP address, so it can easily hit this limit. To learn how to address this issue, read the Rate Limiting in Passwordless Endpoints section of Using Passwordless APIs.
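The two-step flow above (start, then token exchange) and the auth0-forwarded-for header are combined in the following server-side helper. This is an added example written for this page, not Auth0’s own code or SDK: the function names build_start_request, build_token_request and post_json are illustrative, while the endpoint paths, JSON fields and grant type are the ones shown in the curl snippets. It checks that the identifier fits the realm before anything is sent (an email address for realm email, an E.164 phone number for realm sms), which catches the easy mistake of passing a phone number to the email realm, and it forwards the end user’s IP address only after validating it as an address.

```python
"""Server-side Auth0 passwordless OTP flow (added example, not Auth0's own code).

build_start_request / build_token_request / post_json are names chosen for this
page. Endpoint paths, body fields and the grant type come from the curl snippets.
"""
import ipaddress
import json
import re
from urllib import request

PASSWORDLESS_OTP_GRANT = "http://auth0.com/oauth/grant-type/passwordless/otp"
E164 = re.compile(r"^\+[1-9]\d{1,14}$")  # loose E.164 shape: '+' then up to 15 digits


def _check_identifier(realm: str, username: str) -> None:
    """Fail fast if the identifier does not fit the realm (email vs sms)."""
    if realm == "email":
        if "@" not in username:
            raise ValueError("realm 'email' expects an e-mail address as username")
    elif realm == "sms":
        if not E164.match(username):
            raise ValueError("realm 'sms' expects an E.164 phone number as username")
    else:
        raise ValueError(f"unsupported realm: {realm!r}")


def build_start_request(domain, client_id, client_secret, connection, identifier,
                        send="code", end_user_ip=None):
    """Step 1: POST /passwordless/start. Returns (url, headers, body)."""
    _check_identifier(connection, identifier)
    if send not in ("code", "link"):
        raise ValueError("send must be 'code' or 'link'")
    body = {"client_id": client_id, "client_secret": client_secret,
            "connection": connection, "send": send}
    # The email connection takes "email"; the sms connection takes "phone_number".
    body["email" if connection == "email" else "phone_number"] = identifier
    headers = {"content-type": "application/json"}
    if end_user_ip is not None:
        # The per-IP rate limit on /passwordless/start would otherwise count every
        # user against the backend's address. Forward the end user's IP, but only
        # after parsing it: ip_address() raises on anything that is not a single
        # literal address, so a raw "X-Forwarded-For: a, b, c" list never gets through.
        # Take end_user_ip from the socket peer or a proxy you trust, not from the client.
        headers["auth0-forwarded-for"] = str(ipaddress.ip_address(end_user_ip))
    return f"https://{domain}/passwordless/start", headers, body


def build_token_request(domain, client_id, client_secret, realm, username, otp,
                        audience, scope="openid profile email"):
    """Step 2: POST /oauth/token with the passwordless OTP grant. Returns (url, headers, body)."""
    _check_identifier(realm, username)
    otp = otp.strip()  # codes are typed by hand; tolerate surrounding whitespace
    if not otp:
        raise ValueError("otp must not be empty")
    body = {"grant_type": PASSWORDLESS_OTP_GRANT, "client_id": client_id,
            "client_secret": client_secret, "username": username, "otp": otp,
            "realm": realm, "audience": audience, "scope": scope}
    return f"https://{domain}/oauth/token", {"content-type": "application/json"}, body


def post_json(url, headers, body, timeout=10):
    """Send a request built above and return the decoded JSON response.

    Raises urllib.error.HTTPError on 4xx/5xx, e.g. 403 for a wrong or expired otp.
    Only ever call this from a confidential (server-side) client: the body
    carries client_secret.
    """
    req = request.Request(url, data=json.dumps(body).encode(), headers=headers,
                          method="POST")
    with request.urlopen(req, timeout=timeout) as resp:
        return json.load(resp)


if __name__ == "__main__":
    # Dry run against placeholder values: build both requests without sending them.
    url, hdrs, body = build_start_request("{yourDomain}", "{yourClientId}", "{yourClientSecret}",
                                          "sms", "+15551234567", end_user_ip="203.0.113.7")
    print(url, hdrs, json.dumps(body))
    url, hdrs, body = build_token_request("{yourDomain}", "{yourClientId}", "{yourClientSecret}",
                                          "sms", "+15551234567", "123456", "{yourApiIdentifier}")
    print(url, hdrs, json.dumps(body))
```

Auth0 honours auth0-forwarded-for only when the application has Trust Token Endpoint IP Header enabled (Advanced Settings > OAuth); without it, the header is ignored and the backend IP is still the one counted. Keep client_secret out of anything that reaches a browser or mobile app: this flow is for Regular Web Applications precisely because the secret stays on the server.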