Skip to content

First Draft Passwordless Auth on DB Connections with Authentication API#1497

Open
avanscoy wants to merge 2 commits into
mainfrom
fix/docs-5547-passwordless-db-update
Open

First Draft Passwordless Auth on DB Connections with Authentication API#1497
avanscoy wants to merge 2 commits into
mainfrom
fix/docs-5547-passwordless-db-update

Conversation

@avanscoy

@avanscoy avanscoy commented Jul 7, 2026

Copy link
Copy Markdown
Contributor

Description

API-based Passwordless Authentication on Database Connections is now available. This doc set contains two new pages and updates the existing article to account for the implicit signup and login capabilities.

References

Testing

Checklist

  • I've read and followed CONTRIBUTING.md.
  • I've tested the site build for this change locally.
  • I've made appropriate docs updates for any code or config changes.
  • I've coordinated with the Product Docs and/or Docs Management team about non-trivial changes.

@avanscoy avanscoy requested a review from a team as a code owner July 7, 2026 21:05
@avanscoy avanscoy added the main-docs Changes related to auth0's main docs (https://auth0.com/docs) label Jul 7, 2026
@github-actions

github-actions Bot commented Jul 7, 2026

Copy link
Copy Markdown
Contributor

Summary

Status Count
🔍 Total 37
✅ Successful 4
⏳ Timeouts 0
🔀 Redirected 0
👻 Excluded 33
❓ Unknown 0
🚫 Errors 0
⛔ Unsupported 0
Full Github Actions output

@mintlify

mintlify Bot commented Jul 7, 2026

Copy link
Copy Markdown
Contributor

Preview deployment for your docs. Learn more about Mintlify Previews.

Project Status Preview Updated (UTC)
auth0 🟢 Ready View Preview Jul 7, 2026, 9:11 PM

💡 Tip: Enable Workflows to automatically generate PRs for you.

@mintlify

mintlify Bot commented Jul 7, 2026

Copy link
Copy Markdown
Contributor

Preview deployment for your docs. Learn more about Mintlify Previews.

Project Status Preview Updated (UTC)
auth0-docs-dev 🟢 Ready View Preview Jul 7, 2026, 9:13 PM

💡 Tip: Enable Workflows to automatically generate PRs for you.

@mintlify

mintlify Bot commented Jul 7, 2026

Copy link
Copy Markdown
Contributor

Preview deployment for your docs. Learn more about Mintlify Previews.

Project Status Preview Updated (UTC)
auth0-docs-staging 🟢 Ready View Preview Jul 7, 2026, 9:13 PM

💡 Tip: Enable Workflows to automatically generate PRs for you.

| --- | --- |
| User exists | At login, Auth0 issues tokens for the existing user. |
| User not found, `allow_signup: true`, signup enabled | At signup, Auth0 creates an account and issues tokens. |
| User not found, signup not allowed | If a user is blocked, Auth0 returns a generic invalid-OTP error such as `invalid_request` or `Invalid or expired OTP code`, regardless of the code entered. |

Copy link
Copy Markdown
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I think the description here might be off. User not found is different than blocked probably? Below we say blocked is a 403 and OTP error is 400 i think


## Default behavior on passwordless database connections

Implicit signup and login is default behvaior. It applies automatically to any connection that uses passwordless options, as long as:

Copy link
Copy Markdown
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Suggested change
Implicit signup and login is default behvaior. It applies automatically to any connection that uses passwordless options, as long as:
Implicit signup and login is default behavior. It applies automatically to any connection that uses passwordless options, as long as:


## Default behavior on passwordless database connections

Implicit signup and login is default behvaior. It applies automatically to any connection that uses passwordless options, as long as:

Copy link
Copy Markdown
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

we should clarify here that the default behavior is automatic only for universal login. api callers have to pass allow_signup: true (you mention that over there)


Implicit signup and login allows a user to move through the passwordless flow whether or not they have an account. After a user verifies with a one-time password (OTP), Universal Login either logs the user into an existing account or offers to create an account on the spot if an account doesn't exist. You no longer need a separate path for **Sign up** vs. **Log in**.

Implicit signup and login removes an error without next steps when a user who enters an unrecognized identifier completes the OTP challenge and then gets an error with no further steps.

Copy link
Copy Markdown
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

This is a little wordy/confusing. maybe something like:

"Previously, unrecognized identifiers led users through an OTP challenge straight into a dead-end error. Implicit signup fixes this workflow by removing the dead end entirely."

Review the following behaviors:

- **Implicit signup**: A user attempts to log in with an identifier without an account. After OTP verification, the user gets a confirmation screen and can create the account.
- **Implicit login**: A user attempts to sign up with an identifier that already has an account. After OTP verification, the user simply logs in without a "account already exists" error.

Copy link
Copy Markdown
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Suggested change
- **Implicit login**: A user attempts to sign up with an identifier that already has an account. After OTP verification, the user simply logs in without a "account already exists" error.
- **Implicit login**: A user attempts to sign up with an identifier that already has an account. After OTP verification, the user simply logs in without an "account already exists" error.


## Actions

Implicit signup creates a real user in the connection, so the same Actions that run during a standard signup also runs for implicit signup. The [Pre-User Registration](/docs/customize/actions/flows-and-triggers/pre-user-registration-flow) and [Post-User Registration](/docs/customize/actions/flows-and-triggers/post-user-registration-flow) triggers fire, followed by [Post-Login](/docs/customize/actions/flows-and-triggers/login-flow). You don't need separate Action logic for implicitly-created users.

Copy link
Copy Markdown
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Suggested change
Implicit signup creates a real user in the connection, so the same Actions that run during a standard signup also runs for implicit signup. The [Pre-User Registration](/docs/customize/actions/flows-and-triggers/pre-user-registration-flow) and [Post-User Registration](/docs/customize/actions/flows-and-triggers/post-user-registration-flow) triggers fire, followed by [Post-Login](/docs/customize/actions/flows-and-triggers/login-flow). You don't need separate Action logic for implicitly-created users.
Implicit signup creates a real user in the connection, so the same Actions that run during a standard signup also run for implicit signup. The [Pre-User Registration](/docs/customize/actions/flows-and-triggers/pre-user-registration-flow) and [Post-User Registration](/docs/customize/actions/flows-and-triggers/post-user-registration-flow) triggers fire, followed by [Post-Login](/docs/customize/actions/flows-and-triggers/login-flow). You don't need separate Action logic for implicitly-created users.

6. Your application calls the [`POST /oauth/token`](/docs/api/authentication/passwordless/get-token) endpoint with the `auth_session` and the user-entered code.
7. The Auth0 Authorization Server verifies the code against the `auth_session` and responds with an ID token and access token (and optionally, a refresh token).

The flow is stateless from your application's perspective. The only value you carry between the two calls is the `auth_session` string returned in step 1. Auth0 determines whether the request is a login or a signup, and whether MFA is required — you don't need to track any of that yourself. To learn more, read [How Auth0 determines login vs. signup](#how-auth0-determines-login-vs-signup).

Copy link
Copy Markdown
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Suggested change
The flow is stateless from your application's perspective. The only value you carry between the two calls is the `auth_session` string returned in step 1. Auth0 determines whether the request is a login or a signup, and whether MFA is required — you don't need to track any of that yourself. To learn more, read [How Auth0 determines login vs. signup](#how-auth0-determines-login-vs-signup).
The flow is stateless from your application's perspective. The only value you carry between the two calls is the `auth_session` string returned in step 4. Auth0 determines whether the request is a login or a signup, and whether MFA is required — you don't need to track any of that yourself. To learn more, read [How Auth0 determines login vs. signup](#how-auth0-determines-login-vs-signup).


User->>App: Enters identifier (email or phone)
App->>Auth0: POST /otp/challenge
Auth0-->>User: Sends OTP (email or SMS)

Copy link
Copy Markdown
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

should we include voice?

Copy link
Copy Markdown
Contributor Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Got it in the next commit

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

main-docs Changes related to auth0's main docs (https://auth0.com/docs)

Projects

None yet

Development

Successfully merging this pull request may close these issues.

2 participants