Validate an Access Token
Set Up Custom SMS Gateway for Passwordless Connections
This guide will show you how to use a custom SMS gateway to send out your one-time-use codes.
Set up a SMS passwordless connection. To learn how, see Set Up Passwordless Connections.
Get an Access Token for Management API. You will need this to make calls to the Management API to update your Passwordless connection.
Use the GET Connections endpoint to retrieve information about the connections associated with your tenant. More specifically, you need to get the ID for your Passwordless SMS connection so that you can use it in a later API call that updates the connection itself.
Be sure to replace
ACCESS_TOKENwith the token you obtained in step 1 before making the following call to the Management API:
Identify your connection ID. You can find the ID associated with your Passwordless connection by reviewing the array of objects you returned from the GET Connections endpoint in step 2.
To find the specific object for your Passwordless connection, you can search for the
"name": "sms"property. Notice that the connection currently displays the Twilio information you provided during the setup process.
Update the connection. You can do this by making a PATCH call to the Update a Connection endpoint. More specifically, you'll be updating the connections
optionsobject to provide information about the SMS Gateway.
You must send the entire
optionsobject with each call; otherwise, you will overwrite the existing data that is not included in subsequent calls.
Make the following changes:
- Remove both the
- Add the
providerparameter, and set it to
- Add the
gateway_urlparameter, and set it to the URL of your SMS gateway. Auth0 must be able to reach this URL for it to use your gateway to send messages on your behalf)
Your payload will look something like the following:
- Remove both the
Opaque Access Tokens
If your SMS Gateway accepts authenticated requests that are token-based, you can add the following to your
When you include
gateway_authentication in your options object, Auth0 adds a JSON Web Token to the
Authorization header whenever it sends requests to your SMS gateway. The token contains the
gateway_authentication.audience values, and is signed with
If your secret is base64-url-encoded, set
- Once you have updated your connection, Auth0 will send the following to your SMS Gateway every time a user signs up or logs in with your Passwordless connection.
If you set the
forward_req_info property in the **options object to
true, the gateway will also receive information from the HTTP request that initiated the Passwordless process. This includes the IP address of the client calling
/passwordless/start and its User Agent.
JSON Web Token (JWT) Access Tokens
Auth0 will only consider the HTTP code returned from the SMS Gateway; it ignores the rest of the response (e.g., response body and response type).
If the SMS Gateway returns an HTTP code other than 200, the
/passwordless/start endpoint will return an HTTP 400 code and a response the looks like the following:
If the SMS Gateway returns HTTP 401, the
error_description will be Authentication failed while calling the SMS gateway: 401. (Please note that the error description verbiage is subject to change at any time.)