Set Up Passwordless Connections

This guide will show you how to set up a connection for Passwordless Authentication using Auth0's Dashboard.

Before you begin, determine which method of passwordless authentication you would like to provide for your users: SMS or Email. Then choose the correct option below to learn how to configure the passwordless connection for that method:

SMS

Twilio Account

Before proceeding, you will need a valid Twilio account. Auth0 will use your Twilio Application SID and Auth Token to send SMS messages to users.

If you would like to use your own SMS gateway, you will first need to set up your passwordless connection to use Twilio and then modify the connection using our Management API. To learn how to modify the connection to use your own SMS gateway, see Configure SMS Gateway for Passwordless Connections.

  1. Navigate to the Connections > Passwordless page in the Auth0 Dashboard, and enable the SMS toggle.

  2. Enter your Twilio Account SID and Twilio Auth Token.

    To learn how to find your Twilio SID and Auth Token, see Twilio docs about the Application SID and Auth Token.

  3. Select your SMS Source, which is the number your users will see as the sender of the SMS. If you've chosen Twilio Copilot, then enter your Twilio Messaging Service SID; otherwise, enter a From phone number.

    Twilio Copilot is an app that can improve your SMS delivery by providing phone number and content intelligence. To learn more about using Twilio Copilot with your Passwordless SMS messages, see Sending Messages with Copilot.

  4. In Message, enter the body text of the SMS and customize as necessary.

    Message syntax

    The body of the message accepts either Markdown or Liquid syntax. If you choose to use Liquid, you can programmatically construct elements of the message by including variables inside {{ }}. For Markdown, use @@ @@.

    You must include the password or code variable because it is the placeholder for the one-time-use code that will be sent to the user.

    Commonly used available variables include:

    | Variable | Description |
    | --- | --- |
    | password or code | One-time-use code sent to the authenticating user. Make sure that your message includes this variable because it is the placeholder that will be replaced with the one-time-use code that is sent to the user. |
    | application.name | Name of the application to which the user is logging in. |
    | request_language | Requested language for the message's content. |

    Message language

    You can change the language for your SMS messages by using the passwordless/start endpoint to set the x-request-language header to the language of your choice. If not set, the language used will be extracted from the accept-language header, which is automatically set by your browser.

  5. Adjust settings for your OTP Expiry and OTP Length.

    | Parameter | Description |
    | --- | --- |
    | OTP Expiry | Amount of time (in seconds) before the one-time-use code expires. |
    | OTP Length | Character length of the one-time-use code. |

    If you choose to extend the OTP Expiry time, then you should also increase the OTP Length. Otherwise, malicious parties have a longer timeframe to try to guess a short OTP, which increases security risks.

  6. Control sign-ups

    To only allow sign-ups via the Auth0 Authentication API or Dashboard, enable the Disable Sign-Ups toggle.

    Enable your apps

    Click the Applications tab, and enable the toggle(s) for the application(s) for which you would like to use the Passwordless connection.

Email

  1. Navigate to the Connections > Passwordless page in the Auth0 Dashboard, and enable the Email toggle.

  2. Enter the email address you want users to see as the sender in the From field, and set the Subject for your email.

    If you want to use a custom template for your email message, the From email address must not include the auth0.com domain. Otherwise, the default email template will be sent.

  3. In Body, enter the body text of the Email and customize as necessary.

    By default, your email message will use Auth0's email template. If you want to use a custom template for your email message, enter its HTML.

    If you use a custom template for your email message, the From email address must not include the auth0.com domain. Otherwise, the default email template will be sent.

    To revert changes made to the email template, you can either reset to last saved template or reset to default template.

    Message syntax

    The template editor accepts Liquid syntax embedded within the HTML, which allows you to programmatically construct parts of your message by including variables inside {{ }}.

    You must include the password or code variable because it is the placeholder for the one-time-use code that will be sent to the user.

    Commonly used available variables include:

    | Variable | Description |
    | --- | --- |
    | password or code | One-time-use code sent to the authenticating user. Make sure that your message includes this variable because it is the placeholder that will be replaced with the one-time-use code that is sent to the user. |
    | application.name | Name of the application to which the user is logging in. |
    | request_language | Requested language for the message's content. |

    For other possible variables, see Customizing your Emails: Passwordless Email.

    Message language

    You can change the language for your email messages by using the passwordless/start endpoint to set the x-request-language header to the language of your choice. If not set, the language used will be extracted from the accept-language header, which is automatically set by your browser.

  4. Enter any Authentication Parameters you would like to include in the generated sign-in link; these parameters will be passed in the query string.

    For example, you may want to request permission to access user profile information.

  5. Adjust settings for your OTP Expiry and OTP Length.

    | Parameter | Description |
    | --- | --- |
    | OTP Expiry | Amount of time (in seconds) before the one-time-use code expires. |
    | OTP Length | Character length of the one-time-use code. |

    If you choose to extend the OTP Expiry time, then you should also increase the OTP Length. Otherwise, malicious parties have a longer timeframe to try to guess a short OTP, which increases security risks.

  6. Control sign-ups

    To only allow sign-ups via the Auth0 Authentication API or Dashboard, enable the Disable Sign-Ups toggle.

    Enable your apps

    Click the Applications tab, and enable the toggle(s) for the application(s) for which you would like to use the Passwordless connection.
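The OTP Expiry and OTP Length guidance in both the SMS and Email sections can be quantified. The following is an added example, not Auth0 code: it estimates the chance that a code is guessed before it expires and finds the shortest length that stays within a risk budget. It assumes numeric codes, and the guess rate, risk budget and `attempt_limit` parameter are hypothetical inputs chosen for illustration.

```python
import math


def guess_probability(otp_length, expiry_seconds, guesses_per_second,
                      alphabet_size=10, attempt_limit=None):
    """Chance of guessing one code before it expires.

    Distinct guesses against N equally likely codes succeed with
    probability n / N, where n is how many guesses fit in the window.
    attempt_limit is a hypothetical per-code cap on wrong attempts.
    """
    keyspace = alphabet_size ** otp_length
    guesses = math.floor(expiry_seconds * guesses_per_second)
    if attempt_limit is not None:
        guesses = min(guesses, attempt_limit)
    return min(1.0, guesses / keyspace)


def min_length_for(expiry_seconds, guesses_per_second, max_probability,
                   alphabet_size=10):
    """Smallest OTP Length that keeps the guess probability within budget."""
    if not 0 < max_probability <= 1:
        raise ValueError("max_probability must be in (0, 1]")
    length = 1
    while guess_probability(length, expiry_seconds, guesses_per_second,
                            alphabet_size) > max_probability:
        length += 1
    return length


if __name__ == "__main__":
    # Constructed sample settings, not values taken from the page.
    rate, budget = 1.0, 0.0002
    for expiry in (180, 600, 1800, 3600):
        p6 = guess_probability(6, expiry, rate)
        needed = min_length_for(expiry, rate, budget)
        print(f"expiry={expiry:>4}s  P(guess, length 6)={p6:.5f}  "
              f"min length for budget {budget}: {needed}")
```

With these sample inputs, each tenfold increase in expiry costs one extra character of length to hold the same risk, while a cap on wrong attempts makes the probability independent of the expiry.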
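The Message syntax rules for the SMS and Email templates can be checked before a template is saved. The following is an added example, not part of Auth0's tooling: a small linter that extracts Liquid `{{ }}` and Markdown `@@ @@` variables and reports a missing one-time-code placeholder. The function names and sample templates are constructed for illustration, and variables outside the page's table are only flagged for review because the page lists commonly used variables, not all of them.

```python
import re

# Variable name right after "{{" (Liquid) or between "@@ ... @@" (Markdown).
LIQUID_VAR = re.compile(r"\{\{-?\s*([A-Za-z_][\w.]*)")
MARKDOWN_VAR = re.compile(r"@@\s*([A-Za-z_][\w.]*)\s*@@")

OTP_VARS = {"password", "code"}
LISTED_VARS = OTP_VARS | {"application.name", "request_language"}


def template_variables(body):
    """Return the set of variable names referenced in a message template."""
    return set(LIQUID_VAR.findall(body)) | set(MARKDOWN_VAR.findall(body))


def check_template(body):
    """Return a list of findings; an empty list means the template passes."""
    found = template_variables(body)
    findings = []
    if not found & OTP_VARS:
        findings.append("missing OTP placeholder (password or code)")
    for name in sorted(found - LISTED_VARS):
        findings.append(f"review variable not listed on the page: {name}")
    if body.count("{{") != body.count("}}"):
        findings.append("unbalanced {{ }} delimiters")
    return findings


if __name__ == "__main__":
    # Constructed sample templates.
    samples = [
        "Your code for {{ application.name }} is {{ code }}",
        "Your verification code is: @@password@@",
        "Welcome to {{ application.name }}!",
        "Hi {{ user.name }}, your code is {{ code",
    ]
    for body in samples:
        print(repr(body), "->", check_template(body) or "ok")
```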