> ## Documentation Index
> Fetch the complete documentation index at: https://docs-dev-docs-event-stream-action-templates.mintlify.site/llms.txt
> Use this file to discover all available pages before exploring further.

# Get Code or Link

> Send a one-time code or magic link to a user's email or phone to start passwordless authentication.

## Endpoint

`POST /passwordless/start`

Passwordless connections do not require the user to remember a password. Instead, another mechanism is used to prove identity, such as a one-time code sent through email or SMS, every time the user logs in.

You have three options for [passwordless authentication](https://auth0.com/docs/authenticate/passwordless):

* Send a verification code using email.
* Send a link using email.
* Send a verification code using SMS.

### Remarks

* If you sent a verification code, using either email or SMS, after you get the code, you have to authenticate the user using the [/passwordless/verify endpoint](/passwordless/authenticate-user), using `email` or `phone_number` as the `username`, and the verification code as the `password`.
* This endpoint is designed to be called from the client-side, and is subject to \[rate limits][https://auth0.com/docs/troubleshoot/customer-support/operational-policies/rate-limit-policy](https://auth0.com/docs/troubleshoot/customer-support/operational-policies/rate-limit-policy)).
* The sample auth0.js script uses the library version 8. If you are using auth0.js version 7, please see this [reference guide](/libraries/auth0js/v7).

### Error Codes

For the complete error code reference for this endpoint refer to [Errors > POST /passwordless/start](#post-passwordless-start).

### Learn More

* [Passwordless Authentication](https://auth0.com/docs/authenticate/passwordless)
* [Passwordless Best Practices](https://auth0.com/docs/authenticate/passwordless/best-practices)

## Body Parameters

<ParamField body="client_id" type="string" required>
  The `client_id` of your application.
</ParamField>

<ParamField body="client_assertion" type="string">
  A JWT containing a signed assertion with your application's credentials. Required when Private Key JWT is your application authentication method.
</ParamField>

<ParamField body="client_assertion_type" type="string">
  Use the value `urn:ietf:params:oauth:client-assertion-type:jwt-bearer`. Required when Private Key JWT is the application authentication method.
</ParamField>

<ParamField body="client_secret" type="string">
  The `client_secret` of your application. Required for Regular Web Applications **only**.
</ParamField>

<ParamField body="connection" type="string" required>
  How to send the code/link to the user. Use `email` to send via email, or `sms` to send via SMS.

  Allowed values: `email`, `sms`
</ParamField>

<ParamField body="email" type="string">
  Set this to the user's email address when `connection=email`.
</ParamField>

<ParamField body="phone_number" type="string">
  Set this to the user's phone number when `connection=sms`.
</ParamField>

<ParamField body="send" type="string">
  Use `link` to send a link or `code` to send a verification code. If null, a link will be sent.

  Allowed values: `link`, `code`
</ParamField>

<ParamField body="authParams" type="object">
  Any authentication parameters that you would like to add, such as `scope`, `state`, `redirect_uri`, etc.

  <Expandable title="properties">
    <ParamField body="scope" type="string">
      OAuth scopes.
    </ParamField>

    <ParamField body="state" type="string">
      State parameter for maintaining state between the request and callback.
    </ParamField>
  </Expandable>
</ParamField>

## Response Messages

| Status | Description                               |
| ------ | ----------------------------------------- |
| 200    | Code or link sent successfully.           |
| 400    | Bad Request. Invalid parameters.          |
| 401    | Unauthorized. Invalid client credentials. |