
feat : Added passwordless API for DB-Connections #989

Merged: pmathew92 merged 6 commits into main from SDK-9651 on Jun 25, 2026

@pmathew92 pmathew92 commented Jun 23, 2026


Changes

Adds support for the database-connection passwordless (OTP) authentication flow via a new PasswordlessClient.

This drives a two-step flow against a database connection that has email_otp or phone_otp enabled:

  1. Challenge — challengeWithEmail(...) / challengeWithPhoneNumber(...) issue a one-time code (POST /otp/challenge) and return an opaque PasswordlessChallenge containing an auth_session.
  2. Login — loginWithOTP(authSession, otp) exchanges the session and code for Credentials using the passwordless-OTP grant (POST /oauth/token).

This is distinct from the SDK's existing /passwordless/start flow.

What's included

  • PasswordlessClient — new sub-client obtained from AuthenticationAPIClient.passwordlessClient().
  • PasswordlessChallenge — result type wrapping the opaque auth_session.
  • DeliveryMethod — TEXT / VOICE enum for phone challenges.
  • AuthenticationAPIClient.passwordlessClient() — factory method that forwards the client's private dPoP instance.

Testing

  • PasswordlessClientTest — 17 tests covering challenge request params/defaults, loginWithOTP params and credentials, API error propagation, blank-input validation (no network call), and wire-level DPoP behavior (proof present
    on /oauth/token, absent on /otp/challenge).
  • AuthenticationAPIClientTest — wiring test for passwordlessClient().

Checklist

Summary by CodeRabbit

  • New Features
    • Added passwordless OTP support for database-connection flows, including an API to request OTP challenges (email/phone) and exchange auth_session plus OTP for credentials.
    • Added selectable phone delivery method (text/voice).
  • Tests
    • Added unit/Robolectric tests covering challenge and login requests, input validation, error propagation, and DPoP request behavior.
  • Chores
    • Updated ignore rules to exclude the docs/ directory.
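
The two-step flow and the request-level properties listed under Testing, modelled as an added, self-contained Kotlin example (not code from this PR or from the Auth0 SDK). The class names, the `email`, `connection` and `otp` parameter keys, the sample values and the use of IllegalArgumentException are assumptions; the grant type parameter is left out because its value is not given here.

```kotlin
// Added illustration: a stand-alone model, not the SDK's PasswordlessClient.
// Assumed: every name below, all parameter keys except auth_session, all sample values.
data class Sent(val path: String, val params: Map<String, String>, val headers: Map<String, String>)

// Records what would go on the wire instead of calling a real tenant.
class FakeTransport {
    val sent = mutableListOf<Sent>()
    fun post(path: String, params: Map<String, String>,
             headers: Map<String, String> = emptyMap()): Map<String, String> {
        sent += Sent(path, params, headers)
        return if (path == "/otp/challenge") mapOf("auth_session" to "constructed-opaque-session")
        else mapOf("access_token" to "constructed-token")
    }
}

class ModelPasswordlessClient(private val http: FakeTransport, private val dpopProof: (() -> String)?) {
    // Fails before any request is built; the SDK raises AuthenticationException instead.
    private fun requireNotBlank(value: String, name: String) =
        require(value.isNotBlank()) { "$name must not be blank" }

    // Step 1: issue the code. No DPoP proof is attached to /otp/challenge.
    fun challengeWithEmail(email: String, connection: String): String {
        requireNotBlank(email, "email")
        requireNotBlank(connection, "connection")
        return http.post("/otp/challenge", mapOf("email" to email, "connection" to connection))
            .getValue("auth_session")
    }

    // Step 2: exchange session + code. The proof is attached only here.
    fun loginWithOtp(authSession: String, otp: String): Map<String, String> {
        requireNotBlank(authSession, "auth_session") // assumed: both inputs are checked locally
        requireNotBlank(otp, "otp")
        val headers = dpopProof?.let { mapOf("DPoP" to it()) } ?: emptyMap()
        return http.post("/oauth/token", mapOf("auth_session" to authSession, "otp" to otp), headers)
    }
}

fun main() {
    val http = FakeTransport()
    val client = ModelPasswordlessClient(http, dpopProof = { "constructed-dpop-proof" })
    val session = client.challengeWithEmail("user@example.com", "my-db-connection")
    client.loginWithOtp(session, "123456")
    check(http.sent[0].path == "/otp/challenge" && "DPoP" !in http.sent[0].headers)
    check(http.sent[1].path == "/oauth/token" && http.sent[1].headers["DPoP"] == "constructed-dpop-proof")
    // A blank session is rejected locally: the request count stays at two.
    check(runCatching { client.loginWithOtp("  ", "123456") }.isFailure && http.sent.size == 2)
    println("proof absent on challenge, present on token exchange, blank input never sent")
}
```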


coderabbitai Bot commented Jun 23, 2026


Note

Reviews paused

It looks like this branch is under active development. To avoid overwhelming you with review comments due to an influx of new commits, CodeRabbit has automatically paused this review. You can configure this behavior by changing the reviews.auto_review.auto_pause_after_reviewed_commits setting.


No actionable comments were generated in the recent review. 🎉


📥 Commits

Reviewing files that changed from the base of the PR and between 6fba199 and ec3de19.

📒 Files selected for processing (1)
  • EXAMPLES.md

Walkthrough

Adds a new PasswordlessClient for Auth0 database-connection passwordless OTP flows, plus PasswordlessChallenge and DeliveryMethod. Wires the client into AuthenticationAPIClient, adds tests and documentation, and updates .gitignore to ignore docs/.

Changes

Passwordless Login Feature

| Layer / File(s) | Summary |
|---|---|
| Result model and DeliveryMethod enum: auth0/src/main/java/com/auth0/android/result/PasswordlessChallenge.kt, auth0/src/main/java/com/auth0/android/authentication/passwordless/DeliveryMethod.kt | Defines PasswordlessChallenge for auth_session and DeliveryMethod values for phone challenge delivery methods. |
| PasswordlessClient implementation: auth0/src/main/java/com/auth0/android/authentication/passwordless/PasswordlessClient.kt | Implements PasswordlessClient construction, challenge and login request builders, shared challenge request setup, request validation, endpoint constants, and error adaptation. |
| AuthenticationAPIClient factory method: auth0/src/main/java/com/auth0/android/authentication/AuthenticationAPIClient.kt | Adds passwordlessClient() to AuthenticationAPIClient and imports PasswordlessClient. |
| Passwordless client tests: auth0/src/test/java/com/auth0/android/authentication/PasswordlessClientTest.kt, auth0/src/test/java/com/auth0/android/authentication/AuthenticationAPIClientTest.kt | Adds coverage for challenge and login request shapes, defaults, validation, error propagation, DPoP header behavior, and a factory smoke test. |
| Passwordless examples documentation: EXAMPLES.md | Adds table-of-contents entries and a passwordless OTP guide covering challenge issuance, login completion, DPoP behavior, and scope behavior. |

gitignore update

| Layer / File(s) | Summary |
|---|---|
| .gitignore docs/ ignore rule: .gitignore | Adds docs/ under the Internal planning docs ignore rules. |

Estimated code review effort

🎯 3 (Moderate) | ⏱️ ~25 minutes

Poem

🐇 I hop through OTP with a twitch of my nose,
A challenge, a code, and the login unfolds.
PasswordlessClient in a neat little line,
With tests and docs helping the path stay fine.
I nibble a carrot, then bounce on my way,
With DPoP and scopes in their proper bouquet.

🚥 Pre-merge checks | ✅ 4 | ❌ 1

❌ Failed checks (1 warning)

| Check name | Status | Explanation | Resolution |
|---|---|---|---|
| Docstring Coverage | ⚠️ Warning | Docstring coverage is 12.82% which is insufficient. The required threshold is 80.00%. | Write docstrings for the functions missing them to satisfy the coverage threshold. |

✅ Passed checks (4 passed)

| Check name | Status | Explanation |
|---|---|---|
| Description Check | ✅ Passed | Check skipped - CodeRabbit’s high-level summary is enabled. |
| Title check | ✅ Passed | The title accurately describes the main change: adding passwordless API support for database connections. |
| Linked Issues check | ✅ Passed | Check skipped because no linked issues were found for this pull request. |
| Out of Scope Changes check | ✅ Passed | Check skipped because no linked issues were found for this pull request. |


@pmathew92 pmathew92 marked this pull request as ready for review June 24, 2026 04:35
@pmathew92 pmathew92 requested a review from a team as a code owner June 24, 2026 04:35

@coderabbitai coderabbitai Bot left a comment


🧹 Nitpick comments (1)
auth0/src/main/java/com/auth0/android/authentication/passwordless/PasswordlessClient.kt (1)

95-99: 📐 Maintainability & Code Quality | 🔵 Trivial

Add @JvmOverloads on defaulted public APIs for Java interop.

Both challengeWithEmail and challengeWithPhoneNumber expose default parameters but lack Java overloads, forcing Java consumers to pass optional values explicitly. Adding @JvmOverloads aligns with the established pattern in AuthenticationAPIClient.kt and ensures parity between Kotlin and Java APIs.

♻️ Proposed change
+    `@JvmOverloads`
     public fun challengeWithEmail(
         email: String,
         connection: String,
         allowSignup: Boolean = false
     ): Request<PasswordlessChallenge, AuthenticationException> {
@@
+    `@JvmOverloads`
     public fun challengeWithPhoneNumber(
         phoneNumber: String,
         connection: String,
         deliveryMethod: DeliveryMethod = DeliveryMethod.TEXT,
         allowSignup: Boolean = false
     ): Request<PasswordlessChallenge, AuthenticationException> {
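Review bot: On challengeWithPhoneNumber, @JvmOverloads only drops trailing defaulted parameters, so Java callers get the (phoneNumber, connection), (phoneNumber, connection, deliveryMethod) and full four-argument forms but no overload that sets allowSignup while leaving deliveryMethod at DeliveryMethod.TEXT; state that in the KDoc so Java consumers know they must pass deliveryMethod explicitly to enable signup. Both added lines also show the annotation wrapped in backticks, which is a rendering artifact: apply it as plain @JvmOverloads. The generated overloads keep allowSignup = false, so the restrictive default carries over to Java callers.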
🤖 Prompt for AI Agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

In
`@auth0/src/main/java/com/auth0/android/authentication/passwordless/PasswordlessClient.kt`
around lines 95 - 99, The challengeWithEmail and challengeWithPhoneNumber
methods in PasswordlessClient.kt expose default parameters but lack proper Java
interoperability. Add the `@JvmOverloads` annotation to both the
challengeWithEmail and challengeWithPhoneNumber method signatures to
automatically generate Java overloads for each parameter combination. This will
allow Java consumers to call these methods without explicitly passing optional
values, following the established pattern used in AuthenticationAPIClient.kt and
ensuring consistency across the API.

Source: Coding guidelines


📥 Commits

Reviewing files that changed from the base of the PR and between 14de74b and 3c0320b.

📒 Files selected for processing (8)
  • .gitignore
  • EXAMPLES.md
  • auth0/src/main/java/com/auth0/android/authentication/AuthenticationAPIClient.kt
  • auth0/src/main/java/com/auth0/android/authentication/passwordless/DeliveryMethod.kt
  • auth0/src/main/java/com/auth0/android/authentication/passwordless/PasswordlessClient.kt
  • auth0/src/main/java/com/auth0/android/result/PasswordlessChallenge.kt
  • auth0/src/test/java/com/auth0/android/authentication/AuthenticationAPIClientTest.kt
  • auth0/src/test/java/com/auth0/android/authentication/PasswordlessClientTest.kt

subhankarmaiti previously approved these changes Jun 24, 2026

@sanchitmehtagit sanchitmehtagit left a comment


LGTM

@JvmOverloads
public fun challengeWithEmail(
email: String,
connection: String,


nit: should we add a default connection of "Username-Password-Authentication"? Since it's the built-in database connection created for every Auth0 tenant, does it make sense to have it as the default?

@pmathew92 pmathew92 Jun 24, 2026


Valid point. But none of our existing embedded APIs, like ROPG, have the default value set to Username-Password-Authentication. Keeping it consistent with existing APIs.

@pmathew92 pmathew92 dismissed stale reviews from sanchitmehtagit and subhankarmaiti via 6fba199 June 24, 2026 11:51

@coderabbitai coderabbitai Bot left a comment


Caution

Some comments are outside the diff and can’t be posted inline due to platform limitations.

⚠️ Outside diff range comments (1)
auth0/src/main/java/com/auth0/android/authentication/passwordless/PasswordlessClient.kt (1)

213-227: 🎯 Functional Correctness | 🟡 Minor | ⚡ Quick win

Validate the challenge auth session before posting.

Line 213 sends passwordlessChallenge.authSession, but the validator only checks otp. A blank auth_session should fail locally with the same typed AuthenticationException pattern instead of making a doomed token request.

Proposed fix
         ).apply {
             addParameters(parameters)
             addValidator(object : RequestValidator {
                 override fun validate(options: RequestOptions) {
+                    requireNotBlank(passwordlessChallenge.authSession, AUTH_SESSION_KEY)
                     requireNotBlank(otp, ONE_TIME_PASSWORD_KEY)
                 }
             })
         }
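Review bot: The added requireNotBlank(passwordlessChallenge.authSession, AUTH_SESSION_KEY) line references AUTH_SESSION_KEY, which the visible context does not declare, so confirm the constant exists alongside ONE_TIME_PASSWORD_KEY before applying this. Pair the change with a test asserting that a blank auth_session fails inside validate with no request sent, matching the blank-input coverage already described for the other inputs, and keep passing only the key name to requireNotBlank so the session value itself never ends up in an error message.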
🤖 Prompt for AI Agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

In
`@auth0/src/main/java/com/auth0/android/authentication/passwordless/PasswordlessClient.kt`
around lines 213 - 227, The PasswordlessClient request currently validates only
the OTP, so a blank auth session can still reach the token endpoint. Update the
request validation in PasswordlessClient to also check
passwordlessChallenge.authSession before posting, using the same
requireNotBlank/AuthenticationException flow as the OTP validation so failures
are raised locally and consistently.

📥 Commits

Reviewing files that changed from the base of the PR and between 480b64f and 6fba199.

📒 Files selected for processing (3)
  • EXAMPLES.md
  • auth0/src/main/java/com/auth0/android/authentication/passwordless/PasswordlessClient.kt
  • auth0/src/test/java/com/auth0/android/authentication/PasswordlessClientTest.kt
🚧 Files skipped from review as they are similar to previous changes (2)
  • auth0/src/test/java/com/auth0/android/authentication/PasswordlessClientTest.kt
  • EXAMPLES.md

@pmathew92 pmathew92 merged commit d9f8db1 into main Jun 25, 2026
7 checks passed
@pmathew92 pmathew92 deleted the SDK-9651 branch June 25, 2026 09:40
@pmathew92 pmathew92 mentioned this pull request Jun 29, 2026