Our app uses email-based passwordless login (OTP via Auth0) as the only authentication method ; not as a second factor. Every user logs in this way.
The submission guidelines mention that test credentials shouldn’t use MFA or “email verification schemes”, but that language seems aimed at traditional 2FA flows (password + OTP). In our case, the OTP is the login — there’s no password step at all.
Has anyone else run into this during app review? Is there an accepted way to provide test credentials when your entire auth system is built around a single passwordless connection?
Creating a separate password-based test account isn’t straightforward when the whole auth setup uses a single passwordless Auth0 connection. Any guidance from the team or others who’ve navigated this would be appreciated.