Hey Kevin – so sorry about that, I misread “node.js” as “next.js” and gave you instructions for our frontend JavaScript SDK rather than our backend Node SDK. My apologies!
If you’re using our backend Node SDK, you’ll need to include either the session_token or session_jwt produced by your call to the Create user by password endpoint in your calls to the above Send endpoint and the corresponding Authenticate endpoint (either Authenticate magic link or Authenticate one-time passcode).
This will make it so that a password reset won’t be required after email verification, which (as you discovered) we do otherwise require if a Passwords user authenticates via a passwordless option for the first time in order to prevent an account takeover attack vector (see here for additional information).
Using the above strategy, you should be able to implement the user experience you’re looking for. Please let me know if you have any questions about this, and I apologize again for the confusion!