Verify phone using SMS OTP

Overview

One-time passcodes can be sent to users by SMS in order to verify their phone number. For example, this can be used to enrich the profile of existing users that are already logged in. Once the SMS passcode is validated, the phone number will be added to the user profile and marked as verified. Unlike the authentication flows, users will not be authenticated (or created) and no tokens will be returned.

Step 1: Send SMS passcodes

Use a send request like the one below to send an SMS OTP to the specified phone number. This flow is described in the sequence diagram above.

Note

This flow requires an existing, logged-in user. So make sure you have a valid user access token (returned upon successful authentication) to authorize the request.

Copy
Copied
curl --request POST \
     --url https://api.transmitsecurity.io/cis/v1/verification/otp/sms/send \
     --header 'Accept: application/json' \
     --header 'Authorization: Bearer 91827321837bdfjf' \
     --header 'Content-Type: application/json' \
     --data '
{
     "phone_number": "+15125555555"
}
'

Step 2: Validate SMS passcodes

Validate the SMS OTP entered by the user using a validation request like the one below. Once validated, the phone number will be added to the user profile and marked as verified. Since this flow is intended for existing users that are logged in, the user won't be authenticated (or created) and no tokens will be returned. This flow is described in the sequence diagram above.

Copy
Copied
curl --request POST \
     --url https://api.transmitsecurity.io/cis/v1/verification/otp/sms/validate \
     --header 'Accept: application/json' \
     --header 'Authorization: Bearer 91827321837bdfjf' \
     --header 'Content-Type: application/json' \
     --data '{
         "passcode": "123456",
         "phone_number": "+15125555555"
     }
'

Next steps

Once you've completed a basic integration, here are some customizations you can consider:

SMS customization

To create a custom SMS message, use the custom_message field in the send request, which must include these placeholders:

  • {app} which will be replaced with your app name and prevent phishing attacks
  • {otp} which will be replaced with the code

You can also specify the sender_id, which is the name of the message sender (see limitations).

Here's an example of a request that includes a custom SMS message:

Copy
Copied
import fetch from 'node-fetch';

async function run() {
  const resp = await fetch(
    `https://api.transmitsecurity.io/cis/v1/verification/otp/sms/send`,
    {
      method: 'POST',
      headers: {
        'Content-Type': 'application/json',
        Authorization: 'Bearer [USER_ACCESS_TOKEN]' // User must be logged in
      },
      body: JSON.stringify({
        custom_message: 'Your {app} verification code is: {otp}', // Example
        sender_id: 'ACME', // Example
        phone_number: '[PHONE_NUMBER]' // The phone number to send the code to
      })
    }
  );

  const data = await resp.json();
  console.log(data);
}

run();

OTP settings

From the Admin Portal ( Authentication > Authentication methods > One-time passcodes), you can configure the OTP policy for your app:

  • Expiration time : set the OTP expiration period in minutes.
  • Failed attempts lockout policy : set the number of failed login attempts that trigger a temporary user lockout and specify the lockout duration in minutes.
  • Code length : set the length of the one-time code.

Custom SMS provider

In the Admin Portal (from Settings > SMS Provider), you can configure to use Twilio as your SMS provider instead of the Mosaic default. For example, this allows you to customize the sender name per country. For more, see Use custom SMS providers.