Imported data
Open-Gateway API V2
This API provides methods to obtain the capabilities of CAMARA project in mas-stack.
This API can verify or retrieve the mobile phone number that is currently allocated by the network operator to the SIM in the end user's device
In this API phone number refers to the mobile phone number.
Introduction
The Number Verification API is used by the API consumer to perform real-time checks to verify the phone number of a mobile device being used to access the application. This check can be done either by the API provider, returning "true" or "false", or by the application, by matching the phone number returned by the API Provider with the phone number of the device that is being used.
It uses silent authentication (Network-based authentication or SIM-Based authentication) to verify possession of a phone number in the background without requiring user interaction. There are neither one-time passwords (OTP) received by SMS nor authenticator app downloads, so it is much simpler. It can be used at sign up, login, or transaction time to validate that a user's SIM is not spoofed or cloned.
Relevant Definitions and Concepts
- Network-Based Authentication: Authentication mechanism based on the identification of the mobile phone. A network operator knows to which subscriber a connected mobile phone belongs and what its associated phone number is.
- SIM-Based Authentication: Authentication mechanism based on the identification of the subscriber's SIM installed in the user's device. This mechanism relies on temporary tokens provided by the operator, as defined by GSMA TS.43 and GSMA ASAC.
API Functionality
This API enables an API Consumer to verify or retrieve the phone number of the mobile device being used to access their service.
The Authentication Request
Authentication Request with a temporary token
If the API Consumer has a TS.43 temporary token created on the mobile device then this API works over all connections e.g. WiFi taking advantage of the SIM-Based authentication.
The API Consumer sends the temporary token to their backend which sends a CIBA Authentication Request, as described in the current release CAMARA APIs Access and User Consent Management, with a parameter "login_hint=operatortoken:
Authentication Request without a temporary token
If the API Consumer does not have a TS.43 temporary token then the API Consumer must use OpenId Connect Authorization Code Flow as described in the current release of CAMARA APIs Access and User Consent Management. For this method of authentication to work, the device must be connected to the mobile network.
Resources and Operations overview
This API currently provides two endpoints which both require a 3-legged token obtained by using one of the two methods indicated in The Authentication Request section. This therefore excludes using, for example, SMS/OTP or user/password as an authentication method:
- The /verify endpoint checks whether the mobile phone number registered by the user with the API consumer matches the one actually associated with the mobile device. It can receive either a hashed or a plain text phone number as input. It compares the received phone number with the user's phone number associated to the access token in order to respond true/false.
- The /device-phone-number endpoint returns the phone number associated by the network operator with the SIM in the end user's device.
Sequence Diagram
The following sequence diagram shows an example of a direct integration into the developer's application and the API Provider's Authorization Server and API for the case that no temporary token is available.
Implementation Details:
-
(1): Authentication must be automatic without any user interactions. Authentication methods such as SMS OTP or user/password are incompatible, as the goal is to validate the mobile phone number that is accessing the App.
The API Consumer should use the request parameter prompt=none in the Authentication Request, as described in OIDC Connect, ensuring no user interaction.
The API Provider implies the request parameter prompt=none in the Authentication Request for this API.
-
(2): The way in which the phone number is retrieved depends upon the implementation. For example, the access token may be a self-contained encrypted JWT, and so the API provider can decrypt and identify phone number directly from the access token. Other implementations might retrieve the phone number associated with the access token from their Authorization Server.
Authorization and authentication
The "Camara Security and Interoperability Profile" provides details of how an API consumer requests an access token. Please refer to Identity and Consent Management for the released version of the profile.
The specific authorization flows to be used will be agreed upon during the onboarding process, happening between the API consumer and the API provider, taking into account the declared purpose for accessing the API, whilst also being subject to the prevailing legal framework dictated by local legislation.
In cases where personal data is processed by the API and users can exercise their rights through mechanisms such as opt-in and/or opt-out, the use of three-legged access tokens is mandatory. This ensures that the API remains in compliance with privacy regulations, upholding the principles of transparency and user-centric privacy-by-design.
In the case of the Number Verification API scenario and according to the API definition, 3-legged access tokens must be used by API clients to invoke this API with dedicated scope. The API client must authenticate on behalf of a specific user to use this service. This must be done via mobile network authentication.
Base URLs
production
staging
Resources
| Resource | Description |
|---|---|
| Number Verification | API operation to verify a phone number received as input. It can be received either in plain text or hashed format. |
Open-Gateway API V2
This API provides methods to obtain the capabilities of CAMARA project in mas-stack.
This API can verify or retrieve the mobile phone number that is currently allocated by the network operator to the SIM in the end user's device
In this API phone number refers to the mobile phone number.
Introduction
The Number Verification API is used by the API consumer to perform real-time checks to verify the phone number of a mobile device being used to access the application. This check can be done either by the API provider, returning "true" or "false", or by the application, by matching the phone number returned by the API Provider with the phone number of the device that is being used.
It uses silent authentication (Network-based authentication or SIM-Based authentication) to verify possession of a phone number in the background without requiring user interaction. There are neither one-time passwords (OTP) received by SMS nor authenticator app downloads, so it is much simpler. It can be used at sign up, login, or transaction time to validate that a user's SIM is not spoofed or cloned.
Relevant Definitions and Concepts
- Network-Based Authentication: Authentication mechanism based on the identification of the mobile phone. A network operator knows to which subscriber a connected mobile phone belongs and what its associated phone number is.
- SIM-Based Authentication: Authentication mechanism based on the identification of the subscriber's SIM installed in the user's device. This mechanism relies on temporary tokens provided by the operator, as defined by GSMA TS.43 and GSMA ASAC.
API Functionality
This API enables an API Consumer to verify or retrieve the phone number of the mobile device being used to access their service.
The Authentication Request
Authentication Request with a temporary token
If the API Consumer has a TS.43 temporary token created on the mobile device then this API works over all connections e.g. WiFi taking advantage of the SIM-Based authentication.
The API Consumer sends the temporary token to their backend which sends a CIBA Authentication Request, as described in the current release CAMARA APIs Access and User Consent Management, with a parameter "login_hint=operatortoken:
Authentication Request without a temporary token
If the API Consumer does not have a TS.43 temporary token then the API Consumer must use OpenId Connect Authorization Code Flow as described in the current release of CAMARA APIs Access and User Consent Management. For this method of authentication to work, the device must be connected to the mobile network.
Resources and Operations overview
This API currently provides two endpoints which both require a 3-legged token obtained by using one of the two methods indicated in The Authentication Request section. This therefore excludes using, for example, SMS/OTP or user/password as an authentication method:
- The /verify endpoint checks whether the mobile phone number registered by the user with the API consumer matches the one actually associated with the mobile device. It can receive either a hashed or a plain text phone number as input. It compares the received phone number with the user's phone number associated to the access token in order to respond true/false.
- The /device-phone-number endpoint returns the phone number associated by the network operator with the SIM in the end user's device.
Sequence Diagram
The following sequence diagram shows an example of a direct integration into the developer's application and the API Provider's Authorization Server and API for the case that no temporary token is available.
Implementation Details:
-
(1): Authentication must be automatic without any user interactions. Authentication methods such as SMS OTP or user/password are incompatible, as the goal is to validate the mobile phone number that is accessing the App.
The API Consumer should use the request parameter prompt=none in the Authentication Request, as described in OIDC Connect, ensuring no user interaction.
The API Provider implies the request parameter prompt=none in the Authentication Request for this API.
-
(2): The way in which the phone number is retrieved depends upon the implementation. For example, the access token may be a self-contained encrypted JWT, and so the API provider can decrypt and identify phone number directly from the access token. Other implementations might retrieve the phone number associated with the access token from their Authorization Server.
Authorization and authentication
The "Camara Security and Interoperability Profile" provides details of how an API consumer requests an access token. Please refer to Identity and Consent Management for the released version of the profile.
The specific authorization flows to be used will be agreed upon during the onboarding process, happening between the API consumer and the API provider, taking into account the declared purpose for accessing the API, whilst also being subject to the prevailing legal framework dictated by local legislation.
In cases where personal data is processed by the API and users can exercise their rights through mechanisms such as opt-in and/or opt-out, the use of three-legged access tokens is mandatory. This ensures that the API remains in compliance with privacy regulations, upholding the principles of transparency and user-centric privacy-by-design.
In the case of the Number Verification API scenario and according to the API definition, 3-legged access tokens must be used by API clients to invoke this API with dedicated scope. The API client must authenticate on behalf of a specific user to use this service. This must be done via mobile network authentication.
Base URLs
production
staging
Resources
| Resource | Description |
|---|---|
| Number Verification | API operation to verify a phone number received as input. It can be received either in plain text or hashed format. |
Verifies if the specified phone number (either in plain text or hashed format) matches the one that the user is currently using. Only one of the plain or hashed formats must be provided.
- The number verification will be done for the user that has authenticated via mobile network
- It returns true/false depending on if the hashed phone number received as input matches the authenticated user's
device phone numberassociated to the access token
Parameters
PATH PARAMETERS
org_id*
string
Example:
Request body *
Required PlainExample
{
"referenceMsisdn": "+34611223344",
"evidence": {
"type": "PLAIN",
"value": "+34611223344"
}
} HashedExample
{
"referenceMsisdn": "+34611223344",
"evidence": {
"type": "HASHED_SHA256",
"value": "32f67ab4e4312618b09cd23ed8ce41b13e095fe52b73b2e8da8ef49830e50dba"
}
}| Property | Type | Description | Constraints | Default | |||||||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
referenceMsisdn* | string | The MSISDN assigned by the network and extracted from the authentication token. A public identifier addressing a telephone subscription. In mobile networks it corresponds to the MSISDN (Mobile Station International Subscriber Directory Number). In order to be globally unique it has to be formatted in international format, according to E.164 standard, prefixed with '+'. | pattern: ^\+[1-9][0-9]{4,14}$ | ||||||||||||||||
evidence* | object | ||||||||||||||||||
| |||||||||||||||||||
Responses
200 OK OK
200
OK OK
json
{
"devicePhoneNumberVerified": true
}| Property | Type | Description | Constraints | Default |
|---|---|---|---|---|
devicePhoneNumberVerified* | boolean | Number verification. True, if it matches |
400 Bad Request Problem with the client request
400
Bad Request Problem with the client request
json
{
"code": "string",
"title": "string",
"ref": "string",
"details": "string"
}| Property | Type | Description | Constraints | Default |
|---|---|---|---|---|
code* | string | code of the error | ||
title* | string | title of the error | ||
ref* | string | ref of the error | ||
details* | string | details of the error |
401 Unauthorized Unauthorized
401
Unauthorized Unauthorized
json
{
"code": "string",
"title": "string",
"ref": "string",
"details": "string"
}| Property | Type | Description | Constraints | Default |
|---|---|---|---|---|
code* | string | code of the error | ||
title* | string | title of the error | ||
ref* | string | ref of the error | ||
details* | string | details of the error |
403 Forbidden Client does not have sufficient permission.
In addition to regular scenario of `PERMISSION_DENIED`, other scenarios may exist:
- Client authentication was not via mobile network. In order to check the authentication method, AMR parameter value in the 3-legged user's access token can be used and make sure that the authentication was not either by SMS+OTP nor username/password (`{"code": "NUMBER_VERIFICATION.USER_NOT_AUTHENTICATED_BY_MOBILE_NETWORK","message": "Client must authenticate via the mobile network to use this service"}`)
403
Forbidden Client does not have sufficient permission. In addition to regular scenario of `PERMISSION_DENIED`, other scenarios may exist: - Client authentication was not via mobile network. In order to check the authentication method, AMR parameter value in the 3-legged user's access token can be used and make sure that the authentication was not either by SMS+OTP nor username/password (`{"code": "NUMBER_VERIFICATION.USER_NOT_AUTHENTICATED_BY_MOBILE_NETWORK","message": "Client must authenticate via the mobile network to use this service"}`)
json
{
"code": "string",
"title": "string",
"ref": "string",
"details": "string"
}| Property | Type | Description | Constraints | Default |
|---|---|---|---|---|
code* | string | code of the error | ||
title* | string | title of the error | ||
ref* | string | ref of the error | ||
details* | string | details of the error |
500 Internal Server Error Server error
500
Internal Server Error Server error
json
{
"code": "string",
"title": "string",
"ref": "string",
"details": "string"
}| Property | Type | Description | Constraints | Default |
|---|---|---|---|---|
code* | string | code of the error | ||
title* | string | title of the error | ||
ref* | string | ref of the error | ||
details* | string | details of the error |
503 Service Unavailable Service unavailable. Typically the server is down.
503
Service Unavailable Service unavailable. Typically the server is down.
json
{
"code": "string",
"title": "string",
"ref": "string",
"details": "string"
}| Property | Type | Description | Constraints | Default |
|---|---|---|---|---|
code* | string | code of the error | ||
title* | string | title of the error | ||
ref* | string | ref of the error | ||
details* | string | details of the error |
504 Request time exceeded. If it happens repeatedly, consider reducing the request complexity
504
Request time exceeded. If it happens repeatedly, consider reducing the request complexity
json
{
"code": "string",
"title": "string",
"ref": "string",
"details": "string"
}| Property | Type | Description | Constraints | Default |
|---|---|---|---|---|
code* | string | code of the error | ||
title* | string | title of the error | ||
ref* | string | ref of the error | ||
details* | string | details of the error |
Response Headers
x-correlatorstring200
Correlation id for the different services
Snippet
cURL
curl -X POST 'https://opengateway.masstack.com/v2/orgs/masmovil/number-verification/verify' \
-H 'Content-Type: application/json' \
-H 'Accept: application/json' \
--data-raw '{
"referenceMsisdn": "+34611223344",
"evidence": {
"type": "PLAIN",
"value": "+34611223344"
}
}'