The Authy Phone Verification API allows you to verify that the user has the device in their possession. The Authy Phone Verification API lets you request a verification code to be sent to the user and also verify that the code received by the user is valid. The REST API is designed to use HTTP response codes to indicate status. The body of the response will also include more information.
The api_key can be obtained by logging into the Authy dashboard and selecting the app for which you are authenticating users
The Authy API server is at: https://api.authy.com
You can clone and run our demo app repo. This full-stack implementation demonstrates both Authy 2FA and Phone Verification.
You can also clone our cURL API repo which implements all features of the Authy APIs including Phone Verification. We've included a Postman collection and environment as well.
When you want to verify a user's phone you start by requesting a verification code for that user's phone number. The verification code is valid for 10 minutes. Subsequent calls to the API within the expiration time will send the same verification code.
The response will includes the carrier, whether the number is a cellphone or not, the verification code expiration time, the request UUID and the request status.
Authy supports multiple languages for SMS and phone calls. Simply specify the desired country code.
NOTE: You can use dashes, periods, spaces or simply nothing to format a phone number.
POST https://api.authy.com/protected/{json,xml}/phones/verification/start
| Name | Type | Description |
|---|---|---|
| api_key | String | The Authy application API key. |
| via | String | Either "sms" or "call". |
| country_code | Integer | The phone's country code. |
| phone_number | String | The phone number to send the verification code. |
| code_length | Integer(optional) | Optional value to change the number of verification digits sent. Default is 4. Allowed values are 4-10. |
| locale | String | The language of the message received by user. If no locale is given, Authy will try to autodetect it based on the country code. In case that no locale is autodetected, English will be used. Supported languages include: English (en), Arabic (ar), Catalan (ca), Danish (da), German (de), Spanish (es), Greek (el), Finnish (fi), French (fr) , Hebrew (he), Hindi (hi), Hungarian (hu), Indonesian (id), Italian (it), Japanese (ja), Korean (ko), Norwegian (nb), Dutch (nl), Polish (pl), Portuguese (pt), Romanian (ro), Russian (ru), Swedish (sv), Thai (th), Tagalog (tl), Turkish (tr), Vietnamese (vi), Mandarin (zh-CN),Cantonese (zh-HK). We support the format country-region as described in IETF's BPC 47. If no region is given (or supported), there will be a default by country. |
| custom_message | String | Not enabled by default. Overwrites the default message sent sms or phone call. To request access please contact Authy sales with a business use case that requires a nonstandard message. You can inject a phone verification code in the message by using the string {{code}} were you'd like to insert it. IMPORTANT: If the via parameter is set to "call", the locale parameter is mandatory. The following languages are supported for call custom_messages: English (en), Spanish (es), Portuguese (pt), German (de), French (fr),Italian (it), Daniesh (da),German (de),Finish (fi), Japanese (ja), Korean (ko), Norwegian (nb), Deutch (nl), Polish (pl), Russian (ru), Swedish (sv), Mandarin (zh-CN),Cantonese (zh-HK). We support the format country-region as described in IETF's BPC 47. If no region is given (or supported), there will be a default by country. |
| Name | Type | Description |
|---|---|---|
| success | Bool | Whether the request was succesful or not. |
| message | String | A message indicating the result of the operation. |
| is_ported | Bool | Whether the phone number was ported or not. |
| is_cellphone | Bool | Whether the phone number is a cellphone or not. |
curl 'https://api.authy.com/protected/json/phones/verification/start?api_key=XXX' \ -d via='call' \ -d phone_number='111-111-1111' \ -d country_code=1
Sample response:
{ "carrier":"AT&T Mobility (New Cingular Wireless PCS, LLC)", "is_ported":false, "is_cellphone":true, "message":"Call to +1 111-111-1111 initiated.", "success":true }
curl 'https://api.authy.com/protected/json/phones/verification/start?api_key=XXX' \ -d via='sms' \ -d phone_number='111-111-1111' \ -d country_code=1 \ -d locale='es'
Sample response
{ "carrier":"AT&T Mobility (New Cingular Wireless PCS, LLC)", "is_ported":false, "is_cellphone":true, "message":"Text message sent to +1 111-111-1111", "success":true }
To verify the verification code simply pass the code along with the phone number.
GET https://api.authy.com/protected/{json,xml}/phones/verification/check
| Name | Type | Description |
|---|---|---|
| api_key | String | The Authy application API key. |
| country_code | Integer | The phone's country code. |
| phone_number | String | The phone number to send the verification code. |
| verification_code | String | The verification code that is being validated. |
| Name | Type | Description |
|---|---|---|
| success | Bool | Whether the operation was successful or not. |
| message | String | A message indicating the result of the operation. |
curl 'https://api.authy.com/protected/json/phones/verification/check?api_key=XXX' \ -d phone_number='111-111-111' \ -d country_code=1 \ -d verification_code='1234'
Sample response
{ "message":"Verification code is correct.", "success":true }
If you need to overwrite the default message sent to the user you can use the custom_message parameter. This is not enabled by default and you must contact [email protected] to request this parameter. Once enabled, it will allow you to send virtually any message you'd like in over 160 languages for SMS and 26 for automated voice calls. However you must manage the localization of the messages sent and you need to insert the Authy code into your message using the macro shown in the parameter below.
curl 'https://api.authy.com/protected/json/phones/verification/start?api_key=XXX' \ -d via='sms' \ -d phone_number='111-111-1111' \ -d country_code=1 \ -d custom_message='Your phone verification pin for Owl Bank is {{code}}'
Sample response
{ "carrier":"AT&T Mobility (New Cingular Wireless PCS, LLC)", "is_ported":false, "is_cellphone":true, "message":"Text message sent to +1 111-111-1111", "success":true }
curl 'https://api.authy.com/protected/json/phones/verification/start?api_key=XXX' \ -d via='call' \ -d phone_number='111-111-1111' \ -d country_code=1 \ -d locale='es' \ -d custom_message='Su código de verificación para Owl Bank es {{code}}'
Sample response
{ "carrier":"AT&T Mobility (New Cingular Wireless PCS, LLC)", "is_ported":false, "is_cellphone":true, "message":"Text message sent to +1 111-111-1111", "success":true }
Here is a sample response for invalid verification codes.
Sample response
{ "message":"Verification code is incorrect.", "success":false }
The following status codes are used:
200: Response is correct. The body of the response will include the data requested.
400: There was an error with the request. The body of the response will have more information.
401: Verification Code is invalid. If your API key is wrong a 401 will also be served, so check the response body, it might be that the API_KEY is invalid.
503: Service Unavailable Many reasons, body will include details An internal error on Authy. Your application is accessing an API call you do not have access to. API usage limit. If you reach API usage limits a 503 will be returned, please wait until you can do the call again.
When the API returns a status other than 200, we add an error code in the message body. For further information, please check the error codes page for a complete list of errors.