CAMARA One Time Password SMS API

openapi: 3.0.3
info:
  title: One Time Password SMS
  description: |-
    Service API to send short-lived OTPs (one time passwords) to a phone number via SMS and validate it afterwards, in order to verify the phone number as a proof of possession.

    # Relevant  Definitions and concepts
    - **OTP**: *One Time password* is a one-time authorization code that is valid for only one login session or transaction.

    # API Functionality
    It enables a Service Provider (SP) to send an OTP code by SMS and validate it to verify the phone number (MSISDN) as a proof of possession.

    # Resources and Operations overview
    This API currently provides two endpoints, one to send an OTP to a given phone number and another to validate the code received as input.

    # Authorization and authentication

    The "Camara Security and Interoperability Profile" provides details of how an API consumer requests an access token. Please refer to Identity and Consent Management (https://github.com/camaraproject/IdentityAndConsentManagement/) for the released version of the profile.

    The specific authorization flows to be used will be agreed upon during the onboarding process, happening between the API consumer and the API provider, taking into account the declared purpose for accessing the API, whilst also being subject to the prevailing legal framework dictated by local legislation.

    In cases where personal data is processed by the API and users can exercise their rights through mechanisms such as opt-in and/or opt-out, the use of three-legged access tokens is mandatory. This ensures that the API remains in compliance with privacy regulations, upholding the principles of transparency and user-centric privacy-by-design.

    # Additional CAMARA error responses
    The list of error codes in this API specification is not exhaustive. Therefore the API specification may not document some non-mandatory error statuses as indicated in `CAMARA API Design Guide`.

    Please refer to the `CAMARA_common.yaml` of the Commonalities Release associated to this API version for a complete list of error responses. The applicable Commonalities Release can be identified in the `API Readiness Checklist` document associated to this API version.

    As a specific rule, error `501 - NOT_IMPLEMENTED` can be only a possible error response if it is explicitly documented in the API.

  version: wip
  x-camara-commonalities: 0.6
  license:
    name: Apache 2.0
    url: https://www.apache.org/licenses/LICENSE-2.0.html
externalDocs:
  description: Product documentation at CAMARA
  url: https://github.com/camaraproject/OTPValidation
servers:
  - url: "{apiRoot}/one-time-password-sms/vwip"
    variables:
      apiRoot:
        default: http://localhost:9091
        description: API root, defined by the service provider, e.g. `api.example.com` or `api.example.com/somepath`
tags:
  - name: OTP Management
    description: API operations to manage OTP codes
paths:
  /send-code:
    post:
      tags:
        - OTP Management
      summary: Sends a message including an OTP code to the given phone number
      description: |-
        Sends an SMS with the desired message and an OTP code to the received phone number.
      operationId: sendCode
      parameters:
        - $ref: "#/components/parameters/x-correlator"
      requestBody:
        content:
          application/json:
            schema:
              $ref: '#/components/schemas/SendCodeBody'
        required: true
      responses:
        '200':
          description: OK
          headers:
            x-correlator:
              $ref: "#/components/headers/x-correlator"
          content:
            application/json:
              schema:
                $ref: '#/components/schemas/SendCodeResponse'
        '400':
          $ref: '#/components/responses/Generic400'
        '401':
          $ref: '#/components/responses/Generic401'
        '403':
          $ref: '#/components/responses/SendCodeForbiddenError403'
        '404':
          $ref: '#/components/responses/Generic404'
        '429':
          $ref: '#/components/responses/Generic429'
      security:
        - openId:
            - one-time-password-sms:send-validate
  /validate-code:
    post:
      tags:
        - OTP Management
      summary: Verifies the OTP received as input
      description: |-
        Verifies the code is valid for the received authenticationId
      operationId: validateCode
      parameters:
        - $ref: "#/components/parameters/x-correlator"
      requestBody:
        content:
          application/json:
            schema:
              $ref: '#/components/schemas/ValidateCodeBody'
        required: true
      responses:
        '204':
          description: The OTP was successfully validated
          headers:
            x-correlator:
              $ref: "#/components/headers/x-correlator"
        '400':
          $ref: '#/components/responses/ValidateCodeBadRequestError400'
        '401':
          $ref: '#/components/responses/Generic401'
        '403':
          $ref: '#/components/responses/Generic403'
        '404':
          $ref: '#/components/responses/Generic404'
        '429':
          $ref: '#/components/responses/Generic429'
      security:
        - openId:
            - one-time-password-sms:send-validate
components:
  parameters:
    x-correlator:
      name: x-correlator
      in: header
      description: Correlation id for the different services
      schema:
        $ref: "#/components/schemas/XCorrelator"
  headers:
    x-correlator:
      description: Correlation id for the different services
      schema:
        $ref: "#/components/schemas/XCorrelator"
  schemas:
    XCorrelator:
      type: string
      pattern: ^[a-zA-Z0-9-_:;.\/<>{}]{0,256}$
      example: "b4333c46-49c0-4f62-80d7-f0ef930f1c46"
    SendCodeBody:
      description: Structure to request sending a code to a phone number
      type: object
      properties:
        phoneNumber:
          $ref: '#/components/schemas/PhoneNumber'
        message:
          $ref: '#/components/schemas/Message'
      required:
        - message
        - phoneNumber
    SendCodeResponse:
      description: Structure to provide authentication identifier
      type: object
      properties:
        authenticationId:
          $ref: '#/components/schemas/AuthenticationId'
      required:
        - authenticationId
    ValidateCodeBody:
      description: Strcuture to request code verification
      type: object
      properties:
        authenticationId:
          $ref: '#/components/schemas/AuthenticationId'
        code:
          $ref: '#/components/schemas/Code'
      required:
        - authenticationId
        - code
    PhoneNumber:
      description: A public identifier addressing a telephone subscription. In mobile networks it corresponds to the MSISDN (Mobile Station International Subscriber Directory Number). In order to be globally unique it has to be formatted in international format, according to E.164 standard, prefixed with '+'.
      type: string
      pattern: '^\+[1-9][0-9]{4,14}$'
      example: '+346661113334'
    Message:
      type: string
      description: Message template used to compose the content of the SMS sent to the phone number. It must include the following label indicating where to include the short code `{{code}}`
      pattern: .*\{\{code\}\}.*
      maxLength: 160
      example: '{{code}} is your short code to authenticate with Cool App via SMS'
    AuthenticationId:
      type: string
      description: unique id of the verification attempt the code belongs to.
      maxLength: 36
      example: ea0840f3-3663-4149-bd10-c7c6b8912105
    Code:
      type: string
      description: temporal, short code to be validated
      maxLength: 10
      example: AJY3
    ErrorInfo:
      description: Structure to describe error
      type: object
      required:
        - status
        - code
        - message
      properties:
        status:
          type: integer
          description: HTTP response status code
        code:
          type: string
          description: A human-readable code to describe the error
        message:
          type: string
          description: A human-readable description of what the event represents
  securitySchemes:
    openId:
      type: openIdConnect
      openIdConnectUrl: https://example.com/.well-known/openid-configuration
  responses:
    Generic400:
      description: Problem with the client request
      headers:
        x-correlator:
          $ref: "#/components/headers/x-correlator"
      content:
        application/json:
          schema:
            allOf:
              - $ref: "#/components/schemas/ErrorInfo"
              - type: object
                properties:
                  status:
                    enum:
                      - 400
                  code:
                    enum:
                      - INVALID_ARGUMENT
          examples:
            GENERIC_400_INVALID_ARGUMENT:
              description: Invalid Argument. Generic Syntax Exception
              value:
                status: 400
                code: INVALID_ARGUMENT
                message: Client specified an invalid argument, request body or query param.
    ValidateCodeBadRequestError400:
      description: |-
        Problem with the client request. In addition to regular scenario of `INVALID_ARGUMENT`, another scenarios may exist:
          - Too many unsuccessful attempts (`{"code": "ONE_TIME_PASSWORD_SMS.VERIFICATION_FAILED","message": "The maximum number of attempts for this authenticationId was exceeded without providing a valid OTP"}`)
          - Expired authenticationId (`{"code": "ONE_TIME_PASSWORD_SMS.VERIFICATION_EXPIRED","message": "The authenticationId is no longer valid"}`)
          - OTP is not valid for the provided authenticationId (`{"code": "ONE_TIME_PASSWORD_SMS.INVALID_OTP","message": "The provided OTP is not valid for this authenticationId"}`)
      headers:
        x-correlator:
          $ref: "#/components/headers/x-correlator"
      content:
        application/json:
          schema:
            allOf:
              - $ref: "#/components/schemas/ErrorInfo"
              - type: object
                properties:
                  status:
                    enum:
                      - 400
                  code:
                    enum:
                      - INVALID_ARGUMENT
                      - OUT_OF_RANGE
                      - ONE_TIME_PASSWORD_SMS.VERIFICATION_FAILED
                      - ONE_TIME_PASSWORD_SMS.VERIFICATION_EXPIRED
                      - ONE_TIME_PASSWORD_SMS.INVALID_OTP
          examples:
            GENERIC_400_OUT_OF_RANGE:
              description: Out of Range. Specific Syntax Exception used when a given field has a pre-defined range or a invalid filter criteria combination is requested
              value:
                status: 400
                code: OUT_OF_RANGE
                message: Client specified an invalid range.
            GENERIC_400_INVALID_ARGUMENT:
              value:
                status: 400
                code: INVALID_ARGUMENT
                message: Client specified an invalid argument, request body or query param
            OTP_VALIDATION_400_VERIFICATION_FAILED:
              value:
                status: 400
                code: ONE_TIME_PASSWORD_SMS.VERIFICATION_FAILED
                message: The maximum number of attempts for this authenticationId was exceeded without providing a valid OTP
            OTP_VALIDATION_400_VERIFICATION_EXPIRED:
              value:
                status: 400
                code: ONE_TIME_PASSWORD_SMS.VERIFICATION_EXPIRED
                message: The authenticationId is no longer valid
            OTP_VALIDATION_400_INVALID_OTP:
              value:
                status: 400
                code: ONE_TIME_PASSWORD_SMS.INVALID_OTP
                message: The provided OTP is not valid for this authenticationId
    Generic401:
      description: Authentication problem with the client request
      headers:
        x-correlator:
          $ref: "#/components/headers/x-correlator"
      content:
        application/json:
          schema:
            allOf:
              - $ref: "#/components/schemas/ErrorInfo"
              - type: object
                properties:
                  status:
                    enum:
                      - 401
                  code:
                    enum:
                      - UNAUTHENTICATED
          examples:
            GENERIC_401_UNAUTHENTICATED:
              description: Request cannot be authenticated
              value:
                status: 401
                code: UNAUTHENTICATED
                message: Request not authenticated due to missing, invalid, or expired credentials.
    Generic403:
      description: Client does not have sufficient permission
      headers:
        x-correlator:
          $ref: "#/components/headers/x-correlator"
      content:
        application/json:
          schema:
            allOf:
              - $ref: "#/components/schemas/ErrorInfo"
              - type: object
                properties:
                  status:
                    enum:
                      - 403
                  code:
                    enum:
                      - PERMISSION_DENIED
          examples:
            GENERIC_403_PERMISSION_DENIED:
              description: Permission denied. OAuth2 token access does not have the required scope or when the user fails operational security
              value:
                status: 403
                code: PERMISSION_DENIED
                message: Client does not have sufficient permissions to perform this action.
    SendCodeForbiddenError403:
      description: |-
        Client does not have sufficient permissions to perform this action.
        In addition to regular scenario of `PERMISSION_DENIED`, another scenarios may exist:
          - Too many code requests were sent (`{"code": "ONE_TIME_PASSWORD_SMS.MAX_OTP_CODES_EXCEEDED","message": "Too many OTPs have been requested for this MSISDN. Try later."}`)
          - The given phoneNumber can't receive an SMS due to business reasons in the operator, e.g. fraud, receiving SMS is not supported, etc (`{"code": "ONE_TIME_PASSWORD_SMS.PHONE_NUMBER_NOT_ALLOWED","message": "Phone_number can't receive an SMS due to business reasons in the operator."}`)
          - The given phoneNumber is blocked to receive SMS due to any blocking business reason in the operator (`{"code": "ONE_TIME_PASSWORD_SMS.PHONE_NUMBER_BLOCKED","message": "Phone_number is blocked to receive SMS due to any blocking business reason in the operator."}`)
      headers:
        x-correlator:
          $ref: "#/components/headers/x-correlator"
      content:
        application/json:
          schema:
            allOf:
              - $ref: "#/components/schemas/ErrorInfo"
              - type: object
                properties:
                  status:
                    enum:
                      - 403
                  code:
                    enum:
                      - PERMISSION_DENIED
                      - ONE_TIME_PASSWORD_SMS.MAX_OTP_CODES_EXCEEDED
                      - ONE_TIME_PASSWORD_SMS.PHONE_NUMBER_NOT_ALLOWED
                      - ONE_TIME_PASSWORD_SMS.PHONE_NUMBER_BLOCKED
          examples:
            GENERIC_403_PERMISSION_DENIED:
              value:
                status: 403
                code: PERMISSION_DENIED
                message: Client does not have sufficient permissions to perform this action
            OTP_VALIDATION_403_MAX_OTP_CODES_EXCEEDED:
              value:
                status: 403
                code: ONE_TIME_PASSWORD_SMS.MAX_OTP_CODES_EXCEEDED
                message: Too many OTPs have been requested for this MSISDN. Try later.
            OTP_VALIDATION_403_PHONE_NUMBER_NOT_ALLOWED:
              value:
                status: 403
                code: ONE_TIME_PASSWORD_SMS.PHONE_NUMBER_NOT_ALLOWED
                message: Phone_number can't receive an SMS due to business reasons in the operator.
            OTP_VALIDATION_403_PHONE_NUMBER_BLOCKED:
              value:
                status: 403
                code: ONE_TIME_PASSWORD_SMS.PHONE_NUMBER_BLOCKED
                message: Phone_number is blocked to receive SMS due to any blocking business reason in the operator.
    Generic404:
      description: Resource Not Found
      headers:
        x-correlator:
          $ref: "#/components/headers/x-correlator"
      content:
        application/json:
          schema:
            allOf:
              - $ref: "#/components/schemas/ErrorInfo"
              - type: object
                properties:
                  status:
                    enum:
                      - 404
                  code:
                    enum:
                      - NOT_FOUND
          examples:
            GENERIC_404_NOT_FOUND:
              description: Resource is not found
              value:
                status: 404
                code: NOT_FOUND
                message: The specified resource is not found.
    Generic429:
      description: Either out of resource quota or reaching rate limiting
      headers:
        x-correlator:
          $ref: "#/components/headers/x-correlator"
      content:
        application/json:
          schema:
            allOf:
              - $ref: "#/components/schemas/ErrorInfo"
              - type: object
                properties:
                  status:
                    enum:
                      - 429
                  code:
                    enum:
                      - QUOTA_EXCEEDED
                      - TOO_MANY_REQUESTS
          examples:
            GENERIC_429_QUOTA_EXCEEDED:
              description: Request is rejected due to exceeding a business quota limit
              value:
                status: 429
                code: QUOTA_EXCEEDED
                message: Out of resource quota.
            GENERIC_429_TOO_MANY_REQUESTS:
              description: Access to the API has been temporarily blocked due to rate or spike arrest limits being reached
              value:
                status: 429
                code: TOO_MANY_REQUESTS
                message: Rate limit reached.