Global System for Mobile Communications

GSMA Camara Project One Time Password API

One Time Password API delivers a short-lived one-time password to a mobile phone number via SMS. The API then validates the code as input by the end-user into the service, to verify proof of possession.

GitHub OpenAPI

Documentation

📖
Documentation
https://redocly.github.io/redoc/?url=https://raw.githubusercontent.com/camaraproject/OTPValidation/r1.2/code/API_definitions/one-time-password-sms.yaml&nocors

Specifications

OpenAPI
https://raw.githubusercontent.com/api-evangelist/global-system-for-mobile-communications/refs/heads/main/openapi/one-time-password-api-openapi.yml

SDKs

📦
GitHubRepository
https://github.com/camaraproject/OTPValidation/releases/tag/r1.2

Other Resources

🔗
BrunoCollection
https://raw.githubusercontent.com/api-evangelist/global-system-for-mobile-communications/refs/heads/main/bruno/GSMA Camara Project One Time Password SMS/bruno.json
🔗
PostmanCollection
https://www.postman.com/api-evangelist/global-system-for-mobile-communications-gsma/collection/lm2bnug/gsma-camara-project-one-time-password-sms

OpenAPI Specification

one-time-password-api-openapi.yml Raw ↑ 
openapi: 3.0.3
info:
  title: Global System for Mobile Communications GSMA Camara Project One Time Password SMS
  description: >-
    Service Enabling Network Function API to send short-lived OTPs (one time
    passwords) to a phone number via SMS and validate it afterwards, in order to
    verify the phone number as a proof of possession.
  version: 1.0.0
  x-camara-commonalities: 0.4.0
  license:
    name: Apache 2.0
    url: https://www.apache.org/licenses/LICENSE-2.0.html
servers:
  - url: '{apiRoot}/one-time-password-sms/v1'
    variables:
      apiRoot:
        default: http://localhost:9091
        description: >-
          API root, defined by the service provider, e.g. `api.example.com` or
          `api.example.com/somepath`
tags:
  - name: OTP Management
    description: API operations to manage OTP codes
paths:
  /send-code:
    post:
      tags:
        - OTP Management
      summary: Global System for Mobile Communications Sends a message including an OTP code to the given phone number
      description: >-
        Sends an SMS with the desired message and an OTP code to the received
        phone number.
      operationId: sendCode
      parameters:
        - in: header
          name: x-correlator
          required: false
          description: Correlation id for the different services
          schema:
            type: string
      requestBody:
        content:
          application/json:
            schema:
              $ref: '#/components/schemas/SendCodeBody'
        required: true
      responses:
        '200':
          description: OK
          headers:
            x-correlator:
              description: Correlation id for the different services
              schema:
                type: string
          content:
            application/json:
              schema:
                $ref: '#/components/schemas/SendCodeResponse'
        '400':
          $ref: '#/components/responses/Generic400'
        '401':
          $ref: '#/components/responses/Generic401'
        '403':
          $ref: '#/components/responses/SendCodeForbiddenError403'
        '404':
          $ref: '#/components/responses/Generic404'
        '406':
          $ref: '#/components/responses/Generic406'
        '415':
          $ref: '#/components/responses/Generic415'
        '429':
          $ref: '#/components/responses/Generic429'
        '500':
          $ref: '#/components/responses/Generic500'
        '503':
          $ref: '#/components/responses/Generic503'
        '504':
          $ref: '#/components/responses/Generic504'
      security:
        - openId:
            - one-time-password-sms:send-validate
  /validate-code:
    post:
      tags:
        - OTP Management
      summary: Global System for Mobile Communications Verifies the OTP received as input
      description: Verifies the code is valid for the received authenticationId
      operationId: validateCode
      parameters:
        - in: header
          name: x-correlator
          required: false
          description: Correlation id for the different services
          schema:
            type: string
      requestBody:
        content:
          application/json:
            schema:
              $ref: '#/components/schemas/ValidateCodeBody'
        required: true
      responses:
        '204':
          description: The OTP was successfully validated
          headers:
            x-correlator:
              description: Correlation id for the different services
              schema:
                type: string
        '400':
          $ref: '#/components/responses/ValidateCodeBadRequestError400'
        '401':
          $ref: '#/components/responses/Generic401'
        '403':
          $ref: '#/components/responses/Generic403'
        '404':
          $ref: '#/components/responses/Generic404'
        '406':
          $ref: '#/components/responses/Generic406'
        '415':
          $ref: '#/components/responses/Generic415'
        '429':
          $ref: '#/components/responses/Generic429'
        '500':
          $ref: '#/components/responses/Generic500'
        '503':
          $ref: '#/components/responses/Generic503'
        '504':
          $ref: '#/components/responses/Generic504'
      security:
        - openId:
            - one-time-password-sms:send-validate
components:
  schemas:
    SendCodeBody:
      description: Structure to request sending a code to a phone number
      type: object
      properties:
        phoneNumber:
          $ref: '#/components/schemas/PhoneNumber'
        message:
          $ref: '#/components/schemas/Message'
      required:
        - phoneNumber
        - message
    SendCodeResponse:
      description: Structure to provide authentication identifier
      type: object
      properties:
        authenticationId:
          $ref: '#/components/schemas/AuthenticationId'
      required:
        - authenticationId
    ValidateCodeBody:
      description: Strcuture to request code verification
      type: object
      properties:
        authenticationId:
          $ref: '#/components/schemas/AuthenticationId'
        code:
          $ref: '#/components/schemas/Code'
      required:
        - authenticationId
        - code
    PhoneNumber:
      description: >-
        A public identifier addressing a telephone subscription. In mobile
        networks it corresponds to the MSISDN (Mobile Station International
        Subscriber Directory Number). In order to be globally unique it has to
        be formatted in international format, according to E.164 standard,
        prefixed with '+'.
      type: string
      pattern: ^\+[1-9][0-9]{4,14}$
      example: '+346661113334'
    Message:
      type: string
      description: >-
        Message template used to compose the content of the SMS sent to the
        phone number. It must include the following label indicating where to
        include the short code `{{code}}`
      pattern: .*\{\{code\}\}.*
      maxLength: 160
      example: '{{code}} is your short code to authenticate with Cool App via SMS'
    AuthenticationId:
      type: string
      description: unique id of the verification attempt the code belongs to.
      maxLength: 36
      example: ea0840f3-3663-4149-bd10-c7c6b8912105
    Code:
      type: string
      description: temporal, short code to be validated
      maxLength: 10
      example: AJY3
    ErrorInfo:
      description: Structure to describe error
      type: object
      required:
        - status
        - code
        - message
      properties:
        status:
          type: integer
          description: HTTP response status code
        code:
          type: string
          description: Code given to this error
        message:
          type: string
          description: Detailed error description
  securitySchemes:
    openId:
      type: openIdConnect
      openIdConnectUrl: https://example.com/.well-known/openid-configuration
  responses:
    Generic400:
      description: Problem with the client request
      headers:
        x-correlator:
          description: Correlation id for the different services
          schema:
            type: string
      content:
        application/json:
          schema:
            $ref: '#/components/schemas/ErrorInfo'
          example:
            status: 400
            code: INVALID_ARGUMENT
            message: Client specified an invalid argument, request body or query param
    ValidateCodeBadRequestError400:
      description: >-
        Problem with the client request. In addition to regular scenario of
        `INVALID_ARGUMENT`, another scenarios may exist:
          - Too many unsuccessful attempts (`{"code": "ONE_TIME_PASSWORD_SMS.VERIFICATION_FAILED","message": "The maximum number of attempts for this authenticationId was exceeded without providing a valid OTP"}`)
          - Expired authenticationId (`{"code": "ONE_TIME_PASSWORD_SMS.VERIFICATION_EXPIRED","message": "The authenticationId is no longer valid"}`)
          - OTP is not valid for the provided authenticationId (`{"code": "ONE_TIME_PASSWORD_SMS.INVALID_OTP","message": "The provided OTP is not valid for this authenticationId"}`)
      headers:
        x-correlator:
          description: Correlation id for the different services
          schema:
            type: string
      content:
        application/json:
          schema:
            $ref: '#/components/schemas/ErrorInfo'
          examples:
            InvalidArgument:
              value:
                status: 400
                code: INVALID_ARGUMENT
                message: >-
                  Client specified an invalid argument, request body or query
                  param
            VerificationFailed:
              value:
                status: 400
                code: ONE_TIME_PASSWORD_SMS.VERIFICATION_FAILED
                message: >-
                  The maximum number of attempts for this authenticationId was
                  exceeded without providing a valid OTP
            VerificationExpired:
              value:
                status: 400
                code: ONE_TIME_PASSWORD_SMS.VERIFICATION_EXPIRED
                message: The authenticationId is no longer valid
            InvalidOtp:
              value:
                status: 400
                code: ONE_TIME_PASSWORD_SMS.INVALID_OTP
                message: The provided OTP is not valid for this authenticationId
    Generic401:
      description: Authentication problem with the client request
      headers:
        x-correlator:
          description: Correlation id for the different services
          schema:
            type: string
      content:
        application/json:
          schema:
            $ref: '#/components/schemas/ErrorInfo'
          example:
            status: 401
            code: UNAUTHENTICATED
            message: >-
              Request not authenticated due to missing, invalid, or expired
              credentials
    Generic403:
      description: Client does not have sufficient permission
      headers:
        x-correlator:
          description: Correlation id for the different services
          schema:
            type: string
      content:
        application/json:
          schema:
            $ref: '#/components/schemas/ErrorInfo'
          example:
            status: 403
            code: PERMISSION_DENIED
            message: Client does not have sufficient permissions to perform this action
    SendCodeForbiddenError403:
      description: >-
        Client does not have sufficient permissions to perform this action.

        In addition to regular scenario of `PERMISSION_DENIED`, another
        scenarios may exist:
          - Too many code requests were sent (`{"code": "ONE_TIME_PASSWORD_SMS.MAX_OTP_CODES_EXCEEDED","message": "Too many OTPs have been requested for this MSISDN. Try later."}`)
          - The given phoneNumber can't receive an SMS due to business reasons in the operator, e.g. fraud, receiving SMS is not supported, etc (`{"code": "ONE_TIME_PASSWORD_SMS.PHONE_NUMBER_NOT_ALLOWED","message": "Phone_number can't receive an SMS due to business reasons in the operator."}`)
          - The given phoneNumber is blocked to receive SMS due to any blocking business reason in the operator (`{"code": "ONE_TIME_PASSWORD_SMS.PHONE_NUMBER_BLOCKED","message": "Phone_number is blocked to receive SMS due to any blocking business reason in the operator."}`)
      headers:
        x-correlator:
          description: Correlation id for the different services
          schema:
            type: string
      content:
        application/json:
          schema:
            $ref: '#/components/schemas/ErrorInfo'
          examples:
            PermissionDenied:
              value:
                status: 403
                code: PERMISSION_DENIED
                message: >-
                  Client does not have sufficient permissions to perform this
                  action
            MaxOtpCodesExceeded:
              value:
                status: 403
                code: ONE_TIME_PASSWORD_SMS.MAX_OTP_CODES_EXCEEDED
                message: Too many OTPs have been requested for this MSISDN. Try later.
            PhoneNumberNotAllowed:
              value:
                status: 403
                code: ONE_TIME_PASSWORD_SMS.PHONE_NUMBER_NOT_ALLOWED
                message: >-
                  Phone_number can't receive an SMS due to business reasons in
                  the operator.
            Phone_number_blocked:
              value:
                status: 403
                code: ONE_TIME_PASSWORD_SMS.PHONE_NUMBER_BLOCKED
                message: >-
                  Phone_number is blocked to receive SMS due to any blocking
                  business reason in the operator.
    Generic404:
      description: Resource Not Found
      headers:
        x-correlator:
          description: Correlation id for the different services
          schema:
            type: string
      content:
        application/json:
          schema:
            $ref: '#/components/schemas/ErrorInfo'
          example:
            status: 404
            code: NOT_FOUND
            message: A specified resource is not found
    Generic406:
      description: The server can not produce a response matching the content
      headers:
        x-correlator:
          description: Correlation id for the different services
          schema:
            type: string
      content:
        application/json:
          schema:
            $ref: '#/components/schemas/ErrorInfo'
          example:
            status: 406
            code: NOT_ACCEPTABLE
            message: >-
              The server can't produce a response matching the content requested
              by the client through Accept-* headers
    Generic415:
      description: >-
        The server refuses to accept the request because the payload format is
        in an unsupported format
      headers:
        x-correlator:
          description: Correlation id for the different services
          schema:
            type: string
      content:
        application/json:
          schema:
            $ref: '#/components/schemas/ErrorInfo'
          example:
            status: 415
            code: UNSUPPORTED_MEDIA_TYPE
            message: >-
              The server refuses to accept the request because the payload
              format is in an unsupported format
    Generic429:
      description: Either out of resource quota or reaching rate limiting
      headers:
        x-correlator:
          description: Correlation id for the different services
          schema:
            type: string
      content:
        application/json:
          schema:
            $ref: '#/components/schemas/ErrorInfo'
          example:
            status: 429
            code: TOO_MANY_REQUESTS
            message: Either out of resource quota or reaching rate limiting
    Generic500:
      description: Server error
      headers:
        x-correlator:
          description: Correlation id for the different services
          schema:
            type: string
      content:
        application/json:
          schema:
            $ref: '#/components/schemas/ErrorInfo'
          example:
            status: 500
            code: INTERNAL
            message: Server error
    Generic503:
      description: Service unavailable. Typically the server is down.
      headers:
        x-correlator:
          description: Correlation id for the different services
          schema:
            type: string
      content:
        application/json:
          schema:
            $ref: '#/components/schemas/ErrorInfo'
          example:
            status: 503
            code: UNAVAILABLE
            message: Service unavailable
    Generic504:
      description: >-
        Request time exceeded. If it happens repeatedly, consider reducing the
        request complexity
      headers:
        x-correlator:
          description: Correlation id for the different services
          schema:
            type: string
      content:
        application/json:
          schema:
            $ref: '#/components/schemas/ErrorInfo'
          example:
            status: 504
            code: TIMEOUT
            message: Request timeout exceeded. Try later.
externalDocs:
  description: Project documentation at CAMARA
  url: https://github.com/camaraproject/NumberVerificationSMS2FA