Number Verification API

Under CAMARA projectGSMA Certified API

The Number Verification API is part of the Open Gateway initiative, providing developers with access to network-based phone number validation. This API verifies user identity by confirming phone number ownership through network operator mechanisms, eliminating the need for manual verification processes.

Apply to join the Developer Hub and gain access to our Sandbox.

Getting started on the Telefónica Open Gateway Sandbox

API Overview

Technical Definition

The Number Verification CAMARA API validates user identity by confirming that the provided phone number matches the number associated with the user's device connection to the mobile network operator.

Available Operations

POST verify: Validates if the provided phone number matches the device's registered number. Returns a boolean result indicating verification status.

Check the API Reference
GET device-phone-number: Retrieves the phone number associated with the user's device without requiring input parameters.

This feature is pending availability

Technical Implementation

The API leverages network operator infrastructure to perform verification without requiring user interaction. This network-based approach provides:

Real-time validation against operator records
No dependency on SMS or voice calls
Transparent verification process for end users
Integration with existing network authentication mechanisms

The API can be combined with other Open Gateway APIs such as Device Location Verification or SIM SWAP detection to create comprehensive security solutions.

Why Frontend-Initiated Authentication is Required

The Number Verification API uses Authorization Code Flow (frontend-initiated) instead of CIBA (Client Initiated Backchannel Authentication) for a critical technical reason:

IP Address Verification: The core verification mechanism compares the phone number being verified against the IP address that the mobile network operator has assigned to that specific SIM card. This comparison can only be performed when the request originates from the user's mobile device.

Technical Implementation:

When a user's device connects to the mobile network, the operator assigns a specific IP address to that SIM card
The verification request must come from this assigned IP address to establish the connection between the phone number and the device
If the request originates from your backend server, the operator sees your datacenter's IP address instead of the user's mobile IP
This breaks the verification chain, as there's no way to correlate your server's IP with the user's phone number

Why CIBA Cannot Work for Number Verification:

CIBA flows are backend-initiated and use the server's IP address
The mobile operator cannot establish a relationship between your server's IP and the user's phone number
The fundamental verification mechanism (IP-to-phone-number matching) becomes impossible

This architectural requirement ensures that verification is truly tied to the physical device and SIM card being used, providing authentic network-level validation that cannot be spoofed or bypassed.

Use Cases and Benefits

Traditional verification methods using SMS or voice calls are vulnerable to SIM swapping, interception, and social engineering attacks. The Number Verification API addresses these security challenges through network-level validation.

The Number Verification API provides network-level authentication that validates phone number ownership through the mobile operator's infrastructure, offering superior security compared to conventional methods.

For desktop applications, the Number Verification API supports cross-device authentication through QR code scanning, enabling users to verify their phone number from their mobile device while using a desktop application.

Key Advantages

Network-Based Verification: Utilizes the mobile network operator's authentication mechanisms, providing verification without user interaction or exposure to interception.

Real-Time Validation: Immediate confirmation of phone number ownership through active network connection verification.

Enhanced Security: Eliminates vulnerabilities associated with SMS-based verification, including SIM swapping and message interception.

Seamless Integration: RESTful API design enables straightforward integration into existing authentication workflows.

The API verifies that the provided mobile phone number (MSISDN) corresponds to the device establishing the data connection, ensuring users access services from authenticated devices.

Network-Level Authentication Mechanism

The Number Verification API performs authentication through network infrastructure validation:

Core Verification Process:

IP Address Correlation: The mobile operator identifies which SIM card is assigned to the IP address making the request
Phone Number Matching: The operator compares the provided phone number with the SIM card associated with that IP address
Real-Time Validation: This comparison happens instantly using live network data, not stored databases

Technical Advantages:

No User Interaction Required: Verification is transparent to the end user
Immune to SIM Swapping: Uses current network connection, not historical data
Cannot Be Intercepted: No SMS or voice calls that can be redirected
Spoofing-Resistant: Requires actual network connection from the specific SIM card

Key Advantages Over Traditional Methods:

Network-Based Verification: Utilizes mobile operator authentication mechanisms without user interaction
Real-Time Validation: Immediate confirmation through active network connection verification
Enhanced Security: Eliminates SMS/voice vulnerabilities including SIM swapping and interception
Seamless Integration: RESTful API design for straightforward authentication workflow integration
Spoofing-Resistant: Requires actual network connection from the specific SIM card

This verification confirms that the provided mobile phone number (MSISDN) corresponds to the SIM card currently establishing the data connection, ensuring authentic device-to-identity binding.