The CAMARA project's Number Verification API is crafted to validate the mobile phone number active on a device. Incorporated into the CodeB Identity Broker, this API extracts the declared mobile number from the OpenID Connect token, ensuring its alignment with the device's actual number. Moreover, it proactively confirms the association of the mobile's cryptographic material (public keys) with the mobile number, offering a robust defense against potential threats like SIM or device swapping. Additionally, service providers have the capability to fetch the phone number associated with a user's authenticated access token.
Key Features:
Real-time phone number verification.
Works directly through mobile network connections.
Validates active SIM connections without spoofing or cloning.
Ensures cryptographic material is bound to the declared mobile number.
API Endpoints:
1. Verify Phone Number:
Endpoint: `POST /number-verification/v0/verify`
Purpose: Checks if a given phone number (either in plain text or hashed) matches the one currently in use by the user.
2. Retrieve Device Phone Number:
Endpoint: `GET /number-verification/v0/device-phone-number`
Purpose: Returns the phone number linked to the access token, allowing API clients to authenticate the number.
Authentication:
The API uses OAUTH 2.0 auth_code grant, allowing three-legged Access Tokens. Client applications must employ OIDC-based authentication methods.
Error Handling:
The API adheres to REST design principles, using standard HTTP status codes. Errors range from invalid arguments (`400`) to server errors (`500`) and timeouts (`504`).