openapi: 3.0.3 info: title: One Time Password SMS description: |- Service API to send short-lived OTPs (one time passwords) to a phone number via SMS and validate it afterwards, in order to verify the phone number as a proof of possession. # Relevant Definitions and concepts - **OTP**: *One Time password* is a one-time authorization code that is valid for only one login session or transaction. # API Functionality It enables a Service Provider (SP) to send an OTP code by SMS and validate it to verify the phone number (MSISDN) as a proof of possession. # Resources and Operations overview This API currently provides two endpoints, one to send an OTP to a given phone number and another to validate the code received as input. # Authorization and authentication The "Camara Security and Interoperability Profile" provides details of how an API consumer requests an access token. Please refer to Identity and Consent Management (https://github.com/camaraproject/IdentityAndConsentManagement/) for the released version of the profile. The specific authorization flows to be used will be agreed upon during the onboarding process, happening between the API consumer and the API provider, taking into account the declared purpose for accessing the API, whilst also being subject to the prevailing legal framework dictated by local legislation. In cases where personal data is processed by the API and users can exercise their rights through mechanisms such as opt-in and/or opt-out, the use of three-legged access tokens is mandatory. This ensures that the API remains in compliance with privacy regulations, upholding the principles of transparency and user-centric privacy-by-design. # Additional CAMARA error responses The list of error codes in this API specification is not exhaustive. Therefore the API specification may not document some non-mandatory error statuses as indicated in `CAMARA API Design Guide`. Please refer to the `CAMARA_common.yaml` of the Commonalities Release associated to this API version for a complete list of error responses. The applicable Commonalities Release can be identified in the `API Readiness Checklist` document associated to this API version. As a specific rule, error `501 - NOT_IMPLEMENTED` can be only a possible error response if it is explicitly documented in the API. version: wip x-camara-commonalities: 0.6 license: name: Apache 2.0 url: https://www.apache.org/licenses/LICENSE-2.0.html externalDocs: description: Product documentation at CAMARA url: https://github.com/camaraproject/OTPValidation servers: - url: "{apiRoot}/one-time-password-sms/vwip" variables: apiRoot: default: http://localhost:9091 description: API root, defined by the service provider, e.g. `api.example.com` or `api.example.com/somepath` tags: - name: OTP Management description: API operations to manage OTP codes paths: /send-code: post: tags: - OTP Management summary: Sends a message including an OTP code to the given phone number description: |- Sends an SMS with the desired message and an OTP code to the received phone number. operationId: sendCode parameters: - $ref: "#/components/parameters/x-correlator" requestBody: content: application/json: schema: $ref: '#/components/schemas/SendCodeBody' required: true responses: '200': description: OK headers: x-correlator: $ref: "#/components/headers/x-correlator" content: application/json: schema: $ref: '#/components/schemas/SendCodeResponse' '400': $ref: '#/components/responses/Generic400' '401': $ref: '#/components/responses/Generic401' '403': $ref: '#/components/responses/SendCodeForbiddenError403' '404': $ref: '#/components/responses/Generic404' '429': $ref: '#/components/responses/Generic429' security: - openId: - one-time-password-sms:send-validate /validate-code: post: tags: - OTP Management summary: Verifies the OTP received as input description: |- Verifies the code is valid for the received authenticationId operationId: validateCode parameters: - $ref: "#/components/parameters/x-correlator" requestBody: content: application/json: schema: $ref: '#/components/schemas/ValidateCodeBody' required: true responses: '204': description: The OTP was successfully validated headers: x-correlator: $ref: "#/components/headers/x-correlator" '400': $ref: '#/components/responses/ValidateCodeBadRequestError400' '401': $ref: '#/components/responses/Generic401' '403': $ref: '#/components/responses/Generic403' '404': $ref: '#/components/responses/Generic404' '429': $ref: '#/components/responses/Generic429' security: - openId: - one-time-password-sms:send-validate components: parameters: x-correlator: name: x-correlator in: header description: Correlation id for the different services schema: $ref: "#/components/schemas/XCorrelator" headers: x-correlator: description: Correlation id for the different services schema: $ref: "#/components/schemas/XCorrelator" schemas: XCorrelator: type: string pattern: ^[a-zA-Z0-9-_:;.\/<>{}]{0,256}$ example: "b4333c46-49c0-4f62-80d7-f0ef930f1c46" SendCodeBody: description: Structure to request sending a code to a phone number type: object properties: phoneNumber: $ref: '#/components/schemas/PhoneNumber' message: $ref: '#/components/schemas/Message' required: - message - phoneNumber SendCodeResponse: description: Structure to provide authentication identifier type: object properties: authenticationId: $ref: '#/components/schemas/AuthenticationId' required: - authenticationId ValidateCodeBody: description: Strcuture to request code verification type: object properties: authenticationId: $ref: '#/components/schemas/AuthenticationId' code: $ref: '#/components/schemas/Code' required: - authenticationId - code PhoneNumber: description: A public identifier addressing a telephone subscription. In mobile networks it corresponds to the MSISDN (Mobile Station International Subscriber Directory Number). In order to be globally unique it has to be formatted in international format, according to E.164 standard, prefixed with '+'. type: string pattern: '^\+[1-9][0-9]{4,14}$' example: '+346661113334' Message: type: string description: Message template used to compose the content of the SMS sent to the phone number. It must include the following label indicating where to include the short code `{{code}}` pattern: .*\{\{code\}\}.* maxLength: 160 example: '{{code}} is your short code to authenticate with Cool App via SMS' AuthenticationId: type: string description: unique id of the verification attempt the code belongs to. maxLength: 36 example: ea0840f3-3663-4149-bd10-c7c6b8912105 Code: type: string description: temporal, short code to be validated maxLength: 10 example: AJY3 ErrorInfo: description: Structure to describe error type: object required: - status - code - message properties: status: type: integer description: HTTP response status code code: type: string description: A human-readable code to describe the error message: type: string description: A human-readable description of what the event represents securitySchemes: openId: type: openIdConnect openIdConnectUrl: https://example.com/.well-known/openid-configuration responses: Generic400: description: Problem with the client request headers: x-correlator: $ref: "#/components/headers/x-correlator" content: application/json: schema: allOf: - $ref: "#/components/schemas/ErrorInfo" - type: object properties: status: enum: - 400 code: enum: - INVALID_ARGUMENT examples: GENERIC_400_INVALID_ARGUMENT: description: Invalid Argument. Generic Syntax Exception value: status: 400 code: INVALID_ARGUMENT message: Client specified an invalid argument, request body or query param. ValidateCodeBadRequestError400: description: |- Problem with the client request. In addition to regular scenario of `INVALID_ARGUMENT`, another scenarios may exist: - Too many unsuccessful attempts (`{"code": "ONE_TIME_PASSWORD_SMS.VERIFICATION_FAILED","message": "The maximum number of attempts for this authenticationId was exceeded without providing a valid OTP"}`) - Expired authenticationId (`{"code": "ONE_TIME_PASSWORD_SMS.VERIFICATION_EXPIRED","message": "The authenticationId is no longer valid"}`) - OTP is not valid for the provided authenticationId (`{"code": "ONE_TIME_PASSWORD_SMS.INVALID_OTP","message": "The provided OTP is not valid for this authenticationId"}`) headers: x-correlator: $ref: "#/components/headers/x-correlator" content: application/json: schema: allOf: - $ref: "#/components/schemas/ErrorInfo" - type: object properties: status: enum: - 400 code: enum: - INVALID_ARGUMENT - OUT_OF_RANGE - ONE_TIME_PASSWORD_SMS.VERIFICATION_FAILED - ONE_TIME_PASSWORD_SMS.VERIFICATION_EXPIRED - ONE_TIME_PASSWORD_SMS.INVALID_OTP examples: GENERIC_400_OUT_OF_RANGE: description: Out of Range. Specific Syntax Exception used when a given field has a pre-defined range or a invalid filter criteria combination is requested value: status: 400 code: OUT_OF_RANGE message: Client specified an invalid range. GENERIC_400_INVALID_ARGUMENT: value: status: 400 code: INVALID_ARGUMENT message: Client specified an invalid argument, request body or query param OTP_VALIDATION_400_VERIFICATION_FAILED: value: status: 400 code: ONE_TIME_PASSWORD_SMS.VERIFICATION_FAILED message: The maximum number of attempts for this authenticationId was exceeded without providing a valid OTP OTP_VALIDATION_400_VERIFICATION_EXPIRED: value: status: 400 code: ONE_TIME_PASSWORD_SMS.VERIFICATION_EXPIRED message: The authenticationId is no longer valid OTP_VALIDATION_400_INVALID_OTP: value: status: 400 code: ONE_TIME_PASSWORD_SMS.INVALID_OTP message: The provided OTP is not valid for this authenticationId Generic401: description: Authentication problem with the client request headers: x-correlator: $ref: "#/components/headers/x-correlator" content: application/json: schema: allOf: - $ref: "#/components/schemas/ErrorInfo" - type: object properties: status: enum: - 401 code: enum: - UNAUTHENTICATED examples: GENERIC_401_UNAUTHENTICATED: description: Request cannot be authenticated value: status: 401 code: UNAUTHENTICATED message: Request not authenticated due to missing, invalid, or expired credentials. Generic403: description: Client does not have sufficient permission headers: x-correlator: $ref: "#/components/headers/x-correlator" content: application/json: schema: allOf: - $ref: "#/components/schemas/ErrorInfo" - type: object properties: status: enum: - 403 code: enum: - PERMISSION_DENIED examples: GENERIC_403_PERMISSION_DENIED: description: Permission denied. OAuth2 token access does not have the required scope or when the user fails operational security value: status: 403 code: PERMISSION_DENIED message: Client does not have sufficient permissions to perform this action. SendCodeForbiddenError403: description: |- Client does not have sufficient permissions to perform this action. In addition to regular scenario of `PERMISSION_DENIED`, another scenarios may exist: - Too many code requests were sent (`{"code": "ONE_TIME_PASSWORD_SMS.MAX_OTP_CODES_EXCEEDED","message": "Too many OTPs have been requested for this MSISDN. Try later."}`) - The given phoneNumber can't receive an SMS due to business reasons in the operator, e.g. fraud, receiving SMS is not supported, etc (`{"code": "ONE_TIME_PASSWORD_SMS.PHONE_NUMBER_NOT_ALLOWED","message": "Phone_number can't receive an SMS due to business reasons in the operator."}`) - The given phoneNumber is blocked to receive SMS due to any blocking business reason in the operator (`{"code": "ONE_TIME_PASSWORD_SMS.PHONE_NUMBER_BLOCKED","message": "Phone_number is blocked to receive SMS due to any blocking business reason in the operator."}`) headers: x-correlator: $ref: "#/components/headers/x-correlator" content: application/json: schema: allOf: - $ref: "#/components/schemas/ErrorInfo" - type: object properties: status: enum: - 403 code: enum: - PERMISSION_DENIED - ONE_TIME_PASSWORD_SMS.MAX_OTP_CODES_EXCEEDED - ONE_TIME_PASSWORD_SMS.PHONE_NUMBER_NOT_ALLOWED - ONE_TIME_PASSWORD_SMS.PHONE_NUMBER_BLOCKED examples: GENERIC_403_PERMISSION_DENIED: value: status: 403 code: PERMISSION_DENIED message: Client does not have sufficient permissions to perform this action OTP_VALIDATION_403_MAX_OTP_CODES_EXCEEDED: value: status: 403 code: ONE_TIME_PASSWORD_SMS.MAX_OTP_CODES_EXCEEDED message: Too many OTPs have been requested for this MSISDN. Try later. OTP_VALIDATION_403_PHONE_NUMBER_NOT_ALLOWED: value: status: 403 code: ONE_TIME_PASSWORD_SMS.PHONE_NUMBER_NOT_ALLOWED message: Phone_number can't receive an SMS due to business reasons in the operator. OTP_VALIDATION_403_PHONE_NUMBER_BLOCKED: value: status: 403 code: ONE_TIME_PASSWORD_SMS.PHONE_NUMBER_BLOCKED message: Phone_number is blocked to receive SMS due to any blocking business reason in the operator. Generic404: description: Resource Not Found headers: x-correlator: $ref: "#/components/headers/x-correlator" content: application/json: schema: allOf: - $ref: "#/components/schemas/ErrorInfo" - type: object properties: status: enum: - 404 code: enum: - NOT_FOUND examples: GENERIC_404_NOT_FOUND: description: Resource is not found value: status: 404 code: NOT_FOUND message: The specified resource is not found. Generic429: description: Either out of resource quota or reaching rate limiting headers: x-correlator: $ref: "#/components/headers/x-correlator" content: application/json: schema: allOf: - $ref: "#/components/schemas/ErrorInfo" - type: object properties: status: enum: - 429 code: enum: - QUOTA_EXCEEDED - TOO_MANY_REQUESTS examples: GENERIC_429_QUOTA_EXCEEDED: description: Request is rejected due to exceeding a business quota limit value: status: 429 code: QUOTA_EXCEEDED message: Out of resource quota. GENERIC_429_TOO_MANY_REQUESTS: description: Access to the API has been temporarily blocked due to rate or spike arrest limits being reached value: status: 429 code: TOO_MANY_REQUESTS message: Rate limit reached.