Method: accounts.sendVerificationCode

Sends a SMS verification code for phone number sign-in.

To localize the text of the SMS sent to the user, set the HTTP header X-Firebase-Locale to the language code that corresponds with the user's locale.

An API key is required in the request in order to identify the Google Cloud project.

HTTP request

POST https://identitytoolkit.googleapis.com/v1/accounts:sendVerificationCode

The URL uses gRPC Transcoding syntax.

Request body

The request body contains data with the following structure:

JSON representation
{
  "phoneNumber": string,
  "iosReceipt": string,
  "iosSecret": string,
  "recaptchaToken": string,
  "tenantId": string,
  "autoRetrievalInfo": {
    object (AutoRetrievalInfo)
  },
  "safetyNetToken": string,
  "playIntegrityToken": string,
  "captchaResponse": string,
  "clientType": enum (ClientType),
  "recaptchaVersion": enum (RecaptchaVersion)
}
Fields
phoneNumber

string

The phone number to send the verification code to in E.164 format.

iosReceipt

string

Receipt of successful iOS app token validation. At least one of (iosReceipt and iosSecret), recaptchaToken, or safetyNetToken must be specified to verify the verification code is being sent on behalf of a real app and not an emulator, if 'captchaResponse' is not used (reCAPTCHA enterprise is not enabled). This should come from the response of verifyIosClient. If present, the caller should also provide the iosSecret, as well as a bundle ID in the x-ios-bundle-identifier header, which must match the bundle ID from the verifyIosClient request.

iosSecret

string

Secret delivered to iOS app as a push notification. Should be passed with an iosReceipt as well as the x-ios-bundle-identifier header.

recaptchaToken

string

Recaptcha token for app verification. At least one of (iosReceipt and iosSecret), recaptchaToken, or safetyNetToken must be specified to verify the verification code is being sent on behalf of a real app and not an emulator, if 'captchaResponse' is not used (reCAPTCHA enterprise is not enabled). The recaptcha should be generated by calling getRecaptchaParams and the recaptcha token will be generated on user completion of the recaptcha challenge.

tenantId

string

Tenant ID of the Identity Platform tenant the user is signing in to.

autoRetrievalInfo

object (AutoRetrievalInfo)

Android only. Used by Google Play Services to identify the app for auto-retrieval.

safetyNetToken

string

Android only. Used to assert application identity in place of a recaptcha token. At least one of (iosReceipt and iosSecret), recaptchaToken, or safetyNetToken must be specified to verify the verification code is being sent on behalf of a real app and not an emulator, if 'captchaResponse' is not used (reCAPTCHA enterprise is not enabled). A SafetyNet Token can be generated via the SafetyNet Android Attestation API, with the Base64 encoding of the phoneNumber field as the nonce.

playIntegrityToken

string

Android only. Used to assert application identity in place of a recaptcha token (and safetyNetToken). At least one of (iosReceipt and iosSecret), recaptchaToken, , or playIntegrityToken must be specified to verify the verification code is being sent on behalf of a real app and not an emulator, if 'captchaResponse' is not used (reCAPTCHA enterprise is not enabled). A Play Integrity Token can be generated via the PlayIntegrity API with applying SHA256 to the phoneNumber field as the nonce.

captchaResponse

string

Optional. The reCAPTCHA Enterprise token provided by the reCAPTCHA client-side integration. Required when reCAPTCHA enterprise is enabled.

clientType

enum (ClientType)

Optional. The client type, web, android or ios. Required when reCAPTCHA Enterprise is enabled.

recaptchaVersion

enum (RecaptchaVersion)

Optional. The reCAPTCHA version of the reCAPTCHA token in the captchaResponse. Required when reCAPTCHA Enterprise is enabled.

Response body

Response message for accounts.sendVerificationCode.

If successful, the response body contains data with the following structure:

JSON representation
{
  "sessionInfo": string
}
Fields
sessionInfo

string

Encrypted session information. This can be used in signInWithPhoneNumber to authenticate the phone number.

Authorization scopes

Requires one of the following OAuth scopes:

  • https://www.googleapis.com/auth/identitytoolkit
  • https://www.googleapis.com/auth/cloud-platform

For more information, see the Authentication Overview.

AutoRetrievalInfo

The information required to auto-retrieve an SMS.

JSON representation
{
  "appSignatureHash": string
}
Fields
appSignatureHash

string

The Android app's signature hash for Google Play Service's SMS Retriever API.