Method: accounts.sendOobCode

Sends an out-of-band confirmation code for an account. Requests from a authenticated request can optionally return a link including the OOB code instead of sending it.

HTTP request

POST https://identitytoolkit.googleapis.com/v1/accounts:sendOobCode

The URL uses gRPC Transcoding syntax.

Request body

The request body contains data with the following structure:

JSON representation
{
  "requestType": enum (OobReqType),
  "email": string,
  "challenge": string,
  "captchaResp": string,
  "userIp": string,
  "newEmail": string,
  "idToken": string,
  "continueUrl": string,
  "iOSBundleId": string,
  "iOSAppStoreId": string,
  "androidPackageName": string,
  "androidInstallApp": boolean,
  "androidMinimumVersion": string,
  "canHandleCodeInApp": boolean,
  "tenantId": string,
  "targetProjectId": string,
  "dynamicLinkDomain": string,
  "returnOobLink": boolean,
  "clientType": enum (ClientType),
  "recaptchaVersion": enum (RecaptchaVersion)
}
Fields
requestType

enum (OobReqType)

Required. The type of out-of-band (OOB) code to send. Depending on this value, other fields in this request will be required and/or have different meanings. There are 4 different OOB codes that can be sent: * PASSWORD_RESET * EMAIL_SIGNIN * VERIFY_EMAIL * VERIFY_AND_CHANGE_EMAIL

email

string

The account's email address to send the OOB code to, and generally the email address of the account that needs to be updated. Required for PASSWORD_RESET, EMAIL_SIGNIN, and VERIFY_EMAIL. Only required for VERIFY_AND_CHANGE_EMAIL requests when returnOobLink is set to true. In this case, it is the original email of the user.

challenge
(deprecated)

string

captchaResp

string

For a PASSWORD_RESET request, a reCaptcha response is required when the system detects possible abuse activity. In those cases, this is the response from the reCaptcha challenge used to verify the caller.

userIp

string

The IP address of the caller. Required only for PASSWORD_RESET requests.

newEmail

string

The email address the account is being updated to. Required only for VERIFY_AND_CHANGE_EMAIL requests.

idToken

string

An ID token for the account. It is required for VERIFY_AND_CHANGE_EMAIL and VERIFY_EMAIL requests unless returnOobLink is set to true.

continueUrl

string

The Url to continue after user clicks the link sent in email. This is the url that will allow the web widget to handle the OOB code.

iOSBundleId

string

If an associated iOS app can handle the OOB code, the iOS bundle id of this app. This will allow the correct app to open if it is already installed.

iOSAppStoreId

string

If an associated iOS app can handle the OOB code, the App Store id of this app. This will allow App Store to open to the correct app if the app is not yet installed.

androidPackageName

string

If an associated android app can handle the OOB code, the Android package name of the android app that will handle the callback when this OOB code is used. This will allow the correct app to open if it is already installed, or allow Google Play Store to open to the correct app if it is not yet installed.

androidInstallApp

boolean

If an associated android app can handle the OOB code, whether or not to install the android app on the device where the link is opened if the app is not already installed.

androidMinimumVersion

string

If an associated android app can handle the OOB code, the minimum version of the app. If the version on the device is lower than this version then the user is taken to Google Play Store to upgrade the app.

canHandleCodeInApp

boolean

When set to true, the OOB code link will be be sent as a Universal Link or an Android App Link and will be opened by the corresponding app if installed. If not set, or set to false, the OOB code will be sent to the web widget first and then on continue will redirect to the app if installed.

tenantId

string

The tenant ID of the Identity Platform tenant the account belongs to.

targetProjectId

string

The Project ID of the Identity Platform project which the account belongs to. To specify this field, it requires a Google OAuth 2.0 credential with proper permissions.

Authorization requires the following IAM permission on the specified resource targetProjectId:

  • firebaseauth.users.sendEmail
clientType

enum (ClientType)

The client type: web, Android or iOS. Required when reCAPTCHA Enterprise protection is enabled.

recaptchaVersion

enum (RecaptchaVersion)

The reCAPTCHA version of the reCAPTCHA token in the captchaResponse.

Response body

If successful, the response body contains an instance of GetOobCodeResponse.

Authorization scopes

Requires one of the following OAuth scopes:

  • https://www.googleapis.com/auth/identitytoolkit
  • https://www.googleapis.com/auth/cloud-platform

For more information, see the Authentication Overview.