Method: accounts.sendVerificationCode

Sends an SMS verification code for phone number sign-in.

To localize the text of the SMS sent to the user, set the HTTP header X-Firebase-Locale to the language code that corresponds with the user's locale.

An API key is required in the request in order to identify the Google Cloud project.

HTTP request

POST https://identitytoolkit.googleapis.com/v1/accounts:sendVerificationCode

The URL uses gRPC Transcoding syntax.

Request body

The request body contains data with the following structure:

JSON representation
{
  "phoneNumber": string,
  "iosReceipt": string,
  "iosSecret": string,
  "recaptchaToken": string,
  "tenantId": string,
  "autoRetrievalInfo": {
    object (AutoRetrievalInfo)
  },
  "safetyNetToken": string,
  "playIntegrityToken": string
}
Fields
phoneNumber

string

The phone number to send the verification code to in E.164 format.

iosReceipt

string

Receipt of successful iOS app token validation. At least one of (iosReceipt and iosSecret), recaptchaToken, or safetyNetToken must be specified to verify the verification code is being sent on behalf of a real app and not an emulator. This should come from the response of verifyIosClient. If present, the caller should also provide the iosSecret, as well as a bundle ID in the x-ios-bundle-identifier header, which must match the bundle ID from the verifyIosClient request.

iosSecret

string

Secret delivered to iOS app as a push notification. Should be passed with an iosReceipt as well as the x-ios-bundle-identifier header.

recaptchaToken

string

Recaptcha token for app verification. At least one of (iosReceipt and iosSecret), recaptchaToken, or safetyNetToken must be specified to verify the verification code is being sent on behalf of a real app and not an emulator. The recaptcha should be generated by calling getRecaptchaParams and the recaptcha token will be generated on user completion of the recaptcha challenge.

tenantId

string

Tenant ID of the Identity Platform tenant the user is signing in to.

autoRetrievalInfo

object (AutoRetrievalInfo)

Android only. Used by Google Play Services to identify the app for auto-retrieval.

safetyNetToken

string

Android only. Used to assert application identity in place of a recaptcha token. At least one of (iosReceipt and iosSecret), recaptchaToken, or safetyNetToken must be specified to verify the verification code is being sent on behalf of a real app and not an emulator. A SafetyNet Token can be generated via the SafetyNet Android Attestation API, with the Base64 encoding of the phoneNumber field as the nonce.

playIntegrityToken

string

Android only. Used to assert application identity in place of a recaptcha token (and safetyNetToken). At least one of (iosReceipt and iosSecret), recaptchaToken, or playIntegrityToken must be specified to verify the verification code is being sent on behalf of a real app and not an emulator. A Play Integrity Token can be generated via the PlayIntegrity API, applying SHA256 to the phoneNumber field to produce the nonce.
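The following is an added example, not part of the API reference or of any Google SDK: a pre-flight builder that enforces the field rules above (E.164 number, at least one app verification proof, iosReceipt paired with iosSecret and the bundle ID header) before a request is sent, and derives the nonce inputs described for safetyNetToken and playIntegrityToken. Assumptions: the function names are hypothetical, the API key is passed as the `key` query parameter, the E.164 pattern is a common approximation, and all sample values are constructed.

```python
import base64
import hashlib
import re
from urllib.parse import urlencode

ENDPOINT = "https://identitytoolkit.googleapis.com/v1/accounts:sendVerificationCode"
E164 = re.compile(r"\+[1-9]\d{1,14}")  # assumption: '+' then at most 15 digits
PROOFS = ("recaptchaToken", "safetyNetToken", "playIntegrityToken")
ALLOWED = set(PROOFS) | {"iosReceipt", "iosSecret", "tenantId", "autoRetrievalInfo"}


def safetynet_nonce(phone_number):
    """Base64 encoding of phoneNumber, as the safetyNetToken field describes."""
    return base64.b64encode(phone_number.encode("utf-8")).decode("ascii")


def play_integrity_nonce_digest(phone_number):
    """Raw SHA-256 of phoneNumber; the page does not state the wire encoding."""
    return hashlib.sha256(phone_number.encode("utf-8")).digest()


def build_request(api_key, phone_number, *, locale=None, ios_bundle_id=None, **fields):
    """Return (url, headers, body) or raise ValueError. Performs no network I/O."""
    if not E164.fullmatch(phone_number):
        raise ValueError("phoneNumber must be in E.164 format")
    unknown = set(fields) - ALLOWED
    if unknown:
        raise ValueError(f"unknown fields: {sorted(unknown)}")
    body = {"phoneNumber": phone_number}
    body.update({k: v for k, v in fields.items() if v})
    has_ios = "iosReceipt" in body or "iosSecret" in body
    # The iOS proof is only valid as receipt + secret + matching bundle ID header.
    if has_ios and not ("iosReceipt" in body and "iosSecret" in body and ios_bundle_id):
        raise ValueError("iosReceipt needs iosSecret and x-ios-bundle-identifier")
    if not (has_ios or any(k in body for k in PROOFS)):
        raise ValueError("no app verification proof supplied")
    headers = {"Content-Type": "application/json"}
    if locale:
        headers["X-Firebase-Locale"] = locale  # localizes the SMS text
    if ios_bundle_id:
        headers["x-ios-bundle-identifier"] = ios_bundle_id
    return f"{ENDPOINT}?{urlencode({'key': api_key})}", headers, body


if __name__ == "__main__":
    # Constructed sample values; nothing is sent.
    print(build_request("CONSTRUCTED_KEY", "+15555550100", locale="fr",
                        recaptchaToken="constructed-token"))
```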

Response body

Response message for accounts.sendVerificationCode.

If successful, the response body contains data with the following structure:

JSON representation
{
  "sessionInfo": string
}
Fields
sessionInfo

string

Encrypted session information. This can be used in signInWithPhoneNumber to authenticate the phone number.

Authorization scopes

Requires one of the following OAuth scopes:

  • https://www.googleapis.com/auth/identitytoolkit
  • https://www.googleapis.com/auth/cloud-platform

For more information, see the Authentication Overview.

AutoRetrievalInfo

The information required to auto-retrieve an SMS.

JSON representation
{
  "appSignatureHash": string
}
Fields
appSignatureHash

string

The Android app's signature hash for Google Play Services' SMS Retriever API.