Method: accounts.sendVerificationCode

Sends an SMS verification code for phone number sign-in.

To localize the text of the SMS sent to the user, set the HTTP header X-Firebase-Locale to the language code that corresponds with the user's locale.

An API key is required in the request in order to identify the Google Cloud project.

HTTP request

POST https://identitytoolkit.googleapis.com/v1/accounts:sendVerificationCode

The URL uses gRPC Transcoding syntax.

Request body

The request body contains data with the following structure:

JSON representation
{
  "phoneNumber": string,
  "iosReceipt": string,
  "iosSecret": string,
  "recaptchaToken": string,
  "tenantId": string,
  "autoRetrievalInfo": {
    object (AutoRetrievalInfo)
  },
  "safetyNetToken": string,
  "playIntegrityToken": string,
  "captchaResponse": string,
  "clientType": enum (ClientType),
  "recaptchaVersion": enum (RecaptchaVersion)
}
Fields
phoneNumber

string

The phone number to send the verification code to in E.164 format.

iosReceipt

string

Receipt of successful iOS app token validation. At least one of (iosReceipt and iosSecret), recaptchaToken, or safetyNetToken must be specified to verify the verification code is being sent on behalf of a real app and not an emulator, if 'captchaResponse' is not used (reCAPTCHA enterprise is not enabled). This should come from the response of verifyIosClient. If present, the caller should also provide the iosSecret, as well as a bundle ID in the x-ios-bundle-identifier header, which must match the bundle ID from the verifyIosClient request.

iosSecret

string

Secret delivered to iOS app as a push notification. Should be passed with an iosReceipt as well as the x-ios-bundle-identifier header.

recaptchaToken

string

Recaptcha token for app verification. At least one of (iosReceipt and iosSecret), recaptchaToken, or safetyNetToken must be specified to verify the verification code is being sent on behalf of a real app and not an emulator, if 'captchaResponse' is not used (reCAPTCHA enterprise is not enabled). The recaptcha should be generated by calling getRecaptchaParams and the recaptcha token will be generated on user completion of the recaptcha challenge.

tenantId

string

Tenant ID of the Identity Platform tenant the user is signing in to.

autoRetrievalInfo

object (AutoRetrievalInfo)

Android only. Used by Google Play Services to identify the app for auto-retrieval.

safetyNetToken

string

Android only. Used to assert application identity in place of a recaptcha token. At least one of (iosReceipt and iosSecret), recaptchaToken, or safetyNetToken must be specified to verify the verification code is being sent on behalf of a real app and not an emulator, if 'captchaResponse' is not used (reCAPTCHA enterprise is not enabled). A SafetyNet Token can be generated via the SafetyNet Android Attestation API, with the Base64 encoding of the phoneNumber field as the nonce.

playIntegrityToken

string

Android only. Used to assert application identity in place of a recaptcha token (and safetyNetToken). At least one of (iosReceipt and iosSecret), recaptchaToken, or playIntegrityToken must be specified to verify the verification code is being sent on behalf of a real app and not an emulator, if 'captchaResponse' is not used (reCAPTCHA enterprise is not enabled). A Play Integrity Token can be generated via the PlayIntegrity API, applying SHA256 to the phoneNumber field to produce the nonce.

captchaResponse

string

Optional. The reCAPTCHA Enterprise token provided by the reCAPTCHA client-side integration. Required when reCAPTCHA enterprise is enabled.

clientType

enum (ClientType)

Optional. The client type: web, android or ios. Required when reCAPTCHA Enterprise is enabled.

recaptchaVersion

enum (RecaptchaVersion)

Optional. The reCAPTCHA version of the reCAPTCHA token in the captchaResponse. Required when reCAPTCHA Enterprise is enabled.
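The field rules above can be checked before a request leaves the client or passes through a gateway. The following Python sketch is an added example, not part of the API reference: it applies the E.164, iOS pairing, app-verification and reCAPTCHA Enterprise rules and assembles the headers. The function names `check_request` and `build_request` are hypothetical, and the check treats the presence of captchaResponse as the signal that reCAPTCHA Enterprise is in use.

```python
import re

E164 = re.compile(r"^\+[1-9]\d{1,14}$")  # E.164: '+' followed by at most 15 digits
ENDPOINT = "https://identitytoolkit.googleapis.com/v1/accounts:sendVerificationCode"


def check_request(body, headers):
    """Return a list of problems with a sendVerificationCode request (empty = OK)."""
    problems = []
    if not E164.match(body.get("phoneNumber", "")):
        problems.append("phoneNumber is not in E.164 format")

    has_receipt = bool(body.get("iosReceipt"))
    has_secret = bool(body.get("iosSecret"))
    if has_receipt != has_secret:
        problems.append("iosReceipt and iosSecret must be sent together")
    if (has_receipt or has_secret) and not headers.get("x-ios-bundle-identifier"):
        problems.append("iOS proof requires the x-ios-bundle-identifier header")

    if body.get("captchaResponse"):
        # reCAPTCHA Enterprise path: these two fields become required.
        for field in ("clientType", "recaptchaVersion"):
            if not body.get(field):
                problems.append(f"{field} is required with captchaResponse")
    else:
        # Otherwise at least one proof that a real app is calling must be present.
        proofs = [has_receipt and has_secret, body.get("recaptchaToken"),
                  body.get("safetyNetToken"), body.get("playIntegrityToken")]
        if not any(proofs):
            problems.append("no app-verification proof supplied")
    return problems


def build_request(body, locale=None, ios_bundle_id=None):
    """Assemble the headers and validate; raises ValueError on a malformed request."""
    headers = {"Content-Type": "application/json"}
    if locale:
        headers["X-Firebase-Locale"] = locale  # localizes the SMS text
    if ios_bundle_id:
        headers["x-ios-bundle-identifier"] = ios_bundle_id
    problems = check_request(body, headers)
    if problems:
        raise ValueError("; ".join(problems))
    # The API key that identifies the project is supplied by the caller's HTTP layer.
    return {"method": "POST", "url": ENDPOINT, "headers": headers, "json": body}
```
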

Response body

Response message for accounts.sendVerificationCode.

If successful, the response body contains data with the following structure:

JSON representation
{
  "sessionInfo": string
}
Fields
sessionInfo

string

Encrypted session information. This can be used in signInWithPhoneNumber to authenticate the phone number.

Authorization scopes

Requires one of the following OAuth scopes:

  • https://www.googleapis.com/auth/identitytoolkit
  • https://www.googleapis.com/auth/cloud-platform

For more information, see the Authentication Overview.

AutoRetrievalInfo

The information required to auto-retrieve an SMS.

JSON representation
{
  "appSignatureHash": string
}
Fields
appSignatureHash

string

The Android app's signature hash for the Google Play services SMS Retriever API.