SMS Verification API Android
In this article, we will learn about SMS verification using the SMS Verification API.
The API provides us with 2 ways of handling one-time password verification in Android applications.
If your current applications have a use case for one-time password verification with a phone number, or you are going to implement it in the future, you should consider the SMS Verification API.
Handle verification in such a way that your user does not have to go back and forth to the messaging app to get the code and enter it into your application.
The SMS Verification API provides 2 ways to handle SMS verification:
- SMS Retriever API
- SMS User Consent API
SMS Retriever API
It provides a fully automated user experience and should be used when possible.
It does, however, require you to place a custom hash code in the message body, and this may be difficult to do if you’re not the sender of that message.
SMS User Consent API
Use this API if you don’t have any control on the server side to customize the content of the message.
It does not require the custom hash code. It does, however, require the user to approve your app’s request to access the message containing the verification code.
In order to minimize the chances of surfacing the wrong message to the user, SMS User Consent will check if the message contains a 4–10 character alphanumeric code containing at least one number.
It will also filter out messages from senders in the user’s Contacts list, which means that if the sender’s number is saved in the contacts, the message will not be processed by the API.
The differences are summarized in the table below:
Implementation of SMS User Consent API
To implement an SMS verification flow using the SMS User Consent API, you need to interact with both a backend server to send the SMS and the SMS User Consent API to prompt the user for access to a single message containing a one-time code.
- The API does not require any permissions, and displays the number(s) available on the phone or Google Account for the user to select.
- When the user selects a phone number, it will be returned to the application in onActivityResult in E.164 format.
Step by step, your app and server must do the following to implement an SMS verification flow using the SMS User Consent API:
- Your app calls the SMS User Consent API to begin listening for an SMS response from the server. SMS messages received prior to starting SMS User Consent will not be forwarded to your app.
- After you start the SMS User Consent API, your app makes a request to a server to verify a user’s phone number using SMS verification.
- When the user’s device receives the SMS message containing a one-time code, Google Play services displays the contents of the message to the user and asks for consent to make that text available to your app.
- If the user consents, the entire SMS message is made available to your app.
- Your app parses out the one-time code from the message text and sends it to the server.
Install dependencies
- Include the Play Services auth component in your app’s build.gradle file:
implementation 'com.google.android.gms:play-services-auth:19.0.0'
implementation 'com.google.android.gms:play-services-auth-api-phone:17.5.0'
Get the user’s phone number
If you already have the user’s phone number, you can skip this step.
Request the phone number before you start an SMS verification flow.
You can obtain the user’s phone number in a manner that is appropriate for your app.
Consider using the Smart Lock for Passwords hint selector to help the user fill out their phone number.
To use the hint selector:
Start listening for incoming messages
For the next five minutes, when the device receives an SMS message that contains a one-time code, Play services will broadcast to your app an intent to prompt the user for permission to read the message.
A message triggers the broadcast only if it meets these criteria:
- Message contains a 4–10 character alphanumeric string with at least one number.
- Message was sent by a phone number that’s not in the user’s contacts.
- If you specified the sender’s phone number, the message was sent by that number.
Handle these broadcasts with a broadcast receiver that has the SEND_PERMISSION permission and responds to SMS_RETRIEVED_ACTION intents.
To create and register the broadcast receiver:
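A receiver and consent flow covering the steps above, written as an added example (not code from the original article). It assumes the androidx.core library for ContextCompat; VerifyPhoneActivity, submitCode, the request code and the 6-digit code format are hypothetical.

```kotlin
import android.app.Activity
import android.content.BroadcastReceiver
import android.content.Context
import android.content.Intent
import android.content.IntentFilter
import android.os.Bundle
import androidx.core.content.ContextCompat
import com.google.android.gms.auth.api.phone.SmsRetriever
import com.google.android.gms.common.api.CommonStatusCodes
import com.google.android.gms.common.api.Status

private const val SMS_CONSENT_REQUEST = 2           // arbitrary request code (assumption)
private val OTP_PATTERN = Regex("""\b\d{6}\b""")    // assumes the server sends a 6-digit code
class VerifyPhoneActivity : Activity() {            // hypothetical activity name
    private val smsReceiver = object : BroadcastReceiver() {
        @Suppress("DEPRECATION")
        override fun onReceive(context: Context, intent: Intent) {
            if (intent.action != SmsRetriever.SMS_RETRIEVED_ACTION) return
            val status = intent.getParcelableExtra<Status>(SmsRetriever.EXTRA_STATUS) ?: return
            when (status.statusCode) {
                CommonStatusCodes.SUCCESS -> {
                    // Play services supplies the intent that shows the consent prompt.
                    val consent = intent.getParcelableExtra<Intent>(SmsRetriever.EXTRA_CONSENT_INTENT) ?: return
                    startActivityForResult(consent, SMS_CONSENT_REQUEST)
                }
                CommonStatusCodes.TIMEOUT -> Unit   // five-minute window elapsed; let the user retry
            }
        }
    }

    override fun onCreate(savedInstanceState: Bundle?) {
        super.onCreate(savedInstanceState)
        // Only senders holding SEND_PERMISSION (Play services) can deliver this broadcast.
        ContextCompat.registerReceiver(this, smsReceiver, IntentFilter(SmsRetriever.SMS_RETRIEVED_ACTION),
            SmsRetriever.SEND_PERMISSION, null, ContextCompat.RECEIVER_EXPORTED)
        // Start listening before asking the server to send the SMS; null accepts any sender.
        SmsRetriever.getClient(this).startSmsUserConsent(null)
    }
    override fun onActivityResult(requestCode: Int, resultCode: Int, data: Intent?) {
        super.onActivityResult(requestCode, resultCode, data)
        if (requestCode != SMS_CONSENT_REQUEST || resultCode != RESULT_OK) return  // consent denied
        val message = data?.getStringExtra(SmsRetriever.EXTRA_SMS_MESSAGE) ?: return
        // Extract only the expected token; the server remains the authority on validity.
        val code = OTP_PATTERN.find(message)?.value ?: return
        submitCode(code)
    }
    private fun submitCode(code: String) { /* app-specific: send the code to your backend */ }
    override fun onDestroy() { unregisterReceiver(smsReceiver); super.onDestroy() }
}
```

Passing your sender's number instead of null to startSmsUserConsent narrows the prompt to messages from that number, as described in the criteria above.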