Verify Email/Phone Number
Authentication API that can be called from your mobile apps. This API utilizes an in-app webview with cookies sharing to allow a single-sign-on for bypassing email and phone number verification.
Last updated
Authentication API that can be called from your mobile apps. This API utilizes an in-app webview with cookies sharing to allow a single-sign-on for bypassing email and phone number verification.
Last updated
Concepts: Learn about how Sign in with Email/Phone Number works.
Verifying email and phone number in your mobile app using our Authentication API consists of the following steps:
Open a WebView within your app with shared cookies
Direct users to Cotter's Auth page
Redirect back to your app with an authorization code
Call Cotter API with the authorization code
Get back the user's email or phone number, and whether or not it's verified
Here's an example on opening the in-app Browser from iOS and Android
Android: Use the Trusted Web Activity
iOS: Use the ASWebAuthenticationSession
For mobile apps, we're going to use the OAuth 2.0 Authorization Code Flow with Proof Key for Code Exchange (PKCE). This flow is recommended for Mobile Apps because:
Mobile apps can't securely store the Secret Key. This is because decompiling the App will reveal the Secret Key, and there's only one secret key so it'll be the same for all users.
Sending tokens to Custom URL schemes (ex. YourApp://) will potentially expose the tokens to malicious apps.
Create a code_verifier
and a code_challenge
Request Authorization from Cotter: Redirect user to Cotter to verify their email/phone and receive an authorization_code
back to your app.
Request Tokens and Identity: Send your authorization_code
and code_verifier
to Cotter server and get back a token
and the user's email or phone number.
Include Token to your server: The token contains the user's verified email/phone number and a signature. Include this to your signup/login request to your backend
A code_verifier
is a cryptographically-random key that will be sent to Cotter along with the authorization_code
on Step 3. Read more about what are code challenge and verifier.
A code_challenge
is the hashed version of your code_verifier
. We will send this hash on step 2 when you're requesting an authentication from Cotter.
The code_challenge
is sent first so that later in step 3, Cotter's server can verify that hash(code_verifier)
is the same as code_challenge
and that you are indeed made the original request.
To check if your code_challenge
and code_verifier
are correctly generated and formatted, try comparing it with codes generated here https://example-app.com/pkce
Open Cotter's Auth URL from a WebView from your app.
Query Parameter
Type
Description
api_key
string
Your API_KEY_ID
redirect_url
string
Your app's URL scheme where Cotter Auth will redirect back your users to your app
Example: com.example.app:redirect_uri_path
or http://127.0.0.1:port
type
string
EMAIL
or PHONE
code_challenge
string
state
string
Make sure the scheme of your redirect_url
(the front part before ://
) doesn't have an underscore or other special characters. To test it out, enter your redirect_url
here: https://jsfiddle.net/omd02jn5/
Here's an example on opening the in-app Browser from iOS and Android
Android: Use the Trusted Web Activity
iOS: Use the ASWebAuthenticationSession
After the user's email or phone is verified, Cotter will redirect back to your app using redirect_url
that you specified in step 2.
You should check that the state
is the same as the initial state you passed in to the URL here.
In this step, you'll use your code_verifier
, authorization_code
and the challenge_id
to request tokens
and the user's email or phone number from Cotter's server.
Your authorization_token
is valid for 5 minutes, and can only be used once.
POST
https://www.cotter.app/api/v0/verify/get_identity
Request for tokens and user's email or phone number verification state (successfully verified or not).
oauth_token
boolean
If true
, will return OAuth Tokens (read "Handling Authentication with Cotter")
API_KEY_ID
string
Your API_KEY_ID
Content-Type
string
application/json
code_verifier
string
Your code_verifier
created in Step 1
authorization_code
string
The authorization_code
received in Step 2
challenge_id
integer
The challenge_id
received in Step 2
redirect_url
string
This MUST match the redirect_url
you specified in Step 2
Now that the email or phone number is verified, you can continue your Sign Up or Login process by submitting the email or phone number to your server, either now or after the user enters more information.
You should include this oauth_tokens
into your call to your backend for Login or Registration. Your backend should then verify that the access token is valid.
Check out how to verify the OAuth Tokens from Cotter here:
Since you'll be using your API Key from a front-end website or mobile app, your API_KEY_ID
is exposed to anyone inspecting your code. Here are some ways to prevent abuse:
Your app generates state=XYZ
in the beginning of the auth flow. You should expect that Cotter's response on Step 2 when Cotter redirect back to your redirect_url
, the state is the same (state == XYZ
). This makes sure that the redirect was in response to your initial authentication request.
This is needed for installed apps / SPA because they cannot store the Api Secret Key securely, so the code_challenge
and code_verifier
is for Cotter to make sure that the original App that requested authentication on Step 2 is the same as the one that asked for access token on Step 3.
The code_challenge
you created in
A random string that you generate from your application before opening to Cotter's Auth (ex. abcXYZ456
). This is not the same as your code_verifier
. You need to check if the state
included by Cotter in the redirect_url
is the same as the initial state
that you set to make sure the request is for you. Learn more about .