Authy One-Time Passwords (OTP)

Example JSON response

Send a One-time Password Via SMS

Default Behavior for Users with the Authy App Installed

If the user has the Authy App, by default, the API will not send the 2FA code via SMS or voice. Instead, a push notification will go to the device, prompting the user to start their app to get the code. The user's notification will look like this:

Authy push notification - app installed on attempt to send an SMS

If the user has the Authy app installed the API response will look like this:

{
    "message":"Ignored: SMS is not needed for smartphones. Pass force=true if you want to actually send it anyway.",
    "cellphone":"+1-XXX-XXX-XX02",
    "device":"android",
    "ignored":true,
    "success":true
}

Override Default Behavior and Force Sending SMS

You can override this behavior and force sending an SMS or Voice call. This is a useful override if a user is specifically selecting "Send SMS" or "Get code via voice call" in your application UI.

Example JSON response

Send a One-time Password Via SMS (Forced)

Custom Actions (Optional)

Optionally, you can limit a specific token to a single action, for example coupling a one-time password to a specific logon request or transaction. Most implementations will not need this feature.

You can pass action= and action_message= (optional) to send a code that is only valid for the given action. This is useful if you require codes to perform different actions on your app, for example, you can pass action=login&action_message="Login code" when sending a login code.

When using this option you must pass the same action when verifying the code.

Sending an SMS with custom actions will always send the SMS even if the user has the Authy app installed. Sending force=true is not necessary.
Codes generated through regular sms and the Authy app won't work when sending the custom actions parameters to the verify endpoint.
Custom actions is not supported for voice calls.

Example JSON response

Limit an OTP to a single action

Send a One-time Password Via SMS with a Custom Action

Limit an OTP to a single action

Send a One-Time Password via Voice

For users that don't own a smartphone or are having trouble with SMS Tokens, Authy allows you to use phone calls instead. Like SMS, by default this call will be ignored if the user is using the Authy Mobile app. You can override the default behavior with the force parameter.

GET https://api.authy.com/protected/{FORMAT}/call/{AUTHY_ID}

URL

Name	Description
`FORMAT` String	The format to expect back from the REST API call. `json` or `xml`.
`AUTHY_ID` Integer	The Authy ID of the user to send an SMS TOTP. Create an Authy ID by registering a user. Note that password delivery may be upgraded to use the Authy application; see response parameters below.

Parameters

Name	Description
`force` Boolean (optional)	Default is `false`. Set to `true` to send one-time passwords over the Voice channel even if the user has an Authy or SDK enabled app installed. Configure default behavior in the console. (🏢 not PII )
`action` String (optional)	The action or context we are trying to validate. (🏢 not PII )
`action_message` String (optional)	Message for the specific action. (🏢 not PII )
`locale` String (optional)	The language of the message received by user. If no locale is given, Twilio will try to autodetect it based on the country code. English is used if no locale is autodetected. More details above. (🏢 not PII )

Response

Name	Description
`success` Boolean	Returns true if the request was successful. (🏢 not PII )
`message` String	A message indicating what happened with the request. (🏢 not PII )
`cellphone` String	The country code and last two digits of phone number used to send the message, with the rest obfuscated. (🏢 not PII )
`ignored` Boolean	`True` if we detected an Authy or an SDK enabled app installed and we upgraded the OTP delivery channel from 'Voice' to Push Notification. Authy or SDK users are redirected directly to the requested token. (🏢 not PII )
`device` String	The type of the last device used by the user. This is only returned when we upgraded delivery from a voice call. (🏢 not PII )

Example JSON response

Send a One-time Password Via Voice Call

Default Behavior for Users with the Authy App Installed

If the user has the Authy App, by default, the API will not call the user. See above for more details. The API response will look like this:

{
  "message": "Call ignored. User is using  App Tokens and this call is not necessary. Pass force=true if you still want to call users that are using the App.",
  "cellphone": "+1-XXX-XXX-XX02",
  "device": "android",
  "ignored": true,
  "success": true
}

Like SMS, you can pass force=true as a parameter to this API. This will force the phone call to start even if the user is using the Authy app.

Verify a One-Time Password

To verify a one-time password pass in the user provided token and the user authy_id. Twilio will use HTTP status codes for the response.

GET https://api.authy.com/protected/{FORMAT}/verify/{TOKEN}/{AUTHY_ID}

URL

Name	Description
`FORMAT` String	The format to expect back from the REST API call. `json`, or `xml`.
`TOKEN` Integer	The token you are verifying.
`AUTHY_ID` String	The Authy ID of the user validating the TOTP. Create an Authy ID by registering a user.

Responses

Name	Description
`200`	Valid token (see note below)*
`401`	Invalid token. If you wish to verify the token anyway, pass `force=true`. See the force verification section below for an example.

*Note: Until you successfully verify a token for a new user, this call will return 200.

Response

Name	Description
`token` String	Either "is valid" or "is invalid" (🏢 not PII )
`success` String	"true" if the code was valid. Please note this field is a String and not a Boolean. (🏢 not PII )
`device` Object	An object including some details about the device used to get or generate the token. The fields included in the `device` object are: city, region, country, ip, registration_city, registration_region, registration_country, registration_ip, registration_date, os_type, last_account_recovery_at and id. (📇 PII )

When the TOTP token is generated in the Authy app or in the SDK, additional device information and registration data are provided in the response.

Example JSON response

Verify a Token

The same API is used to verify tokens from TOTP, sms, and voice channels. However when the OTP token is delivered via SMS or voice call, no additional device details are provided and the response will look like:

{
  "message": "Token is valid.",
  "token": "is valid",
  "success": "true",
  "device": {
    "id": null,
    "os_type": "sms",
    "registration_date": 1490996931,
    "registration_method": null,
    "registration_country": null,
    "registration_region": null,
    "registration_city": null,
    "country": null,
    "region": null,
    "city": null,
    "ip": null,
    "last_account_recovery_at": null,
    "last_sync_date": null
  }
}

Force One-Time Password Validation for Unregistered User

Use force=true to force verification of a one-time password from a new user.

curl -i "http://api.authy.com/protected/json/verify/{TOKEN}/{AUTHY_ID}" \
  -H "X-Authy-API-Key: d57d919d11e6b221c9bf6f7c882028f9"

Response if `force=false` or Not Set

{
  "token":"Not checked. User has not yet finished the registration process. Pass force=true to this API to check regardless (more secure)."
}

Response if `force=true`

{
  "errors": {
    "token":"is invalid"
  }
}

Verify Tokens when using Authy Custom Actions

When using custom actions to send SMS you have to pass action= to validate the one-time password.
For more information see Custom Actions.

{
  "token": "is valid"
}

Invalid Tokens

A verification attempt with an invalid token will return a 401 Unauthorized with the following Response body:

{
  "message": "Token is invalid",
  "token": "is invalid",
  "success": false,
  "errors": {
    "message": "Token is invalid"
  },
  "error_code": "60020"
}

Authenticator App Generated Time-based One-Time Passwords

Example JSON response