You can use Streambird Auth to complement your existing authentication as a 2-factor authentication method.

This example assumes that you call the Streambird Auth API from your backend with your Streambird ApiKey, which has access to your entire App on Streambird.

1 - Implement OTP UI

Implement 2 UI screens to enable OTP

  1. Screen to enter phone number
  2. Screen to submit OTP

2 - Create or Update an existing user

Each user must be stored on Streambird Auth, so we recommend storing the auto-generated User ID from the response in your database/backend, in a column or field against that user (anything works as long as you can associate your user with the auto-generated ID returned by Streambird).

We ensure that each mobile number or email is attached to ONLY a single user at any time. If the user does not yet exist on Streambird, use the CreateUser endpoint to create one; otherwise, use the UpdateUser endpoint to attach the phone number to the user by sending in the user's Streambird user ID.

Create user

cURL
curl --location --request POST 'https://api.streambird.io/v1/auth/users/create' \
--header 'Authorization: Bearer sk_test_KJuRUZmh1XC342h1n39gH84MuSZDyD13NfhtDkaY6IfwpQA0H' \
--header 'Content-Type: application/json' \
--data-raw '{
    "phone_number": "+14152222222"
}'

Update user

cURL
curl --location --request POST 'https://api.streambird.io/v1/auth/users/user_24wFP9pDa9YiMJLun94iKykoZs2/update' \
--header 'Authorization: Bearer sk_test_KJuRUZmh1XC342h1n39gH84MuSZDyD13NfhtDkaY6IfwpQA0H' \
--header 'Content-Type: application/json' \
--data-raw '{
    "phone_numbers": [
        {
            "phone_number": "+14152222222"
        }
    ]
}'

3 - Send OTP by SMS

Once we have a user associated with the phone number, we can initiate an SMS OTP request to that phone number using the CreateSmsOTP endpoint.

cURL
curl --location --request POST 'https://api.streambird.io/v1/auth/otps/sms/send' \
--header 'Authorization: Bearer sk_test_KJuRUZmh1XC342h1n39gH84MuSZDyD13NfhtDkaY6IfwpQA0H' \
--header 'Content-Type: application/json' \
--data-raw '{
    "phone_number": "+14152222222"
}'

4 - Verify OTP (One-time passcode)

In the previous step, Streambird Auth returns a response like the following:

JSON
{
    "phone_number_id": "pn_24oXBLRv6BoHXbNZoTAZkAFlRsy",
    "user_active": true,
    "user_id": "user_24wFP9pDa9YiMJLun94iKykoZs2"
}

The phone_number_id will be used as the method_id in the VerifyOTP endpoint.

cURL
curl --location --request POST 'https://api.streambird.io/v1/auth/otps/verify' \
--header 'Authorization: Bearer sk_test_KJuRUZmh1XC342h1n39gH84MuSZDyD13NfhtDkaY6IfwpQA0H' \
--header 'Content-Type: application/json' \
--data-raw '{
    "method_id": "pn_24oXBLRv6BoHXbNZoTAZkAFlRsy",
    "otp": "982303"
}'

If you send in session_token or session_expires_in parameters, a new session will then be created or extended for the given user and the session token returned.

JSON
{
    "method_id": "pn_24oXBLRv6BoHXbNZoTAZkAFlRsy",
    "method_type": "phone_number",
    "session_token": "Fe8byh3HfbdopzNBu36hSMBDYDZGJAegwE9PvA3R0Ynqw1GBMpnABxuOveA0sAhU",
    "user_id": "user_24wFP9pDa9YiMJLun94iKykoZs2"
}

You can then return your existing access token or session cookie to your user like you currently do in your application.

If the user typed in an invalid OTP, we will return:

JSON
{
    "status_code": 400,
    "error_message": "Invalid OTP Code.",
    "error_type": "invalid_otp"
}

You can return or display this error to your user via your API or application.

Voila! You have now integrated 2-factor Authentication (2FA/MFA) and Signup into your application without building and maintaining additional infrastructure. Let us take care of Authentication and you can focus on your core product.

The returned session_token can also be stored browser-side with the user, via cookie or localStorage, if you want to use the Sessions API provided by Streambird to manage the session lifecycle for your User.
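
The following is an added example, not Streambird's own code, of how a backend could wrap steps 3 and 4 so that the second factor stays tied to the user who already passed your primary login. The endpoints and response fields are the ones shown above; the `pending` dict (server-side state for the in-progress login), the `STREAMBIRD_API_KEY` environment variable, the injectable `post` parameter and the five-attempt cap are assumptions of this example.

```python
import json
import os
import urllib.error
import urllib.request

API = "https://api.streambird.io/v1/auth"  # base URL from the cURL calls above


def http_post(path, body):
    """POST JSON to Streambird; the key is read from the environment (assumed name)."""
    req = urllib.request.Request(
        API + path,
        data=json.dumps(body).encode(),
        headers={
            "Authorization": "Bearer " + os.environ["STREAMBIRD_API_KEY"],
            "Content-Type": "application/json",
        },
    )
    try:
        with urllib.request.urlopen(req, timeout=10) as resp:
            return json.load(resp)
    except urllib.error.HTTPError as err:  # e.g. the 400 invalid_otp body
        return json.load(err)


def start_second_factor(pending, phone_number, post=http_post):
    """Step 3: send the SMS OTP and pin method_id to the server-side pending login."""
    resp = post("/otps/sms/send", {"phone_number": phone_number})
    if resp.get("user_id") != pending["streambird_user_id"]:
        raise PermissionError("phone number is not attached to this user")
    pending["method_id"] = resp["phone_number_id"]  # never taken from the client
    pending["attempts"] = 0


def finish_second_factor(pending, otp, post=http_post, max_attempts=5):
    """Step 4: verify the OTP; True only when the app may issue its own session."""
    if pending["attempts"] >= max_attempts:
        return False  # app-side guess limit (assumed policy); require a fresh OTP
    pending["attempts"] += 1
    resp = post("/otps/verify", {"method_id": pending["method_id"], "otp": otp})
    if resp.get("error_type") == "invalid_otp":
        return False
    # Success must name the same user who passed the first factor.
    return resp.get("user_id") == pending["streambird_user_id"]
```

Issue your existing access token or session cookie only after `finish_second_factor` returns `True`, and discard `pending` once it does.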