Phone API
Account API endpoints for phone number verification and management
Manage phone numbers on user identities via the Account API. Phone verification is a prerequisite for SMS MFA enrolment.
Authentication
| API | Token | Base URL |
|---|---|---|
| Account API | User access token (Authorization: Bearer eyJ...) | https://TENANT.api.wocha.ai/v1/account |
All endpoints require a valid user OAuth access token. Management API keys cannot call Account API routes.
Phone verification flow
Phone verification is a two-step process: initiate (POST), then verify (PUT).
Start phone verification
Send an OTP to the provided phone number.
Response 201 Created:
| Field | Description |
|---|---|
status | Always pending after a successful OTP send |
phone_number_masked | Masked display format for the UI |
The pending verification expires after 15 minutes. A new POST replaces any existing
pending verification.
Errors:
| Status | Code | When |
|---|---|---|
422 | validation_error | Invalid E.164 phone number |
429 | rate_limited | Per-phone or per-tenant rate limit exceeded |
503 | service_unavailable | SMS not enabled or gateway not configured |
404 | not_found | User identity not found |
502 | upstream_error | OTP send failed at the provider |
Verify phone number
Submit the 6-digit OTP code to verify the phone and update the identity trait.
Response 200 OK:
On success, the phone_number trait is set on the Kratos identity and the pending
verification is cleared.
Errors:
| Status | Code | When |
|---|---|---|
422 | validation_error | Invalid code, expired verification, or max attempts exceeded |
404 | not_found | No pending phone verification — call POST first |
400 | validation_error | Request body is not valid JSON |
503 | service_unavailable | SMS gateway not configured |
Remove phone number
Response 200 OK:
Errors:
| Status | Code | When |
|---|---|---|
409 | conflict | SMS MFA is still enrolled — remove SMS MFA first |
404 | not_found | No phone number registered |
Code examples
cURL
JavaScript
React SDK
E.164 requirements
Phone numbers must match the pattern ^\+[1-9][0-9]{6,14}$:
- Start with
+followed by country code - No spaces, dashes, or parentheses
- 7–15 digits total (including country code)
Valid: +447911123456, +15551234567
Invalid: 07911123456, +44 7911 123456, 447911123456
Related
- SMS MFA API — enrol SMS as an MFA factor
- SMS setup guide — configure providers in the Console
- MFA API — TOTP and MFA status endpoints