Authentication
SMS Authentication
SMS authentication enables users to authenticate their Turnkey account using their phone number via a 6-9 digit or bech32 alphanumeric one-time password (OTP). When authenticated, users receive an expiring API key stored in memory within an iframe, which functions like a session key to access their wallet.
Access and Pricing
SMS authentication is available to all Enterprise customers. To enable this feature, please reach out to the Turnkey team. SMS pricing is usage-based and varies depending on the country of the destination phone number. A downloadable price list for all supported countries is available here as a CSV.Prerequisites
Make sure you have set up your primary Turnkey organization with at least one API user that can programmatically initiate OTP and create suborganizations. Check out our Quickstart guide if you need help getting started. To allow an API user to initiate email auth, you’ll need the following policy in your main organization:How It Works
SMS authentication uses three activities:INIT_OTP- sends a 6-9 digit or bech32 alphanumeric OTP code to the specified phone numberVERIFY_OTP- verifies the code and returns a verificationToken JWTOTP_LOGIN- verified the verificationToken and returns a session JWT
Implementation
Initiating SMS Authentication
The flow begins with a new activity of typeACTIVITY_TYPE_INIT_OTP using the parent organization id with these parameters:
otpType: specify"OTP_TYPE_SMS"contact: user’s phone numberemailCustomization: optional parameters for customizing emailsuserIdentifier: optional parameter for rate limiting SMS OTP requests per user. We recommend generating this server-side based on the user’s IP address or public key. See the OTP Rate Limits section below for more details.alphanumeric: optional parameter for making this code bech32 alphanumeric or not. default: trueotpLength: optional parameter for selecting the length of the OTP. default: 9expirationSeconds: optional validity window (defaults to 5 minutes)
ACTIVITY_TYPE_VERIFY_OTP using the parent organization id which returns a verificationToken JWT:
otpId: ID from the init activityotpCode: the 6-9 digit or alphanumeric code received via emailexpirationSeconds: optional validity window (defaults to 1 hour)
ACTIVITY_TYPE_OTP_LOGIN using the sub orgazanition ID associated with the contact from the first step:
publicKey: public key to add to organization data associated with the signing key in IndexedDB or SecureStorage.verificationToken: JWT returned from successfullVERIFY_OTPactivityexpirationSeconds: optional validity window (defaults to 15 minutes)invalidateExisting: optional boolean to invalidate previous login sessions
Authorization
SMS authentication requires proper permissions through policies or parent organization status.Enabling/Disabling SMS Auth
For Top-level Organizations
SMS authentication is disabled by default. Enable it usingACTIVITY_TYPE_SET_ORGANIZATION_FEATURE:
For Sub-organizations
- SMS auth is enabled by default
- Disable during creation using
disableSmsAuth: truein theCreateSubOrganizationIntentV7activity - Disable after creation using
ACTIVITY_TYPE_REMOVE_ORGANIZATION_FEATUREwith feature nameFEATURE_NAME_SMS_AUTH
Implementation Notes
- Users are limited to 10 long-lived API keys and 10 expiring API keys
- When the expiring API key limit is reached, the oldest key is automatically discarded
OTP Rate Limits
In order to safeguard users, Turnkey enforces rate limits for OTP auth activities. If auserIdentifier parameter is provided, the following limits are enforced:
- 3 requests per 3 minutes per unique
userIdentifier - 3 retries max per code, after which point that code will be locked
- 3 active codes per user, each with a 5 minute TTL