Skip to main content
Sandbox
  • Identity
Available in
  • Germany,
  • Netherlands,
  • UK

Number Verification 2.0 (CAMARA)

2.1.0-rc.1

Number Verification 2.0 is Vodafone’s next-generation authentication mechanism, designed to deliver a seamless, secure, and low-friction user experience.

It leverages operating system-level integration with the operator’s entitlement server and token-based API authentication to verify a user's mobile number, without requiring manual input or SMS delivery.

This API follows the CAMARA standard specification.

Try it out

JWT Bearer Flow

To verify a mobile number using Number Verification 2.0, the implementing service must generate a JWT assertion that includes a TS.43-compliant temporary token. This JWT is used in a bearer token request to Vodafone’s authentication server.

Flow Summary

  1. The mobile device obtains a TS.43 token via SIM-based authentication. 
  2. The app sends this token to its backend. 
  3. The backend constructs an encoded and signed JWT with the TS.43 temporary token in the sub claim. 
  4. The JWT is sent as part of a bearer token request to Vodafone. 
  5. Vodafone validates the JWT and issues an operator access token. 
  6. The access token is used to call the /number-verification/v2 endpoint to retrieve or verify the mobile number.

For more details on the use of JWT Bearer as a means of requesting an OAuth access token, see RFC 7523 JSON Web Token (JWT) Profile for OAuth 2.0 Client Authentication and Authorization Grants.

JWT Header Structure

The following claims should be present in the JWT header:

Claim Description
kid The key ID is a hint indicating which key was used to secure the JWS.
typ The media type of this complete JWT.
alg The algorithm used to sign the JWT.

Example JWT Header

{
  "kid": "dmp-prod-kid",
  "typ": "JWT",
  "alg": "RS256"
}

JWT Payload Structure

The JWT must be signed and include the following claims:

Claim Description
sub Subject – must contain the TS.43 token.
aud Audience – the Vodafone API endpoint you are calling.
scope Scope value for the API end-point being called.
iss Issuer – identifies the entity issuing the JWT (e.g., your backend service).
iat Issued At – UNIX timestamp when the token was issued.
jti JWT ID – unique identifier for the token.

  

Example JWT Payload

{
  "sub": "sandbox_operator_token",
  "aud": "https://api-sandbox.vf-dmp.engineering.vodafone.com/oauth2/v2/token",
  "scope": "dpv:FraudPreventionAndDetection number-verification:device-phone-number:read",
  "iss": "JFmbgGigniCOKRPblruIvlMvIrBWSBj2807w20T62ROS5nmy",
  "iat": 1755525182,
  "jti": "2a1991e4-eb3a-4eb5-9913-52e97b0c8907"
}

Create JSON Request

Place the encoded and signed JWT into the assertion field within the JSON request body defined in the Number-Verification 2.0 API specification.

Example JSON request body:

{
  "grant_type": "urn:ietf:params:oauth:grant-type:jwt-bearer",
  "assertion": "eyJraWQiOiJkbXAtcHJvZC1raWQiLCJ0eXAiOiJKV1QiLCJhbGciOiJSUzI1NiJ9.eyJzdWIiOiJzYW5kYm94X29wZXJhd.."
}

Vodafone Developer Portal

Discover, try, and purchase our APIs to start building your own apps