Developer Docs
Table of contents
2FA API
BSG 2FA API is a RESTful API for two-factor user authentication on a website or web application: you can use it to confirm a transaction, and user contact information, as a second factor in user authentication, and more.
BSG 2FA API provides a choice of channel for sending a one-time password (OTP) to a user: SMS or Viber. Connect the channel you need in your personal account on the “Settings” page of the “2FA” section and start working with the BSG 2FA API.
Please note: 2FA API is not available for use in DEMO and TEST account modes (modes in which your account data is not verified).
Make sure that you have entered all the necessary data in your account settings in order to use the 2FA service.
Available HTTP Methods
- Send a one-time password;
- Resend the one-time code;
- Check the one-time Code;
- Cancel the authentication session;
- Check authentication status;
- Get a list of authentication sessions.
Send One-time password
This API call is used to generate and send a one-time password to a user in an SMS or Viber message. Please note: authentication of recipients who are in the SMS or Viber stop list in your contact book is not possible using the corresponding method. (That is, if the recipient is in the SMS stop list, then when requesting authentication using the SMS method, the one-time password will not be sent, and you will receive an error in response).
To send One-time password make a request to this URL:
| POST https://one-api.bsg.world/api/2fa/authentications/otp |
Request parameters
| Parameter | Requires | Type | Default | Description |
| channel | Yes | string | No | A channel for sending a one-time password. Possible values: “SMS”, “Viber”. |
| sender | Yes | string | No | Sender’s name:from 3 to 11 characters for the sender’s alphanumeric name (Latin letters, symbols, numbers, spaces);3 to 15 characters for the sender’s numeric name. |
| recipient | Yes | integer | No | The phone number of the recipient of the one-time password. 9 to 15 digits without the + sign. 3 to 15 characters for the sender’s numeric name. |
| message_text | Yes | string | No | Message text. Must necessarily include a variable for the password in the form — {code}. When a message is sent, the variable is replaced with a one-time password.The maximum length of the message text, including the number of characters for the password:For SMS: up to 70 characters for Cyrillic, up to 160 characters for Latin;For Viber: up to 1000 characters. |
| code_digits | Yes | integer | No | The length of the numeric code, from 3 to 9 digits. |
| code_lifetime | Yes | integer | No | The password expiration time after which the password becomes invalid. An integer from 30 seconds to 300 seconds. |
| code_max_tries | Yes | integer | No | The number of password verification attempts.An integer from 1 to 5. |
| sender_alt | No | string | No | Used only for the Viber channel to alternatively send a one-time code in SMS (if it was not possible to send the code in a Viber message, for example, if the recipient is not a Viber user).The name or number of the SMS sender. String up to 15 characters:from 3 to 11 characters for the sender’s alphanumeric name (Latin letters, symbols, numbers, spaces);3 to 15 characters for the sender’s numeric name. |
| message_alt_text | No | string | No | The text of the SMS message. Must necessarily include a variable for the password in the form — {code}. The variable will be replaced with a one-time password when the message is sent.Maximum message length, including the number of characters for the code:for Cyrillic – 70 characters;for Latin – 160.This parameter is set only if Viber is selected as the channel for sending the code.Used to alternatively send a one-time password in an SMS message (if it was not possible to send the password in a Viber message, for example, if the recipient is not a Viber user). |
Request example
{
"recipient": "61401629754",
"channel": "string",
"sender": "SENDER",
"sender_alt": "SENDER_ALT",
"message_text": "Your verification code: {code}",
"message_alt_text": "Your alternative code: {code}",
"code_lifetime": 300,
"code_max_tries": 3,
"code_digits": 5
}Response parameters
| Parameter | Type | Description |
| id | string | The ID of the generated authentication. |
| recipient | string | Number of the recipient of the message with a one-time code. |
| status | string | Authentication status. Possible values: pending (authentication session successfully created and pending). |
| channel | string | Authentication channel selected for sending the one-time code |
| sender | string | Sender name. |
| sender_alt | string/null | SMS sender name. |
| message_text | string | Message text. |
| message_alt_text | string/null | The text for the SMS. |
| code_lifetime | integer | OTP expiration date. |
| code_max_tries | integer | The number of OTP check attempts. |
| code_digits | integer | The number of digits in the OTP. |
| price | float | Authentication cost. At the time of creating the authentication, 0 is indicated. |
| currency | string | The three-letter code of the currency in which the value is indicated. Corresponds to the user’s account currency. |
| country_code | string | The country code of the recipient of the one-time password according to the ISO 3166-1 alpha-2 standard. |
| expired_at | string | Date and time when the authentication expires in ISO 8601 format. |
| created_at | string | The date and time of the authentication session were created in ISO 8601 format. |
| finished_at | null | Date and time when the authentication session was closed. At the time of creating the authentication, the value “null” is indicated. |
Response example
Response in case of successful request:
{
"data": {
"id": "bf4381c8-9d4a-4705-bd28-f89a830b7f96",
"recipient": "380979965073",
"status": "pending",
"channel": "sms",
"sender": "SENDER",
"sender_alt": "SENDER_ALT",
"message_text": "Your verification code: {code}",
"message_alt_text": "Your alternative code: {code}",
"code_lifetime": 300,
"code_max_tries": 3,
"code_digits": 5,
"price": "0,02",
"currency": "USD",
"country_code": "UA",
"expired_at": "2023-01-04 18:37:06",
"created_at": "2023-01-04 17:37:06"
"finished_at": "2023-01-04 17:37:06"
}
}
Resend the one-time code
Used to resend the one-time password to the recipient: a new one-time password is generated and sent in the message, and the previous one becomes invalid. When resending, already saved data is used to generate the OTP from the request https://one-api.bsg.world/api/2fa/authentications/otp
This API call is available only if the current authentication is not completed before its expiration date (the authentication validity period is specified in each 2FA API response).
To resend the one-time code send request to this URL:
| POST https://one-api.bsg.world/api/2fa/authentications/otp/{id}/resend |
Request parameters
| Parameter | Requires | Type | Default | Description |
| id | Yes | string | No | Authentication ID received in response to https://one-api.bsg.world/api/2fa/authentications/otp The maximum length is 36 characters. |
Response parameters
| Parameter | Type | Description |
| id | string | The ID of the generated authentication. |
| recipient | string | Number of the recipient of the message with a one-time code. |
| status | string | Authentication status. Possible values: pending (authentication session successfully created and pending). |
| channel | string | Authentication channel selected for sending the one-time code |
| sender | string | Sender name. |
| sender_alt | string/null | SMS sender name. |
| message_text | string | Message text. |
| message_alt_text | string/null | The text for the SMS. |
| code_lifetime | integer | OTP expiration date. |
| code_max_tries | integer | The number of OTP check attempts. |
| code_digits | integer | The number of digits in the OTP. |
| price | float | Authentication cost. At the time of creating the authentication, 0 is indicated. |
| currency | string | The three-letter code of the currency in which the value is indicated. Corresponds to the user’s account currency. |
| country_code | string | The country code of the recipient of the one-time password according to the ISO 3166-1 alpha-2 standard. |
| expired_at | string | Date and time when the authentication expires in ISO 8601 format. |
| created_at | string | The date and time of the authentication session were created in ISO 8601 format. |
| finished_at | null | Date and time when the authentication session was closed. At the time of creating the authentication, the value “null” is indicated. |
Response example
Response in case of successful request:
{
"data": {
"id": "bf4381c8-9d4a-4705-bd28-f89a830b7f96",
"recipient": "380979965073",
"status": "pending",
"channel": "sms",
"sender": "SENDER",
"sender_alt": "SENDER_ALT",
"message_text": "Your verification code: {code}",
"message_alt_text": "Your alternative code: {code}",
"code_lifetime": 300,
"code_max_tries": 3,
"code_digits": 5,
"price": "0,02",
"currency": "USD",
"country_code": "UA",
"expired_at": "2023-01-04 18:37:06",
"created_at": "2023-01-04 17:37:06"
"finished_at": "2023-01-04 17:37:06"
}
}
Check one-time Code
The API call is used to verify that the one-time password you received from the user matches the one sent by BSG.
To Check one-time Code send request to this URL:
| POST https://one-api.bsg.world/api/2fa/authentications/otp/{id}/verify |
Request parameters
| Parameter | Requires | Type | Default | Description |
| id | Yes | string | No | Authentication ID received in response to https://one-api.bsg.world/api/2fa/authentications/otp The maximum length is 36 characters. |
| access_code | Yes | integer | No | The one-time password received by the user through the specified channel or alternative channel (optional) in the generation request that needs to be validated.An integer from 3 to 9 digits. |
Response parameters
An example of a response if the code is incorrect:
{
"errors": [
{
"message": "The code does not match the expected value"
}
]
}If the one-time code is correct:
| Parameter | Type | Description |
| id | string | The ID of the generated authentication. |
| recipient | string | Number of the recipient of the message with a one-time password. |
| status | string | Authentication status. Possible values: verified (the code was successfully verified, and the session was closed with a successful result). |
| channel | string | Channel for authentication. |
| sender | string | Sender name. |
| sender_alt | string | SMS sender name. |
| message_text | string | Message text. |
| message_alt_text | string | The text for the SMS. |
| code_lifetime | integer | OTP expiration date. |
| code_max_tries | integer | The number of OTP check attempts. |
| code_digits | integer | The number of digits in the OTP. |
| price | float | Authentication cost (excluding the cost of sent messages). |
| currency | string | The three-letter code of the currency in which the value is indicated. Corresponds to the user’s account currency. |
| country_code | string | Receiver’s country code according to ISO 3166-1 alpha-2. |
| expired_at | string | Date and time when the authentication session expires in ISO 8601 format. |
| created_at | string | The date and time of the authentication session were created in ISO 8601 format. |
| finished_at | string | Date and time when the authentication session was closed in ISO 8601 format. |
Response example
{
"data": {
"id": "bf4381c8-9d4a-4705-bd28-f89a830b7f96",
"recipient": "380979965073",
"status": "pending",
"channel": "sms",
"sender": "SENDER",
"sender_alt": "SENDER_ALT",
"message_text": "Your verification code: {code}",
"message_alt_text": "Your alternative code: {code}",
"code_lifetime": 300,
"code_max_tries": 3,
"code_digits": 5,
"price": "0,02",
"currency": "USD",
"country_code": "UA",
"expired_at": "2023-01-04 18:37:06",
"created_at": "2023-01-04 17:37:06"
"finished_at": "2023-01-04 17:37:06"
}
}
Cancel the authentication session
Used to cancel the authentication process. In this case, authentication must be in the Pending status.
To cancel the authentication session send request to this URL:
| POST https://one-api.bsg.world/api/2fa/authentications/{id}/cancel |
Request parameters
| Parameters | Requires | Type | Default | Description |
| id | Yes | string | No | Authentication ID received in response to https://one-api.bsg.world/api/2fa/authentications/otp The maximum length is 36 characters. |
Response parameters
| Parameter | Type | Description |
| id | string | The ID of the generated authentication. |
| recipient | string | Number of the recipient of the message with the OTP code. |
| status | string | Authentication status. Possible values: canceled. |
| channel | string | Channel for authentication. |
| sender | string | Sender’s name. |
| sender_alt | string | Alternate SMS sender name |
| message_text | string | Message text. |
| message_alt_text | string | Alternative text for SMS message |
| code_lifetime | integer | OTP expiration date. |
| code_max_tries | integer | The number of OTP check attempts. |
| code_digits | integer | The number of digits in the OTP. |
| price | float | Authentication session cost. If authentication is canceled, the cost will be 0. |
| currency | string | The three-letter code of the currency in which the cost is indicated. |
| country_code | string | Receiver’s country code according to ISO 3166-1 alpha-2. |
| expired_at | string | Date and time when the authentication session expires in ISO 8601 format. |
| created_at | string | The date and time of the authentication session was created in ISO 8601 format. |
| finished_at | string | Date and time when the authentication session was closed in ISO 8601 format. |
Response example
Response in case of successful request:
{
"data": {
"id": "bf4381c8-9d4a-4705-bd28-f89a830b7f96",
"recipient": "380979965073",
"status": "canceled",
"channel": "sms",
"sender": "SENDER",
"sender_alt": "SENDER_ALT",
"message_text": "Your verification code: {code}",
"message_alt_text": "Your alternative code: {code}",
"code_lifetime": 300,
"code_max_tries": 3,
"code_digits": 5,
"price": "0,02",
"currency": "USD",
"country_code": "UA",
"expired_at": "2023-01-04 18:37:06",
"created_at": "2023-01-04 17:37:06"
"finished_at": "2023-01-04 17:37:06"
}
}
Check authentication status
Use to get information about the current authentication status by specifying its identifier.
To check authentication status send request to this URL:
| GET https://one-api.bsg.world/api/2fa/authentications/{id} |
Request parameters
| Parameter | Requires | Type | Default | Description |
| id | Yes | string | No | Authentication ID received in response to https://one-api.bsg.world/api/2fa/authentications/otp. The maximum length is 36 characters. |
Response parameters
| Parameter | Type | Description |
| id | string | Authentication ID created at the request of the user. |
| recipient | string | OTP message recipient number (specified by the user in the authentication request) |
| status | string | Authentication status. Possible values:pending – authentication has been created and is in the pending state;verified – authentication successful (code successfully verified);expired – authentication has expired;failed – authentication failed;canceled – authentication has been canceled. |
| channel | string | Authentication channel. Possible values: SMS, Viber. |
| sender | string | The name of the sender (specified by the user in the authentication request). |
| sender_alt | string | Alternative sender name for sending SMS (specified by the user in the authentication request). |
| message_text | string | Message text (specified by the user in the authentication request). |
| message_alt_text | string | Alternate text for the message (specified by the user in the authentication request). |
| code_lifetime | integer | OTP expiration date (specified by the user in the authentication request). |
| code_max_tries | integer | Number of OTP verification attempts (specified by the user in the authentication request). |
| code_digits | integer | The number of digits in the OTP (specified by the user in the authentication request). |
| price | string | Authentication cost (excluding the cost of sent messages). The amount must be displayed with 7 decimal places. |
| currency | string | The three-letter code of the currency in which the value is indicated. |
| country_code | string | Receiver’s country code according to ISO 3166-1 alpha-2. |
| expired_at | string | The expiration date of the authentication session. |
| created_at | string | The date and time of the authentication were created in ISO 8601 format. |
| finished_at | string | Date and time when authentication was closed in ISO 8601 format. |
| messages | array | Array of message objects: |
| messages[]id | string | The unique ID of the message. |
| messages[]recipient | string | The recipient’s phone number. |
| messages[]status | string | Message status. Possible values:delivered – the message was sent;accepted – message accepted for sending;undelivered – the message was not delivered. |
| messages[]channel | string | The channel for sending the message. Possible values: SMS or Viber. |
| messages[]sender | string | The name of the sender of the message. |
| messages[]text | string | Message text. |
| messages[]price | float | Message cost. |
| messages[]currency | string | The three-letter code of the currency in which the value is indicated. |
| messages[]sent_at | string | The date and time of the message were sent in ISO 8601 format. |
| messages[]created_at | string | The date and time the message was created in ISO 8601 format. |
Response example
Response in case of successful request:
{
"data": {
"id": "ea5db413-e368-4952-b745-cc2030210c49",
"recipient": "380501403813",
"status": "verified",
"channel": "sms",
"sender": "testsms",
"sender_alt": "string",
"message_text": "Your BSG 2FA confirmation code is {code}. Do not share this with anyone else.",
"message_alt_text": "string",
"code_lifetime": 30,
"code_max_tries": 5,
"code_digits": 6,
"price": 50.25,
"currency": "EUR",
"country_code": "FR",
"expired_at": "2022-04-28 14:21:16",
"created_at": "2022-04-28 14:21:16",
"updated_at": "2022-04-28 14:21:16",
"finished_at": "2022-04-28 14:21:16",
"messages": [
{
"id": "1ed32701-5d4f-6cfa-ba06-9db3aa8bab68",
"recipient": "61401629754",
"status": "accepted",
"channel": "sms",
"sender": "SENDER",
"text": "Your verification code: {code}",
"price": 0.0642918,
"currency": "EUR",
"sent_at": "2022-04-18 11:00:30",
"created_at": "2022-04-18 10:55:35"
}
]
}
}
Get a list of authentication sessions
Use to get a list of authentications for a period.
To get a list of authentication sessions make a request to this URL:
| GET https://one-api.bsg.world/api/2fa/authentications |
Request parameters
| Parameter | Requires | Type | Default | Description |
| page[offset] | No | integer | 0 | Get auths starting at offset. |
| page[limit] | No | integer | 10 | The number of authentications in the response. Possible values are from 10 to 500. |
| filter[from] | Yes | string | Period start date (date and time when the authentication session was created) in ISO 8601 format. | |
| filter[to] | Yes | string | End date of the period (date and time when the authentication was created) in ISO 8601 format. | |
| filter[ids] | No | string | Authentication ID. The maximum number is 3. | |
| filter[status] | No | string | Possible values: “pending”, “verified”, “expired”, “failed”, “canceled”. | |
| filter[channel] | No | string | Possible values: “SMS”, “Viber”. | |
| filter[recipient] | No | string | The phone number to which you want to send the OTP code. 9 to 15 digits. | |
| filter[country_code] | No | string | Beneficiary country code according to ISO 3166-1 alpha-2 | |
| way | No | string | asc | Sort options: asc, desc |
| sort | No | string | created_at | Sort by: id, status, channel, recipient, created_at, finished_at, country_code. |
Response parameters
| Parameter | Type | Description |
| list | array | An array of authentication objects. |
| list[]id | string | The ID of the generated authentication. |
| list[]recipient | string | Number of the recipient of the message with the OTP code. |
| list[]status | string | Authentication status. Possible values:pending – authentication has been created and is in the pending state;verified – authentication successful (one-time password successfully verified);expired – authentication has expired;failed – authentication failed;canceled – authentication has been canceled. |
| list[]channel | string | Channel for authentication. |
| list[]sender | string | Sender’s name. |
| list[]sender_alt | string | Alternative sender name for SMS. |
| list[]message_text | string | Message text. |
| list[]message_alt_text | string | Alternative text for the SMS message. |
| list[]code_lifetime | integer | The expiration date of the one-time password. |
| list[]code_max_tries | integer | The number of attempts to verify the one-time password. |
| list[]code_digits | integer | The number of digits in the one-time password. |
| list[]price | float | Authentication session cost. |
| list[]currency | string | The three-letter code of the currency in which the authentication cost is indicated. |
| list[]country_code | string | Receiver’s country code according to ISO 3166-1 alpha-2. |
| list[]expired_at | string | The expiration date of the authentication in ISO 8601 format. |
| list[]created_at | string | The date and time of the authentication was created in ISO 8601 format. |
| list[]finished_at | string | Date and time when authentication was closed in ISO 8601 format. |
| list[]messages | array | Array of message objects: |
| list[]messages[]id | string | The unique ID of the message. |
| list[]messages[]recipient | string | The recipient’s phone number. |
| list[]messages[]status | string | Message status. Possible values:delivered – the message was sent;accepted – message accepted for sending;undelivered – the message was not delivered. |
| list[]messages[]sender | string | The name of the sender of the message. |
| list[]messages[]text | string | Message text. |
| list[]messages[]price | float | Message cost. |
| list[]messages[]currency | string | Currency of the account in which the cost is indicated. Corresponds to the user’s account currency. |
| list[]messages[]sent_at | string | The date and time of the message was sent in ISO 8601 format. |
| list[]messages[]created_at | string | The date and time the message was created in ISO 8601 format. |
| total | integer | The total number of authentications. |
Response example
Response in case of successful request:
{
"data": {
"list": [
{
"id": "ea5db413-e368-4952-b745-cc2030210c49",
"recipient": "380501403813",
"status": "verified",
"channel": "sms",
"sender": "testsms",
"sender_alt": "string",
"message_text": "Your BSG 2FA confirmation code is {code}. Do not share this with anyone else.",
"message_alt_text": "string",
"code_lifetime": 30,
"code_max_tries": 5,
"code_digits": 6,
"price": 50.25,
"currency": "EUR",
"country_code": "FR",
"expired_at": "2022-04-28 14:21:16",
"created_at": "2022-04-28 14:21:16",
"updated_at": "2022-04-28 14:21:16",
"finished_at": "2022-04-28 14:21:16",
"messages": [
{
"id": "1ed32701-5d4f-6cfa-ba06-9db3aa8bab68",
"recipient": "61401629754",
"status": "accepted",
"channel": "sms",
"sender": "SENDER",
"text": "Your verification code: {code}",
"price": 0.0642918,
"currency": "EUR",
"sent_at": "2022-04-18 11:00:30",
"created_at": "2022-04-18 10:55:35"
}
]
},
"total": 100
}
}
2FA errors:
One API errors responses:
1.1. Access code expired
1.2. Access code not found
1.3. Authentication canceled status
1.4. Authentication expired
1.5. Authentication failed status
1.6. Authentication invalid status
1.7. Authentication limit with status pending
1.8. Total authentication limit
1.9. Authentication verifying attempts limit
1.10. Authentication not found
1.11. Authentication price not found
1.12. Insufficient funds
1.13. Recipient exists on the stop list
1.14. Authentication channel inactive
1.15. Authentication channel not found
{
"errors": [
{
"message": "ERROR_MESSAGE_1"
}
]
}2. OneAPI validation errors:
{
"message": "The given data was invalid.",
"errors": {
"<FIELD_1>": [
"<VALIDATION_ERROR_1>"
], ...
"<FIELD_N>": [
"<VALIDATION_ERROR_N>"
]
}
}3. OneAPI to 2FA integration errors:
3.1. Raw error 2FA Service response is empty.
3.2. Raw error 2FA Service response has an incorrect content.
3.3. Error 2FA Service response is empty.
3.4. Error 2FA Service response structure is incorrect.
3.5. 2FA Service getting error response error.
3.6. 2FA Service getting successful response error.
3.7. 2FA Service getting response error.
3.8. 2FA Service error.
3.9. 2FA Service getting error response error.
3.10. 2FA Service getting successful response error.
3.11. 2FA Service getting response error.
{
"message": "<ERROR_MESSAGE>",
"errors": [
...
]
}