
Commit

Update files/en-us/web/api/webotp_api/index.md
Co-authored-by: Dipika Bhattacharya <[email protected]>
chrisdavidmills and dipikabh authored Jul 20, 2023
1 parent dad508b commit a1cbafd
Showing 1 changed file with 1 addition and 1 deletion.
2 changes: 1 addition & 1 deletion files/en-us/web/api/webotp_api/index.md
Expand Up @@ -40,7 +40,7 @@ The process works like so:
1. At the point where phone number verification is required, an app client will ask a user to enter their phone number into a form, which is then submitted to the app server.
2. The app client then invokes {{domxref("CredentialsContainer.get", "navigator.credentials.get()")}} with an `otp` option specifying a `transport` type of `"sms"`. This triggers a request for an OTP from the underlying system, the source of which will be a [specially-formatted SMS message](#the_sms_message_format) (containing the OTP and the app's domain) received from the app server. The `get()` call is {{jsxref("Promise")}}-based and waits for the SMS message to be received.
3. The app server sends the SMS message to the specified phone number. This must be done just after Step 2 has occurred.
4. When the SMS is received on the device, provided it contains the app's domain the browser will ask the user if they consent to the OTP being retrieved/used. Chrome, for example, displays a dialog asking them for their permission to retrieve the OTP from the SMS; other browsers may handle it differently. If they do consent, the `get()` call will fulfill with an {{domxref("OTPCredential")}} object containing the OTP.
4. When the SMS is received on the device, provided it contains the app's domain, the browser will ask the user if they consent to the OTP being retrieved/used. Chrome, for example, displays a dialog asking them for their permission to retrieve the OTP from the SMS; other browsers may handle it differently. If they do consent, the `get()` call will fulfill with an {{domxref("OTPCredential")}} object containing the OTP.
5. You can then use the OTP in any way you wish. Typical usage would be to set it as the value of the validation form on the app client and then submit the form, making the process as seamless as possible.
6. The app server will then verify that the OTP sent back to it matches what it originally sent in the SMS and, if so, complete the process (for example, sign the user in).
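Review bot: Step 4, on the added line, documents only the consent path ("If they do consent, the `get()` call will fulfill with an {{domxref("OTPCredential")}} object containing the OTP"), so the reader is not told what happens to the pending `get()` promise when the user declines or when the SMS does not contain the app's domain. Since Step 2 says the call waits for the SMS, a sentence covering those outcomes would tell client authors what they need to handle. While this line is being edited, "retrieved/used" would read better as "retrieved and used", and "ask the user if they consent" as "ask the user whether they consent".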


0 comments on commit a1cbafd
