Frequently Asked Questions about multichannel messaging and mobile identity
API stands for Application Programming Interface. In basic terms it is something that allows applications to talk to each other through one interface. This I done using applications like Mobile Connect. In this case the API is called through the internet connection and can then be used for any other application. This could be a mobile phone that is connected to the internet or a website.
Put simply, Representational State Transfer (REST) is a way that different computers or systems talk to each other on the internet. REST API uses this architecture to deliver good performance and rapid communication between systems.
If your application is internet-enabled you can use Mobile connect. To use it you must have an internet browser and that is connected to Mobile Connect. This is known as the Identity Gateway and is where the user logs in with their individual network operator.
If you are a developer we recommend that you go on to your developer portal and access the SDK. If you are developing an application but do not have an SDK then we recommend that you use Mobile Connect’s REST API. In your developer portal there are guides showing how to use APIs, how they work and their applications, and an API reference is supplied. For more information on how to use the APIs check Mobile Connect’s test applications.
First of all the user much use Mobile Connect to allow your application access, at which point the network operator will provide a PCR (pseudo-anonymous customer reference), this is unique to the user and maintains the privacy of their personal data. This PCR comes via the operators Identity Gateway and will remain constant for the user on your application.
The user’s MSISDN will be used enabling the user to be recognized by your system as either a new or returning user.
If the user already has an account this can be paired to your application using the PCR, so that the user can easily log in next time they access the app.
Once the Mobile Connect user enables access to your application a PCR is provided. This Pseudo Anonymous Customer Reference maintains the user’s privacy and provides a unique identifier. The PCR or MSISDN is always the same for the application enabling easy login for new and returning customers.
If you receive a new PCR then this will be a new user and you can, within your application, then create all of the user settings as required.
To obtain an API key you simply need to create your account on the developer portal. Once you have created at least one application, the applications will all receive their own API key. As soon as you are ready and you are going to go live contact the mobile operator who have users you wish to access.
At the present time the mobile connect authentication service is quite simple, although this may become more sophisticated over time.
Once they have completed their authentication process the operator will provide a Pseudo-anonymous Customer Reference (PCR). This will provide a unique identifier without revealing the user’s personal data.
Some operators have already begun to offer extra services and they should be contacted directly for information about the additional functionality they are providing.
Although the service may be used on any device that is connected to the internet, the user must have a device with a SIM in order for authentication to be possible. The Mobile Connect account is directly linked to the SIM card which is provided and managed by the network operator.
API Credentials are essential because they allow the user to see what or who is initiating the request to Mobile Connect. The credentials are unique to your applications and they also allow the operator to see where the request is originating from The operator’s identity gateway will then use the API to give the relevant authentication for your request, apply any operator policies relating to access and also guard against potentially fraudulent access.
For security reasons it is best that any API request comes from the server side. This is the case for either iOS or Android applications. Using things like iCloud keychain, and code obfuscation should be utilized in order to obscure any API calls you may make at the client’s location.
That said, sometimes an API call must be placed from within the client’s environment. An example of this is the Discovery API request or making a call as part of the API authorization process with Mobile Connect. However, the secret part of the process should be done via the service.
You should also ensure that any of your code, either client or server side that will be making API calls uses SSL certificate checks. This is help prevent outside attacks if the WiFi network is note secure.
GDPR (General Data Protection Regulation) must be considered if the service provider (you) use Mobile Connect for an end user who is either a citizen of the EEA (EU) or who has subscribed to an EEA based network operator. MSISDN is considered personal data and so therefore it must not be transferred outside of the EEA. This can happen in practice simply because there are so many data centers globally and these provide the Discovery Service. Of course some of these are located in regions outside the EEA in order to serve users in those areas. To invoke Discover you need to use the eu.discovery.messaggio.com URL which will ensure that all data is sent to and processed at a center within the EU.
The European Economic Area (EEA) consists of all the EU member states along with Iceland, Lichtenstein and Norway.
Mobile Connect was designed for use by commercial services but you need to be aware that mobile operators often have policies regarding what services they will allow to be used with Mobile Connect. You will need to check with each mobile operator and consult their terms & conditions to establish what their particular rules are. You may find it useful to contact the operator direct to discuss your application.
As a general rule Mobile Connect use will not be permitted for any services that may be considered forbidden, illegal and immoral in the home country of the user.
This depends on the operator as each network independently develops its commercial model, pricing and terms for the use of Mobile Connect. You will need to read and agree to each operator’s own terms and conditions.
That said, Mobile Connect is delivered worldwide through a multitude of network operators and some will allow the use of Mobile Connect Authenticate without charge.
For those operators not using these standard terms and condition, either for Mobile Connect Authenticate, or any other Mobile Connect services just contact the network operators. Check out the Operators page to find their contact information.
In order to avoid issues for the users, traffic levels for all applications and services are monitored and limitations may be imposed. An Operator may have its own rules for service limitations so you would need to refer to their terms and conditions.