verifykit / verifykit-sdk-php

Verifykit SDK for PHP
https://verifykit.com
MIT License

Whatsapp verification doesn't verify anything #14

Closed Zeynal7 closed 3 years ago

Zeynal7 commented 3 years ago

I don't send any number to the server and I don't get any number to verify that the user is the one that sent the message.

It is not possible to verify based on only the IP address.

For example, a user writes +123456789 and wants to verify this number. I send a request to the backend and get a WhatsApp URL, and open that URL for the user. The user can open this URL and send the message using any WhatsApp number he wants. He may open it using +123456789 or +987654321.

You should instead accept a phone number parameter when I want to start the verification process, and compare it with the phone number from which you received the message. If the phone numbers match, then it is verified. If not, you should inform the user that the number is not correct and cannot be verified.

Zeynal7 commented 3 years ago

Found that there is a result service that returns the number back. It should have been shown before starting the OTP explanation. And I believe that this kind of verification is still incorrect. You should get the number when I start the verification process (when I get the WhatsApp URL), so when the user sends the message, you can directly show that the user didn't send the message from the expected number. Instead the user gets a message saying that the number is verified. And I should be the one to handle the case afterwards and show an error, saying you didn't really verify anything, which might be a bad user experience.

Last Step: Complete Validation

This is where you will get your user's credentials such as phone number et cetera. You can complete the validation by sending the "session id" parameter of the validation here.

Example curl request:

```
curl --request POST 'https://api.verifykit.com/v1.0/result' \
--header 'X-Vfk-Server-Key: YOUR-SERVER-KEY' \
--header 'X-Vfk-Forwarded-For: END-USER-IP-ADDRESS' \
--header 'Content-Type: application/json' \
-d '{"sessionId":"SESSION-ID-OF-VALIDATION"}'
```

Example response body:

```json
{
    "meta": {
        "requestId": "REQUEST-ID",
        "httpStatusCode": 200
    },
    "result": {
        "validationType": "whatsapp",
        "validationDate": "Y-m-d H:i:s",
        "phoneNumber": "+9......",
        "countryCode": "TR"
    }
}
```
Zeynal7 commented 3 years ago

I am starting to understand how VerifyKit is meant to work. But it would be better to have an optional phone number parameter when I start verification, to compare with the sender. Because I might want to limit which phone numbers can be verified. For example, my app only accepts Azerbaijani phone numbers, therefore I have validation when the user enters their phone number. After the user enters their phone number, I ask them to choose the verification method. When they choose WhatsApp, they could send the message from a number that is not Azerbaijani. And then I should show an error to explain that the message was not sent from the expected number. VerifyKit, on the other hand, gets the WhatsApp message and returns which phone number was used to send it. I think it would be better to have the phone number parameter before the user sends any message.

gokhantunckale commented 3 years ago

Hi,

Thank you for your feedback. As you said, it is a good suggestion to take the phone number as a parameter when starting the verification steps and to compare it in the last step. However, this may not be suitable for everyone's business rules.

In WhatsApp verification, we guarantee that the phone number we provide in the last step is a real number used in WhatsApp.

If you want, you can get a phone number from your end-users, and after verification is complete, you can compare the phone number you received from VerifyKit with the phone number you originally received.

I hope we were able to help you. Feel free to contact us here or via the sdk@verifykit.com email address whenever you want.

Regards, VerifyKit Team
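One way to apply the comparison the reply above recommends, as an added example in PHP that is not the SDK's or VerifyKit's own code; the function names are hypothetical, and the response layout follows the example body quoted earlier in this thread:

```php
<?php
// Added example, not part of the VerifyKit SDK: it applies the check the
// VerifyKit reply recommends, comparing the number the user typed with the
// phoneNumber returned by POST /v1.0/result. Helper names are hypothetical;
// the response shape follows the example body quoted in this thread.
declare(strict_types=1);

/** Reduce a phone number to E.164 form: "+" followed by digits only. */
function normalizePhone(string $raw): ?string
{
    $digits = preg_replace('/[^0-9]/', '', $raw);
    // E.164 allows at most 15 digits; reject empty or implausible input.
    if ($digits === '' || strlen($digits) > 15) {
        return null;
    }
    return '+' . $digits;
}

/**
 * $resultBody is the decoded JSON from /v1.0/result, $claimed the number the
 * user entered, $allowedCountries an optional ISO country allow-list (['AZ']).
 * Returns ['ok' => bool, 'reason' => string] so the app can show its own error.
 */
function checkVerifiedNumber(array $resultBody, string $claimed, array $allowedCountries = []): array
{
    if (($resultBody['meta']['httpStatusCode'] ?? 0) !== 200
        || !isset($resultBody['result']['phoneNumber'])) {
        return ['ok' => false, 'reason' => 'validation_incomplete'];
    }
    $verified = normalizePhone((string) $resultBody['result']['phoneNumber']);
    $expected = normalizePhone($claimed);
    if ($verified === null || $expected === null) {
        return ['ok' => false, 'reason' => 'unparseable_number'];
    }
    if (!hash_equals($expected, $verified)) {
        // The WhatsApp message was sent from a number other than the one entered.
        return ['ok' => false, 'reason' => 'number_mismatch'];
    }
    $country = strtoupper((string) ($resultBody['result']['countryCode'] ?? ''));
    if ($allowedCountries !== [] && !in_array($country, $allowedCountries, true)) {
        return ['ok' => false, 'reason' => 'country_not_allowed'];
    }
    return ['ok' => true, 'reason' => 'verified'];
}

// Constructed sample: the user entered an Azerbaijani number, but the message
// reached VerifyKit from a different number.
$sample = ['meta' => ['requestId' => 'REQUEST-ID', 'httpStatusCode' => 200],
    'result' => ['validationType' => 'whatsapp', 'validationDate' => '2021-01-01 00:00:00',
        'phoneNumber' => '+987654321', 'countryCode' => 'TR']];
var_dump(checkVerifiedNumber($sample, '+994 50 123 45 67', ['AZ']));
```

The 'reason' value is what the app would map to its own error message, which is the hand-off the thread describes: VerifyKit attests the sending number, and the application decides whether that number is the one it expected.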

Zeynal7 commented 3 years ago

I understand your point. I only meant as an optional parameter.

If you have a phone number parameter when I start verification, then you can compare and send the WhatsApp response according to the result (if the numbers match, send a message that your number is verified; if not, send a message that there is a problem). Because otherwise users might get confused, because WhatsApp says it is verified and my app says it is not.

Anyway, VerifyKit is a great way to verify the number, so I will handle it on my end.