Getting started
Introduction
The SimSwap API provides the customer the ability to obtain information on any recent SIM pairing change related to the User's mobile account.
API Scope
The current API implementation is applicable to any mass-market masOrange, jazztel customers.
Subscribe to the API
You have to register your application on the Orange Developer Console and subscribe to it.
API Authentication
HTTPS requests to the REST API are protected with CIBA 3-Legged OAuth.
In short, the API Invoker (e.g. Application Backend or Aggregator) before to request SIM swap check, needs to request a Three-Legged Access Token from Orange Authorization Server. The process follows the OpenID Connect Client-Initiated Backchannel Authentication (CIBA) flow.
Step 1: request the OAuth authorization code from the Application Backend
The API Invoker provides in the authorization request (/bc_authorize) a login_hint with a valid User identifier together with the application credentials (client_assertion & client_assertion_type) and indicates the Purpose for processing Personal Data. The Orange implementation follows the CAMARA scope definition. The scope must be set to: opendid dpv:<dpvValue> <technicalParameter>
. dpv
stands for Data Privacy Vocabulary.
Note on JWT usage via client assertion: client_assertion
is a JWT used by a client to authenticate itself to an authorization server, while client_assertion_type
specifies the type of assertion being used, typically indicating it is a JWT. Together, they facilitate secure client authentication in OAuth 2.0 and OpenID Connect protocols. API consumer as to define JWK keystore in settings tab of the application in Orange Developer
For current implementation FraudPreventionAndDetection
dpv value is managed, which means that:
- to check the SIM Swap date the scope in the
bc-authorize
must be set toopenid dpv:FraudPreventionAndDetection sim-swap
- to get the latest SIM Swap date the scope in the
bc-authorize
must be set toopenid dpv:FraudPreventionAndDetection sim-swap
.
(NB : please note that current implementation only supports global scope "sim-swap").
Orange Authorization Server will check if the owner of the phone number did not opted-out to authorize access to this data. If this is not the case a response 200 is sent back with a authorization request identifier (auth_req_id
). If the resource owner or OpenID Provider denied the request an error 403 Forbidden is sent back.
Request:
curl -X POST \
'https://api.orange.com/es/openapi/oauth/v2/bc-authorize' \
--header 'Accept: */*' \
--header 'Content-Type: application/x-www-form-urlencoded' \
--data-urlencode 'login_hint=tel:+34654654654' \
--data-urlencode 'client_assertion_type=urn:ietf:params:oauth:client-assertion-type:jwt-bearer' \
--data-urlencode 'client_assertion=eyJhbGciOi...zif0Tjxzw' \
--data-urlencode 'scope=openid dpv:FraudPreventionAndDetection sim-swap'
Response:
200
Content-Type: application/json
{
"auth_req_id": "69957d77-...-b29f22e61307",
"expires_in": 120,
"interval": 2
}
Step 2: Request the OAuth access token
Once the client application gets the authorization code, the API Invoker polls the token endpoint by making an "HTTP POST" request by sending the grant_type (urn:openid:params:grant-type:ciba), auth_req_id (OperatorAuthReqId) and the the application credentials (client_assertion & client_assertion_type) parameters
If the transaction succeeds, in the POST
response, the acccess_token
is provided.
Request:
curl -X POST \
'https://api.orange.com/es/openapi/oauth/v2/token' \
--header 'Accept: */*' \
--header 'Content-Type: application/x-www-form-urlencoded' \
--data-urlencode 'client_assertion_type=urn:ietf:params:oauth:client-assertion-type:jwt-bearer' \
--data-urlencode 'client_assertion=eyJhbGciOi...zif0Tjxzw' \
--data-urlencode 'auth_req_id=69957d77-...-b29f22e61307' \
--data-urlencode 'grant_type=urn:openid:params:grant-type:ciba'
Response:
200
Content-Type: application/json
{
"access_token": "OFR_28FpNfX...7lwFAg3LR0vmHCOmJAg7Si",
"token_type": "Bearer",
"expires_in": 119,
}
Step 3: Access protected resources using OAuth access token
In order to call our API, the access_token
is mandatory.
Specific documentation about SIM swap resources is provided below.
API Description
Base URL
The Base URL is the first part of the full invocation URL, just before the resource paths defined in the API reference.
The Base URL is comprised of the scheme ('https'), the authority (i.e. the Fully Qualified Domain Name) and the API base path.
Whenever you request this API and encounter a 404 (Not Found) HTTP status code, please check first that the Base URL is correct.
The Base URL for this API is: https://api.orange.com/camara/oes/sim-swap/v1
The documentation below assumes that, whenever you make requests on this API, you are prepending the Base URL to the resource paths defined for this API.
Resources
This API has two resources which have their own parameters.
/retrieve-date (POST)
This service returns the timestamp of the most recent SIM card change, capturing the latest alteration between a specific mobile phone number and its corresponding SIM card unique identifier (IMSI).
Request
Parameter | Description | Usage | Location | Type |
---|---|---|---|---|
phoneNumber | Subscriber number in E.164 format (starting with country code). Optionally prefixed with '+'. | Mandatory | body | String |
As an example:
curl
--request POST \
--header 'Authorization: Bearer *****' \
--header 'Content-type:application/json' \
--data '{"phoneNumber": "+34654654654"}'
'https://api.orange.com/camara/oes/sim-swap/v1/retrieve-date'
Response
a/ If the transaction succeeds
On success, the SimSwap API returns a 200 OK HTTP status code with JSON data including the 'latestSimChange' property with information about SIM swap change.
Parameters | Description | Usage | Location | Type |
---|---|---|---|---|
latestSimChange | Timestamp of latest SIM swap performed, following RFC 3339 in UTC format. | Mandatory | body | String |
As an example:
HTTP/1.1 200 OK
{
"latestSimChange": "2023-09-05T13:57:55.707Z"
}
b/ If the transaction fails
Please visit the common error responses section in this page.
/check (POST)
Checks if SIM swap has been performed during a past period.
Request
Parameter | Description | Usage | Location | Type |
---|---|---|---|---|
phoneNumber | Subscriber number in E.164 format (starting with country code). Optionally prefixed with '+'. | Mandatory | body | String |
maxAge | Period in hours to be checked for SIM swap. | Mandatory | body | integer |
As an example:
curl
--request POST \
--header 'Authorization: Bearer *****' \
--header 'Content-type:application/json' \
--data '{"phoneNumber": "+34654654654","maxAge": 240}'
'https://api.orange.com/camara/oes/sim-swap/v1/check'
Response
a/ If the transaction succeeds
On success, the SimSwap API returns a 200 OK HTTP status code with JSON data including the 'swapped' property indicating if SIM swap has been performed during the period.
Parameters | Description | Usage | Location | Type |
---|---|---|---|---|
swapped | Indicates whether the SIM card has been swapped during the period within the provided age. | Mandatory | body | boolean |
As an example:
HTTP/1.1 200 OK
X-Orange-Trace-Id: 428fe874f806e88e243f73c730103279531ed1e1
{
"swapped": true
}
b/ If the transaction fails
Please visit the common error responses section in this page.
Common error responses
In case of error, the SimSwap API returns an error response (JSON format) with the following information:
Parameters | Description | Usage | Location | Type |
---|---|---|---|---|
status | HTTP response status code | Mandatory | body | integer |
code | Code given to this error | Mandatory | body | String |
message | Detailed error description | Mandatory | body | integer |
This is compliant with CAMARA Project specifications, which can be read here. Below is a list of possible error responses.
Problem with the client request:
HTTP/1.1 400 Bad Request
Content-Type: application/json
{
"status": 400,
"code": "INVALID_ARGUMENT",
"message": "Client specified an invalid argument, request body or query param"
}
Authentication problem with the client request:
HTTP/1.1 401 Unauthorized
Content-Type: application/json
{
"status": 401,
"code": "UNAUTHENTICATED",
"message": "Request not authenticated due to missing, invalid, or expired credentials"
}
Client is authenticated correctly but does not have sufficient permissions:
HTTP/1.1 403 Forbidden
Content-Type: application/json
{
"status": 403,
"code": "PERMISSION_DENIED",
"message": "Client does not have sufficient permissions to perform this action"
}
Resource not found (it can be an error in the pathsuffix of the URL, or an unknown phone number):
HTTP/1.1 404 Not Found
Content-Type: application/json
{
"status": 404,
"code": "NOT_FOUND",
"message": "The specified resource is not found."
}
The URL of the request is right but it has been made with a method (HTTP verb) not allowed:
HTTP/1.1 405 Method Not Allowed
Content-Type: application/json
{
"status": 405,
"code": "METHOD_NOT_ALLOWED",
"message": "The requested method is not allowed/supported on the target resource."
}
There is another request created for the same MSISDN:
HTTP/1.1 409 Conflict
Content-Type: application/json
{
"status": 409,
"code": "CONFLICT",
"message": "Another request is created for the same MSISDN"
}
Exceeded requests per hour/minute limit:
HTTP/1.1 429 Too Many Requests
Content-Type: application/json
{
"status": 429,
"code": "TOO_MANY_REQUESTS",
"message": "Either out of resource quota or reaching rate limiting."
}
Generic internal server error (also used by default if the error doesn't fit any of the ones detailed in this section):
HTTP/1.1 500 Internal Server Error
Content-Type: application/json
{
"status": 500,
"code": "INTERNAL",
"message": "Server error"
}
Service temporarily unavailable or host not reached:
HTTP/1.1 503 Service Unavailable
Content-Type: application/json
{
"status": 503,
"code": "UNAVAILABLE",
"message": "Service unavailable"
}
Request time limit exceeded:
HTTP/1.1 504 Gateway Timeout
Content-Type: application/json
{
"status": 504,
"code": "TIMEOUT",
"message": "Request timeout exceeded. Try later"
}
History of document
Version of the document | modification date | description of modifications |
---|---|---|
0.4.0 | 19/02/2025 | First version described by Orange CAMARA APIs team |
1.0.0 | 27/08/2025 | Update authentication part and path to be compliant with CAMARA v1 version of the API |