OTP Bypass Flow Documentation

This document outlines the OTP bypass flow in the front-end system, detailing the sequence of API calls and expected responses. It describes the process of fetching an OAuth token, initiating registration, and handling OTP bypass based on the 'next' parameter in the response. If the 'next' value is '/login', the user is directed to the MPIN entry screen, bypassing OTP verification, and upon successful MPIN authentication, the user is logged into the Dashboard.

Uploaded by Daniyal Shafiq

OTP Bypass Flow Documentation

Overview

This document explains the exact logic of the OTP bypass flow in the front-end (FE) system. It details the sequence of API calls, the expected responses, and how the bypass logic is handled.
Step 1: Fetch OAuth Token

URL:
https://api-gw.jazzcash.com.pk/jazzcash/app-catalog/rest/api/oauth-provider/oauth2/token

Method: POST (Response Code: 200)

Headers:
{
  "DIGITAL-SIGNATURE": "3a04a7625b5bfb28634c91fdd3c92ddcd3d89ef2e137ec19c9b8dd76bac41a0e",
  "X-HASH_VERSION": "v1",
  "Content-Type": "application/x-www-form-urlencoded",
  "Accept": "application/json"
}

Parameters:
client_id=ed3d867b397c167a97f904ac8ab72c7e&client_secret=475cb986dc1b74b15b31f29a85e3a568&grant_type=client_credentials&scope=user

Response:
{
  "consented_on": 1738431777,
  "scope": "user",
  "token_type": "Bearer",
  "access_token": "<ACCESS_TOKEN>",
  "expires_in": 3600
}

Step 2: Initiate Registration

The Init Registration process starts when the user enters a valid account number or mobile number.

URL:
https://api-gw.jazzcash.com.pk/jazzcash/app-catalog/rest/api/v1/registration/init

Method: POST (Response Code: 200)

Headers:
{
  "X-APP-TYPE": "IOS",
  "X-ENV": "debug",
  "X-DEVICE-TYPE": "ios",
  "X-DEVICE-MODEL": "iPhone17,1",
  "x-ip-address": "1.1.1.1",
  "X-device-make": "Apple",
  "mixpanelID": "$device:3F88A0D1-14F1-479B-9BB2-3C6D7D3D2E3B",
  "Content-Type": "application/json",
  "x-msisdn": "03359214651",
  "Authorization": "Bearer <ACCESS_TOKEN>",
  "X-APP-VERSION": "5.4.3.4",
  "X-DEVICE-MANUFACTURER": "Apple",
  "DIGITAL-SIGNATURE": "01a443d2c4b4093ade4b3d5c3a2ea5ec34b233fc41810eec4f511d002b7eb55f",
  "X-VERSION": "5.4.3.4",
  "X-device-id": "B7EAD88B-04F5-4050-8BF5-1C46F2D86240",
  "X-HASH_VERSION": "v1",
  "x-ibm-client-id": "ed3d867b397c167a97f904ac8ab72c7e",
  "x-channel": "consumerApp"
}

Parameters:
{
  "additionaldetails": {
    "key1": "",
    "key2": ""
  },
  "remarks": ""
}

Response:
{
  "success": true,
  "responseCode": "AM-REG-T88",
  "message_en": "The transaction completed successfully",
  "message_ur": "The transaction completed successfully",
  "data": {
    "msisdn": "923359214651",
    "isJazzCustomer": false,
    "CRMCall": true,
    "next": "/login",
    "deviceRegisterExpiryTS": "2024-05-23T15:52:20.177Z",
    "deviceRegisterTS": "2024-05-16T15:52:20.177Z",
    "currentDateTime": "2025-02-01T17:45:42.572Z"
  }
}

Step 3: Handling OTP Bypass

The key logic for OTP bypass lies in the next parameter of the response. The possible values for next are defined in the FE NextType enum:

enum NextType: String {
    case verifyOTP = "otp/verify"
    case verifyOTPUSSD = "ussd/otp/verify"
    case deviceRegister = "registration/device/register"
    case createMpin = "/mpin/create"
    case resetMpin = "/mpin/reset"
    case changeMpin = "/mpin/change"
    case login = "/login"
    case verifyOTPDoarmant = "dormant/otp/verify"
}

If next is /login, the OTP step is bypassed, and the user is taken directly to the MPIN entry screen.
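The routing decision described in Step 3, modelled in Python as an added example (this is not code from the page or from the JazzCash app; the screen names, the registration-window check and the reduced sample response are assumptions made for the example). It maps every next value from the NextType enum to a screen, fails closed on a missing or unlisted next value rather than defaulting to MPIN entry, and checks whether currentDateTime falls inside the deviceRegisterTS / deviceRegisterExpiryTS window that the same response carries. The FE only routes on next; whether OTP is actually required remains the server's decision, and the server has to keep enforcing it on the later oauth/token call, because nothing the client does with next can be relied on as a control.

```python
import json
from datetime import datetime, timezone

# Every 'next' value from the page's NextType enum, mapped to the FE screen it
# selects. The screen names are assumptions for this example, not the app's own.
NEXT_SCREENS = {
    "otp/verify": "OTPVerifyScreen",
    "ussd/otp/verify": "USSDOTPVerifyScreen",
    "registration/device/register": "DeviceRegisterScreen",
    "/mpin/create": "CreateMpinScreen",
    "/mpin/reset": "ResetMpinScreen",
    "/mpin/change": "ChangeMpinScreen",
    "/login": "MpinEntryScreen",  # OTP step skipped, straight to MPIN entry
    "dormant/otp/verify": "DormantOTPVerifyScreen",
}

# Constructed sample, reduced from the registration/init response shown on the page.
SAMPLE_INIT_RESPONSE = json.dumps({
    "success": True,
    "responseCode": "AM-REG-T88",
    "data": {
        "next": "/login",
        "deviceRegisterExpiryTS": "2024-05-23T15:52:20.177Z",
        "deviceRegisterTS": "2024-05-16T15:52:20.177Z",
        "currentDateTime": "2025-02-01T17:45:42.572Z",
    },
})


def _parse_ts(value: str) -> datetime:
    """Parse the ISO-8601 UTC timestamps used in the response ('...Z' suffix)."""
    return datetime.strptime(value, "%Y-%m-%dT%H:%M:%S.%fZ").replace(tzinfo=timezone.utc)


def route_after_init(response_json: str) -> str:
    """Pick the next FE screen from a registration/init response.

    Fails closed: anything other than success=true plus a 'next' value from the
    known enum raises, instead of silently landing the user on MPIN entry.
    """
    body = json.loads(response_json)
    if body.get("success") is not True:
        raise ValueError(f"init not successful: {body.get('responseCode')!r}")
    data = body.get("data")
    if not isinstance(data, dict):
        raise ValueError("init response has no data object")
    nxt = data.get("next")
    if not isinstance(nxt, str) or nxt not in NEXT_SCREENS:
        raise ValueError(f"unknown or missing next value: {nxt!r}")
    return NEXT_SCREENS[nxt]


def registration_window_open(response_json: str) -> bool:
    """Assumed consistency check: is currentDateTime inside the device
    registration window [deviceRegisterTS, deviceRegisterExpiryTS)?

    The page does not say how the FE uses these fields; this example treats a
    closed window as something to log and surface, not as a reason to reroute,
    since the server remains the authority on whether OTP is required.
    """
    data = json.loads(response_json)["data"]
    start = _parse_ts(data["deviceRegisterTS"])
    expiry = _parse_ts(data["deviceRegisterExpiryTS"])
    now = _parse_ts(data["currentDateTime"])
    return start <= now < expiry


if __name__ == "__main__":
    print("route:", route_after_init(SAMPLE_INIT_RESPONSE))
    print("device registration window open:", registration_window_open(SAMPLE_INIT_RESPONSE))
```

With the page's own timestamps the sample routes to MPIN entry while the registration window check returns False, which is the kind of inconsistency a FE should at least log and a backend reviewer would want to reconcile before relying on next alone.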
Step 4: MPIN Authentication and Login

After the MPIN is entered, the system calls the oauth/token API again, sending the client_id, client_secret, encrypted MPIN, and the other required parameters in the request body.

Upon a successful response, the user is logged into the Dashboard.


Conclusion

The OTP bypass mechanism relies on the value of the next parameter returned by the registration/init API. If next is /login, the user proceeds directly to the MPIN entry step, skipping OTP verification. After successful MPIN authentication, an access token is retrieved, and the user is logged in.
