Purchase Restore and SMS Authentication
To support cross-device access to paid content, AppInChina provides a secure authentication system based on SMS verification. This system allows customers to log in across multiple devices while preserving their purchase history. It also enforces a maximum number of simultaneously active sessions per customer.
Using SMS login and token-based authentication, your app can reliably identify returning users and restore previous purchases securely.
If you’re deciding what to use for customerIdentity (regardless of your login provider), start with: Login → Payments integration (customer identity).
1. Authentication flow
1.1 On app launch
- Check for a stored token on the device.
- If a token exists:
- Call
GET /checkAuth.jsonto confirm its validity. - If valid, skip login and proceed to the main app.
- If invalid, proceed to the login screen.
- Call
- If no token exists, display the login screen.
1.2 Login flow
- Display a login screen prompting the user to enter their mobile number.
- Use
GET /sms.jsonto request a verification code. - Show a verification code input screen.
- Authenticate the user using
POST /auth.json. - Store the returned token securely.
- Proceed to the main application.
1.3 UI guidelines
- Screen 1: Phone number input
- Input: phone number field
- Button: “Send Code”
- Validation: show message if daily SMS limit is reached
- Screen 2: Code verification
- Input: 6-digit verification code
- Button: “Log In”
- Optional: countdown timer and resend option
2. API endpoints
2.1 Request SMS code
Each user is limited to a maximum of 5 SMS code requests per day. Additional requests will be denied until the next day.
Endpoint
GET /sms.json
Purpose
Send an SMS verification code to the customer.
Required headers
| Header | Description |
|---|---|
APP_ID | Your application ID |
APP_SECRET | Your application secret |
Request parameters
| Parameter | Type | Required | Description |
|---|---|---|---|
mobileNo | string | ✅ | Customer’s phone number |
Success response
{
"msg": "success",
"code": 0,
"data": "ok"
}
2.2 Authenticate with SMS code
Endpoint
POST /auth.json
Purpose
Verify the customer’s SMS code and receive a session token.
Request parameters
| Parameter | Type | Required | Description |
|---|---|---|---|
mobileNo | string | ✅ | Customer’s phone number |
authCode | string | ✅ | Verification code from SMS |
Success response
{
"msg": "success",
"code": 0,
"data": {
"customerId": "...",
"token": "..."
}
}
Store the returned token securely for use in future sessions.
2.3 Check token validity
Endpoint
GET /checkAuth.json
Purpose
Verify whether a previously stored token is still valid.
Request parameters
| Parameter | Type | Required | Description |
|---|---|---|---|
token | string | ✅ | Token stored on the device |
Success response
{
"msg": "success",
"code": 0,
"data": true
}
true: token is validfalse: token is no longer valid (e.g., expired or invalidated)
3. Token and session management
- Token storage: store tokens securely using encrypted local storage (e.g., EncryptedSharedPreferences on Android).
- Validation timing: always call
/checkAuth.jsonwhen the app launches or resumes from background. - Device limit: when a user exceeds the allowed number of active sessions, older sessions are invalidated.
4. Best practices
- Never expose your
APP_SECRETin frontend code. - Validate stored tokens before allowing access to protected functionality.
- Prompt users clearly if their session has expired or been invalidated.
- Respect the 5-per-day SMS request limit with appropriate UI feedback for users.
- Implement retry and resend timers on the verification screen.