Account takeover protection documentation
Account Takeover Protection (ATP) / SIM Swap
KPN currently supports Account Takeover Protection following the CAMARA SIM Swap Specification V0.
API specification
Sim swap API
The sim swap API enables a service to be initiated even when the user is not interacting with a Service Provider. Access Tokens are requested using Client Id and Client Secret. The Access Token is valid for a limited time period and is not tied to a specific user. So, one Access Token can be used for several resource requests, as long as the validity period of the Access Token has not expired. The Resource Request specifies for which user (MSISDN or phone number) the ATP data should be retrieved.
Flow Diagram
Getting started
Make sure you've read What's in it for you for more info on how to register and start testing APIs.
Authentication
The API follows the KPN Store API Authentication Standard to secure the API. It includes the use of OAuth 2.0 client_id and client_secret to receive an access token.
Go to the Authentication tab on top of this page to find out how to:
- Authenticate to an API using cURL.
- Authenticate to an API on Swaggerhub.
- Import Open API Specifications (OAS), also called Swagger files into Postman.
Resource Request
In below examples the Access Token obtained is used as bearer token for request authorization. For Sim Swap the POST method should be used,with the phone number in the body of the request.
The Resource Request has the following URL
POST https://api-prd.kpn.com/kpn/sim-swap
Request Header
| Header | Description |
|---|---|
| Authorization | Bearer Access Token obtained as described in paragraph: “Access Token Request” For example: Authorization: Bearer *** |
Authorization ON format
{
"phoneNumber": "+346661113334"
}
The response body for ATP contains a time stamp when the last sim change occurred.
Response
{
"latestSimChange": "2023-10-29T17:38:22.306Z"
}
In case there is an error; you will see for example the following information in the response body:
Response
{
"status": 400,
"code": "INVALID_ARGUMENT",
"message": "Client specified an invalid argument, request body or query param"
}
Error codes
Below are the most common error codes that you may encounter using the service.
| Status | Code | Message |
|---|---|---|
| 400 | INVALID_ARGUMENT | Client specified an invalid argument, request body or query param |
| 401 | UNAUTHENTICATED | Request not authenticated due to missing, invalid, or expired credentials |
| 403 | PERMISSION_DENIED | Client does not have sufficient permissions to perform this action |
| 404 | SIM_SWAP.UNKNOWN_PHONE_NUMBER | SIM Swap can't be checked because the phone number is unknown |
| 409 | CONFLICT | Another request is created for the same MSISDN |
| 500 | INTERNAL | Server error |
| 503 | UNAVAILABLE | Service unavailable |
| 504 | TIMEOUT | Request timeout exceeded. Try later |
