Android O: Phone Number Verification With SMS Tokens

In this tutorial, you’ll learn about the cool new SMS token feature in Android O. You’ll learn how to generate an app-specific token that will fire up a pending intent when the device first receives a message containing that token so as to verify the phone number. 

Kindly note that as of this writing, the Android O APIs are still in their third developer preview, though they are final. (We still don’t know what O stands for yet!)

What Is an SMS Token?

An SMS token or one-time password is a security mechanism used to authenticate or verify a user. The user enters their phone number, and a limited lifespan token is generated specifically for that user. The user then receives the token as an SMS to their phone. In the case of Android O as of this writing, this app-specific token does not expire, but instead becomes invalid when another is generated. 

Why Use Android O’s SMS Token?

One of the major reasons you might consider using Android O’s SMS token mechanism is that it improves the user experience of the app. The user does not need to copy and paste the token from the SMS client to be verified. Instead, the Android device automatically detects the token sent to the user’s device and then triggers the app component in the intent associated with your app (we’ll get to that shortly). 

Even better, this functionality doesn’t require the READ_SMS permission or any other. This mechanism also improves the security of your app user, because no other app can read the message containing the token on the device. 

In this tutorial, you’ll learn how to use this new feature in Android O’s SMS API. You’ll learn how to generate an SMS token specifically for your app and send it to a device. We’ll use the Android Studio emulator to simulate this process. 


To follow along with this tutorial, make sure you have downloaded the Android 8.0 (O) SDK platform on your computer and have an emulator already set up that targets this version. 

1. Generate the App-Specific Token

To start off, I’ll show you how to generate an app-specific token which is unique to your app on the user’s device.

Create a New Android Studio Project

Fire up Android Studio and create a new project with an empty activity called MainActivity.

Create a new Android Studio project

Modify the build.gradle File

Make the following changes to your app module’s build.gradle file. 

Modify the MainActivity Class

In the code snippet below, we get the SMSManager class and then call the method createAppSpecificSmsToken(). This does just what it says—it creates the app-specific SMS token. This method requires a PendingIntent which contains the Activity to be fired up when an SMS containing this token (a string 11 characters long) is received by the device. 

Be aware that, as stated earlier, the generated token is unique to your app on the user’s device. If you create another SMS token, the second one will be a valid token while the first one will be ignored. 

Lay Out the Screen

Here’s a MainActivity layout file set up to display the SMS token that was generated:

Running the app at this point will show the SMS token generated. 

Running the app at this point

2. Receive the SMS Token

Next, we’ll create the activity to be fired up when our device receives a message containing the SMS token. Nothing specific to SMS tokens happens here. 

Lay Out the Screen

Here we create the layout for the activity we created above that contains just one TextView

Next, we’ll test this functionality using the Android Studio emulator.

3. Test the SMS Token

Set Up the Emulator to Send SMS Messages

You can use your emulator to simulate receiving an SMS message, but you’ll need to do a little setup. Open your emulator, click the last button on the right-side navigation bar to open the extended control dialog, and then select the phone control button. 

Showing how to use the Emulator to simulate sending an SMS message

From this interface, you can simulate your device receiving a phone call or SMS from another phone.

Send the Token

Make sure you have set up your emulator that targets Android 8.0 (O). Generate a token and enter a text message that contains it. Then click the Send Message button.  

Sending a message with emulator

Finally, the activity we specified in the pending intent gets fired up immediately! Try sending the message again and see that this time, it will show up in the device SMS client instead, because it is no longer a valid token. 

Token result activity

Using a Server

For a production app, the SMS token will typically be sent by a back-end server. So when using a server, the client (your app) should make a request to the server, including the app generated token and the phone number. Your server will then receive this request and send the unmodified token back as a text message to the user’s phone. Your app will then receive this token and fire up the component registered in the pending intent. That component can then let the server know that the phone number verification or user authentication succeeded.


In this tutorial, you learned about the awesome SMS token feature introduced in Android O: what is it, its benefits, and how to use it in an Android app. 

To learn more about Android SMS and phone APIs, including how to make calls from your app, check out my related tutorial here on Envato Tuts+.

  • Android SDK
    How to Make Calls and Use SMS in Android Apps
    Chike Mgbemena

And check out some of our other courses and tutorials on Android app development!

  • Android SDK
    Android O: How to Use Notification Channels
    Chike Mgbemena
  • Android
    How to Solve Android’s 13 Most Common Error Messages
    Jessica Thornsby
  • Android SDK
    Create an Intelligent App With Google Cloud Speech and Natural Language APIs
    Ashraff Hathibelagal

Leave a Comment

Scroll to Top