Which API should I use?

Google Play services has two APIs you can use to streamline the SMS-based verification process: the SMS Retriever API and the SMS User Consent API.

The SMS Retriever API provides a fully automated user experience and should be used when possible. It does, however, require you to place a custom hash code in the message body, and this may be difficult to do if you're not the sender of that message.

If you don't have control over the contents of the message—for example, if your app works with a financial institution that might want to verify the user's phone number before approving a payment transaction inside your app—then you can use the SMS User Consent API, which does not require the custom hash code. It does, however, require the user to approve your app's request to access the message containing the verification code. In order to minimize the chances of surfacing the wrong message to the user, SMS User Consent will check if the message contains a 4-10 character alphanumeric code containing at least one number. It will also filter out messages from senders in the user's Contacts list.

The differences are summarized in the table below:

SMS Retriever SMS User Consent
Message requirements 11-digit hash code that uniquely identifies your app 4-10 digit alphanumeric code containing at least one number
Sender requirements None Sender cannot be in the user's Contacts list
User interaction None One tap to approve