GSMA Open Gateway API Descriptions

• Fraud prevention in banking: a bank may query the API when a transaction appears suspicious. The SIM swap information feeds into the bank risk decision engine and security measures are applied accordingly by the bank
• Fraud prevention for password reset (various sectors): password reset is often protected via a mobile verification e.g. SMS One Time Password. The online service provider may query the API to secure the mobile verification. A recent SIM swap may indicate a risk of account takeover fraud and the service provider can adapt the security measures accordingly.

• Remote control of machines and vehicles (e.g. Automated Guided Vehicles, drones, robotic arm, factory production line): applications requiring remote control of machines or vehicles require stable data throughput and low latency. The requirements may change dynamically (e.g. piloting a drone vs drone transmitting video data) or not (e.g.specialised robotic arm or remote maintenance). The application requests the required Quality On Demand from the mobile network via the API each time the requirements change. The API can also apply over private networks and network slices.
• Real-time media and entertainment (e.g. gaming, real-time streaming): online gamers and viewers of real-time streaming media require a guaranteed level of quality to ensure good user experience. The application requests the required Quality on Demand from the mobile network via the API.

Minimised production line downtime. Factory floor flexibility.

Guaranteed quality may be critical for safety reasons (moving objects or vehicles).

Enhanced end-user experience.

• Service delivery: a content provider may need to enforce territory restrictions for their content. For instance a broadcaster or streaming service may only have rights to broadcast a piece of content in their domestic market. Through the Device status API, the content provider can check that the end-user is located in the content provider domestic market. ​
• Fraud prevention (e.g. banking, payments, commerce): a bank may query the API upon detecting a transaction from an unexpected country. The roaming information feeds into the bank risk decision engine and security measures are applied accordingly by the bank. ​
• Regulatory compliance: a customer may need to be within a certain jurisdiction, or outwith others, in order for transactions to be authorised​

Decreased fraud risk without additional friction for the user.

• App onboarding (banking app, social media, ride share, mobile wallet, …): SMS One Time Password is widely used to prove that the user is in possession of the mobile device associated with the mobile number used for registration. However it adds friction to the user journey. The application can instead request a seamless authentication of the mobile device via the API.
• App login: in place of username/password, the application can request seamless authentication of the mobile device.
• Application password reset: the user journey often relies on SMS One Time Password. As in the app onboarding use case, the application can instead request a seamless authentication of the mobile device via the API.

Lower risk of compromise (by social engineering or interception)

• All edge cloud use cases e.g. automotive, mixed/augmented reality, high resolution video streaming, cloud gaming, remote control of moving objects or vehicles: for an application deployed in telco edge cloud or hyperscaler edge cloud, the device needs to be informed of the Edge-Cloud node to access. The application queries the API and is informed of the nearest Edge-Cloud node to connect to. It can then perform a DNS lookup to route traffic to this node.

Enables selection of and routing towards the nearest edge cloud node, generally optimising network performance by minimising propagation delay. ​

​More accurate selection based on Operator network topology rather than geolocation. 

• Onboarding to digital service (banking, social media, gig economy, retail, …): SMS One Time Password is used to prove that the user is in possession of the mobile device associated with the mobile number used for onboarding. This increases confidence for future uses of the mobile number and reduces instances of fake accounts creation.
• High-value transactions: in order to reduce payment fraud, the user may be asked to enter the OTP code sent to their registered mobile number.
• Account management e.g. password reset: to protect against account takeover, sensitive account management actions can be protected by requesting a second factor authentication by the end-user.

Increased security over single-factor authentication (username/password) or in card-not-present scenarios.

Prevent fake accounts creation (bots).

• Mobile payments across media, gaming, mobile services, ticketing, content, and other digital services: when reaching checkout online, the user gets the option to pay by mobile. If chosen, the merchant requests payment via the Carrier Billing API. The payment amount is added to the user’s phone bill or deducted from their prepaid balance. The settlement from the mobile operator to the merchant takes place to cover all users’ payments over a defined period.

Increased conversion for merchants

• Fraud prevention (banking, payments): a bank may query the API upon detecting a cash withdrawal or credit card use attempt from an unexpected location. The location verification feeds into the bank risk decision engine and security measures are applied accordingly by the bank.
• Traffic management of drones: the Uncrewed Aircraft System Traffic Management or the drone operator can obtain drone location information from its GPS data, however this is vulnerable to jamming or spoofing. They can query the API to verify the drone location, e.g. for law enforcement purposes or to check compliance with approved flight plan.
• Retail marketing: a retailer Edge Application may query the API to verify that a user is close enough to a physical location before pushing a notification to them.
• Protection of assets e.g. logistics, indoors factory tools (depending on available accuracy): the fleet manager can check if assets are in their expected location.

Independent and reliable verification of the location reported by a drone GPS.

Geotargeted marketing