Smart delivery
Push first, SMS magic link as automatic fallback, but never an unwanted SMS: a user timeout or explicit reject ends the flow instead of triggering a fallback message.
Second-factor authentication as a REST API: send a phone number, get back an approval. Mideye delivers the challenge as a Mideye+ push or an SMS magic link, no server installation, no user directory, nothing to host.
POST /v1/flows/touch?sync=true Authorization: Bearer <access_token> { "msisdn": "+46701234567" }
{ "status": "accepted", "authType": "TOUCH_APP" }
How it works
Perfect for SaaS applications and API-driven authentication: your application keeps its own login, Mideye adds the second factor.
One authenticated request with the user's phone number. Run it synchronously for a single blocking call, or asynchronously and follow the result by polling or a live Server-Sent Events stream.
Users with the Mideye+ app get an instant push prompt. Everyone else receives an SMS magic link, the fallback is automatic, no logic needed on your side.
A clear final status, accepted, rejected, or timeout, plus which channel delivered it, so you always know how the user approved.
Features
Push first, SMS magic link as automatic fallback, but never an unwanted SMS: a user timeout or explicit reject ends the flow instead of triggering a fallback message.
Block on a single call, poll a result URL, or subscribe to a Server-Sent Events stream for live status updates, whichever fits your architecture.
Customize the push title, prompt text, button labels, and SMS text per request. Your brand, your language, your wording.
Per-number rate limiting with sliding windows keeps OTP spam and prompt bombing off your users' phones. OAuth 2.0 client-credentials security on every call.
Hardware tokens too: a separate verify endpoint validates OATH, YubiKey, and HID one-time passwords for users without phones.
Data residency
The cloud service runs on Nordic hosting with Nordic enterprises. User phone numbers and authentication logs stay in the EU/EEA, designed for GDPR compliance requirements.
Data processed and stored in the Nordic countries.
Mideye infrastructure within the EU/EEA.
Mideye AB, headquartered in Stockholm since 1999.
Use cases
Require a second factor for sensitive operations, changing account details, large transfers, admin actions, without re-architecting your login.
Confirm payments and orders with a push prompt that shows exactly what the user is approving.
A recorded approval from the signer's own phone as part of your signing flow.
Add MFA to customer-facing logins where you know a phone number but manage no directory.
The same API powers the Mideye Credential Provider for Windows logon, and our upcoming Entra ID external MFA and Keycloak integrations, both in beta.
Interface
| Field | Required | Description |
|---|---|---|
msisdn | Yes | Phone number in international format (e.g., +46701234567) |
timeout | No | How long to wait for the user, 10–60 seconds (default: 30) |
display.title | No | Push notification title |
display.authenticationText | No | Main text shown in the approval prompt |
display.smsText | No | Custom SMS message text |
display.buttonAcceptText / display.buttonRejectText | No | Custom button labels |
accepted User approved
rejected User rejected
timeout No response in time
pending Awaiting the user (async)
Every final result also reports the channel that delivered it, app push or SMS magic link.
Get API credentials and integration support from our engineers, most teams make their first successful call the same day.
We use cookies and analytics to improve your experience and understand how our site is used. Privacy Policy