Get Auth0 user's complete Guardian phone number from Management API

I'm using Auth0 as my authentication provider. I've enabled Guardian to facilitate SMS based MFA (Multi Factor Authentication). When a new user signs up, Auth0 registers their phone number.

My system provides users the option of opting into SMS messaging on topics of interest to them. Unfortunately when I query the Management API I'm given a masked version of the phone number (i.e. "+61 XXXXX2407"). I would like to get their complete phone number as registered from Auth0 rather than asking them to enter it again.

How can I go about retrieving the complete phone number from Auth0's Guardian?

Frank asked Oct 26 '25 04:10


1 Answer

After two years, Auth0 finally provided a feature to disable phone number obfuscation. :)

Given a management API token with the proper permitted scope, this is how to get the user's phone number used in MFA:

  1. Send PATCH /api/v2/tenants/settings to disable the phone number obfuscation.

The request body should contain:

{
  "flags": { 
    "disable_management_api_sms_obfuscation": true
  }
}

  2. Send GET /api/v2/users/{id}/enrollments to get the user's first confirmed MFA enrollment ID.

The id field is the user id. The response body should contain an MFA enrollment id. For MFA using SMS, you would want an id that begins with sms|dev_. Save this id for the next step.

  3. Send GET /api/v2/guardian/enrollments/{id}

The id field is the MFA enrollment id. The phone number should now be deobfuscated.

Reference:

Getting Users Phone Number

Footnote:

As recently discussed here, to get all authenticators by a user, you would use GET /api/v2/users/{id}/authenticators. The response will include the entry obtained in step 2 above. However, this is not documented yet as of now.

dee cue answered Oct 28 '25 04:10
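
The three-step procedure from the answer, as an added Python example (not code from the answer or from Auth0). The `status` and `phone_number` response fields, the helper names, and the sample IDs and phone number are assumptions; `fake_tenant` is a constructed stand-in for the API so the flow runs offline.

```python
import json
import urllib.parse
import urllib.request

def management_api(domain, token):
    """Return call(method, path, body=None) bound to one tenant and token."""
    def call(method, path, body=None):
        req = urllib.request.Request(
            f"https://{domain}{path}", method=method,
            data=None if body is None else json.dumps(body).encode(),
            headers={"Authorization": f"Bearer {token}",
                     "Content-Type": "application/json"})
        with urllib.request.urlopen(req, timeout=10) as resp:
            return json.load(resp)
    return call

def get_mfa_phone(call, user_id):
    """Run the three steps; return the number, or None if no SMS enrollment."""
    # Step 1: tenant setting, so it changes what every Management API client sees.
    call("PATCH", "/api/v2/tenants/settings",
         {"flags": {"disable_management_api_sms_obfuscation": True}})
    # Step 2: IDs contain "|", so percent-encode them before building a path.
    uid = urllib.parse.quote(user_id, safe="")
    enrollments = call("GET", f"/api/v2/users/{uid}/enrollments")
    sms = next((e for e in enrollments
                if e.get("id", "").startswith("sms|dev_")
                and e.get("status") == "confirmed"), None)  # field names assumed
    if sms is None:
        return None
    eid = urllib.parse.quote(sms["id"], safe="")  # Step 3: the enrollment itself
    phone = call("GET", f"/api/v2/guardian/enrollments/{eid}").get("phone_number")
    if not phone or "X" in phone:
        raise RuntimeError("phone number missing or still masked")
    return phone

def fake_tenant(masked=False):
    """Constructed stand-in for the API; every value below is made up."""
    log = []
    def call(method, path, body=None):
        log.append((method, path))
        if path.endswith("/enrollments"):
            return [{"id": "totp|dev_aaa", "status": "confirmed"},
                    {"id": "sms|dev_bbb", "status": "confirmed"}]
        if "/guardian/enrollments/" in path:
            return {"phone_number": "+61 XXXXX2407" if masked else "+61 491570156"}
        return {}
    return call, log

if __name__ == "__main__":
    print(get_mfa_phone(fake_tenant()[0], "auth0|user123"))
```

Against a real tenant, pass `management_api(domain, token)` as `call`; the token belongs in a secret store and the returned number should stay out of logs.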