Add Phone Authentication to Your Node.js Backend
Wire carrier-grade phone authentication into an Express API using the official Glide Magical Auth Node.js SDK. Glide's Magical Auth service selects the strategy (TS43 / Link / Desktop) server-side from the carrier and the caller's device — your backend just signs the API calls and forwards them.
Install the SDK
Install the Glide Magical Auth Node.js SDK from npm. The SDK has zero runtime dependencies — it uses only Node.js built-ins (fetch, crypto). Node 18+ is required.
Initialize the client
Build a single thread-safe MagicalAuthClient at startup and reuse it across requests. The constructor accepts only what you actually need — no global state, no static singletons.
Store your credentials in environment variables — never commit them to code.
Create the REST endpoints
The frontend SDK calls three of your endpoints:
/prepare — initialises the auth session. The SDK auto-generates a device-binding code for the Link strategy; you persist it as an HttpOnly cookie and return only the response payload.
/process — routes to verifyPhoneNumber() or getPhoneNumber() based on the use case the frontend supplied.
/complete — Link-only. Validates the device binding before the client is allowed to call /process.
Branch on result.authentication_strategy from the prepare response — not on hardcoded carrier names or User-Agent sniffing. Glide's service has already done that work and tells you the answer.
Anti-fraud signals (SIM swap + device swap)
Both verifyPhoneNumber() and getPhoneNumber() responses include SIM swap and device swap (IMEI-change) fraud signals. Each carries a risk_level, age_band, carrier_name, and checked_at when the upstream check succeeded; on failure, checked is false and reason explains why.
Use these to gate high-risk operations (large transfers, password resets, account recovery) — a recent SIM swap is a strong signal of an account-takeover attempt.
Device binding (Link strategy)
The Link strategy runs in two modes — mobile-web (the carrier returns the user to a new browser tab on your completion page) and native (Universal Links on iOS, App Links on Android). In both modes, device binding is mandatory: the SDK auto-generates a 64-char binding code during prepare(), hashes it, and sends the hash to Glide. After the carrier redirect lands on your completion page, the SDK validates both halves via complete().
This prevents session-fixation attacks where an attacker tricks a victim into authenticating on the attacker's session.
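The binding check described above, as an added sketch that is not the Glide SDK's code and does not call it. The function names, the in-memory session map, SHA-256 with hex encoding, and the cookie options are assumptions made for illustration; the page only states that a 64-char code is generated, hashed, and later validated.

```javascript
// Added illustration of device binding; NOT the Glide SDK's internals.
// Assumptions: SHA-256 as the hash, hex encoding, an in-memory session store.
const crypto = require('node:crypto');

const sha256Hex = (value) =>
  crypto.createHash('sha256').update(value).digest('hex');

// Prepare step: the plaintext code goes only to the browser that started the
// session (as an HttpOnly cookie); the server side keeps just the hash.
function prepareBinding(sessions, sessionId) {
  const bindingCode = crypto.randomBytes(32).toString('hex'); // 64 hex chars
  sessions.set(sessionId, { bindingHash: sha256Hex(bindingCode), bound: false });
  return {
    bindingCode,
    // Express res.cookie() options; values are assumed hardening defaults.
    cookieOptions: { httpOnly: true, secure: true, sameSite: 'lax' },
  };
}

// Complete step: the browser landing on the completion page must present the
// cookie whose hash matches the one recorded for this session.
function completeBinding(sessions, sessionId, cookieValue) {
  const session = sessions.get(sessionId);
  if (!session || typeof cookieValue !== 'string') return false;
  const presented = Buffer.from(sha256Hex(cookieValue), 'hex');
  const expected = Buffer.from(session.bindingHash, 'hex');
  const ok = crypto.timingSafeEqual(presented, expected); // both are 32 bytes
  if (ok) session.bound = true; // only now may /process be served
  return ok;
}

// Constructed scenario: a session is prepared in one browser, then the
// completion page is opened in a different browser that never got the cookie.
function demo() {
  const sessions = new Map();
  const { bindingCode } = prepareBinding(sessions, 'sess-1');
  return {
    codeLength: bindingCode.length,
    otherBrowserNoCookie: completeBinding(sessions, 'sess-1', undefined),
    otherBrowserGuess: completeBinding(sessions, 'sess-1', 'a'.repeat(64)),
    boundAfterFailures: sessions.get('sess-1').bound,
    sameBrowser: completeBinding(sessions, 'sess-1', bindingCode),
    unknownSession: completeBinding(sessions, 'sess-2', bindingCode),
  };
}
```

A completion request from a browser that was never handed the cookie fails, so a session prepared on one device cannot be finished by a user on another.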
Next steps
Your Node.js backend is ready.
npm install express cors dotenv @glideidentity/glide-be-node-magical-auth
npm install --save-dev @types/express @types/cors @types/node typescript tsx