Add Phone Authentication to Your Node.js Backend

Set up the backend API endpoints that your frontend SDK calls using the Glide Node.js SDK.

1. Install the SDK

Install the Glide Node.js SDK.

2. Initialize the Client

Create a GlideClient with your client credentials.

Store your credentials in environment variables - never commit them to code.

3. Create API Endpoints

Create four endpoints for the frontend SDK:

  • /prepare - Initializes the auth session
  • /report-invocation - Reports that the prompt was shown (fire-and-forget)
  • /process - Routes to verifyPhoneNumber() or getPhoneNumber()
  • /complete - Validates device binding codes (Link protocol only)

4. API Methods Reference

The SDK provides four main methods:

  • prepare() - Initialize authentication session
  • reportInvocation() - Report that the prompt was shown (fire-and-forget)
  • verifyPhoneNumber() - Confirm user owns a phone number
  • getPhoneNumber() - Retrieve the phone number from the device

5. Error Handling

Handle specific error codes from the SDK.

6. Anti-Fraud Signals

Both verifyPhoneNumber() and getPhoneNumber() responses include SIM swap and device swap (IMEI change) fraud detection signals.

Each signal includes risk_level, age_band, carrier_name, and checked_at.

7. Device Binding (Link Protocol)

For Link protocol sessions (e.g., Verizon via App Clips), device binding is mandatory. Your backend must generate a cryptographic code, hash it, and send the hash during /prepare. After carrier auth, a second code arrives via URL fragment, and your backend validates both codes via /complete.

This prevents session fixation attacks where an attacker could phish a victim into authenticating on the attacker's session.

Read the full Device Binding Security guide →
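The backend-generated half of device binding, sketched with Node's built-in crypto module only. This is an added example, not code from Glide or its SDK: the SHA-256 hash, hex encoding, 32-byte code length, in-memory store, TTL and all function names are assumptions, and validation of the second (URL-fragment) code is left to the /complete call.

```javascript
const crypto = require('node:crypto');

// Assumption: 32 random bytes, hex-encoded, hashed with SHA-256.
function createBindingCode() {
  const code = crypto.randomBytes(32).toString('hex');
  const hash = crypto.createHash('sha256').update(code).digest('hex');
  return { code, hash };
}

// Constant-time check that a presented code hashes to the value sent at /prepare.
function matchesBindingHash(presentedCode, expectedHashHex) {
  if (typeof presentedCode !== 'string' || typeof expectedHashHex !== 'string') {
    return false;
  }
  const actual = crypto.createHash('sha256').update(presentedCode).digest();
  const expected = Buffer.from(expectedHashHex, 'hex');
  // timingSafeEqual throws on length mismatch, so reject malformed hashes first.
  if (expected.length !== actual.length) return false;
  return crypto.timingSafeEqual(actual, expected);
}

// Hypothetical in-memory session store; use a shared server-side store in production.
const SESSION_TTL_MS = 5 * 60 * 1000;
const sessions = new Map();

// Called while handling /prepare: the hash goes into the prepare request,
// the raw code stays with the device that started the session
// (for example in an HttpOnly cookie, which is an assumption here).
function beginSession(sessionId, now = Date.now()) {
  const { code, hash } = createBindingCode();
  sessions.set(sessionId, { hash, expiresAt: now + SESSION_TTL_MS });
  return { code, hash };
}

// Called while handling /complete: only the device holding the original code
// can finish the session, and each session can be completed once.
function completeSession(sessionId, deviceCode, now = Date.now()) {
  const entry = sessions.get(sessionId);
  sessions.delete(sessionId); // single use, even on failure
  if (!entry || now > entry.expiresAt) return false;
  return matchesBindingHash(deviceCode, entry.hash);
}
```

A session started on one device cannot be completed with a code from another, which is the property that blocks the fixation scenario described above.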

npm install @glideidentity/glide-be-sdk-node