# Using SMS regions to protect your app from SMS abuse

This guide shows you how to use SMS regions to restrict Identity Platform SMS
verification usage and view usage metrics.

Overview of SMS regions
-----------------------

SMS regions is an Identity Platform feature you can use to protect your apps
from SMS abuse.

SMS abuse typically happens when a malicious actor causes a service to send SMS
through a carrier that they have a revenue sharing agreement with. SMS abuse can
lead to higher costs and damage your product's reputation with customers.

Because Identity Platform allows SMS phone authorizations, SMS abuse can occur.

The SMS regions feature lets you set which regions can receive SMS phone
authorizations.

The feature provides the following:

- A Firebase console interface for you to set up your SMS region policy.
- An API for you to set up your SMS region policy.
- Metrics that can inform your decision to use an SMS region policy.

Set a region policy
-------------------

This section describes an Identity Platform region policy. You can set up the
following types of policies, and only one can be active:

- **Allowlist-only:** only the regions that you specify in an allowlist can receive phone authorization requests.
- **Denylist-only:** all regions can receive phone authorization requests except the ones you specify in a denylist.

After you change the configuration, the system immediately starts to enforce the
policy. It blocks phone authorization requests from the regions that are
disallowed by the policy based on the region code of the phone number.
### Allowlist-only policy

To set up an allowlist-only policy, follow these steps:

#### Firebase console

1. In the Firebase console, go to the **Firebase Auth Settings** page.

   [Go to Firebase Auth settings](https://console.firebase.google.com/project/_/authentication/settings)

   1. Select **SMS region policy** in the navigation pane.
   2. Select **Allow**.
   3. Click **Select regions**.

2. Add only regions you want SMS messages to be sent to. Regions not on the list are blocked.

3. Click **Save**.

   You can configure either an allowlist or a denylist, but not both. Saving a policy overwrites any previous configuration.

#### Identity Toolkit API

1. In the Google Cloud console, to print an access token for your project, run the following command:

        gcloud auth print-access-token --project=PROJECT_ID

2. Update your project configuration to include your new policy using the [Identity Toolkit API](/identity-platform/docs/reference/rest/v2/projects/updateConfig):

        curl -X PATCH -d "{'sms_region_config':{'allowlist_only':{'allowed_regions':['REGION_LIST']}}}" \
          -H 'Authorization: Bearer ACCESS_TOKEN' \
          -H 'Content-Type: application/json' \
          'https://identitytoolkit.googleapis.com/admin/v2/projects/PROJECT_ID/config?updateMask=sms_region_config'

Replace the following:

- `ACCESS_TOKEN`: the access token you generated earlier.
- `REGION_LIST`: one or more regions, for example, `IN` or `US`.
- `PROJECT_ID`: your project ID.

You must provide an [update mask](/identity-platform/docs/reference/rest/v2/projects/updateConfig#query-parameters) to prevent other fields from being changed.

### Denylist-only policy

To set up a denylist-only policy, follow these steps:

#### Firebase console

1. In the Firebase console, go to the **Firebase Auth Settings** page and select **SMS region policy** in the navigation pane.

   [Go to Firebase Auth settings](https://console.firebase.google.com/project/_/authentication/settings)

   1. Select **Deny**.
   2. Click **Select regions**.

2. Add any regions that you want to block sending SMS messages to. Regions not on the list will be allowed.

3. Click **Save**.

   You can configure either an allowlist or a denylist, but not both. Saving a policy overwrites any previous configuration.

#### Identity Toolkit API

1. In the Google Cloud console, to print an access token for your project, run the following command:

        gcloud auth print-access-token --project=PROJECT_ID

2. Update your project configuration to include your new policy using the [Identity Toolkit API](/identity-platform/docs/reference/rest/v2/projects/updateConfig):

        curl -X PATCH -d "{'sms_region_config':{'allow_by_default':{'disallowed_regions':['REGION_LIST']}}}" \
          -H 'Authorization: Bearer ACCESS_TOKEN' \
          -H 'Content-Type: application/json' \
          'https://identitytoolkit.googleapis.com/admin/v2/projects/PROJECT_ID/config?updateMask=sms_region_config'

Replace the following:

- `ACCESS_TOKEN`: the access token you generated earlier.
- `REGION_LIST`: one or more regions, for example, `IN` or `US`.
- `PROJECT_ID`: your project ID.

You must provide an [update mask](/identity-platform/docs/reference/rest/v2/projects/updateConfig#query-parameters) to prevent other fields from being changed.

Access regional SMS use metrics
-------------------------------

This section describes how to view SMS use metrics.

To view the metrics, do the following:

1. In the Google Cloud console, go to the **Metrics explorer** page in Cloud Monitoring:

   [Go to Cloud Monitoring](https://console.cloud.google.com/monitoring/metrics-explorer)

2. Select the following fields:

   - `identitytoolkit.googleapis.com/usage/sent_sms_count`
   - `identitytoolkit.googleapis.com/usage/blocked_sms_count`
   - `firebaseauth.googleapis.com/phone_auth/phone_verification_count`

   Note that the metrics have a field `region_code`. You use this code to
   view the regions that receive SMS authorizations.

3. Compute the verification success rate as
   `verification_success_rate = phone_verification_count/sent_sms_count`, in a
   particular region. Typically, verification success rates above 75% are considered acceptable.

A low `verification_success_rate` can indicate abuse, especially in a region in
which you wouldn't expect to have users. Typically, verification success rates below 75%
are considered low.

If you suspect SMS abuse, you can [set a region policy](#set-region-policy).

Last updated 2025-08-25 UTC.
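
The success-rate check from the metrics section, as an added example (not Google's code): it sums per-region counts, flags regions below the page's 75% threshold, and builds the denylist request body shown earlier without sending it. The sample data is constructed, and the `MIN_SENT` volume floor, the function names, and the `XA`/`XB`/`XC` placeholder region codes are assumptions.

```python
import json
from collections import defaultdict

LOW_RATE = 0.75  # threshold stated on this page
MIN_SENT = 20    # assumption: too few SMS in a region to judge its rate

# Constructed sample points (metric, region_code, count), as if exported from
# Metrics explorer grouped by region_code. Metric names are the short names
# used in the page's formula; XA/XB/XC are placeholder region codes.
SAMPLE_POINTS = [
    ("sent_sms_count", "US", 400), ("phone_verification_count", "US", 352),
    ("sent_sms_count", "IN", 150), ("sent_sms_count", "IN", 50),
    ("phone_verification_count", "IN", 170),
    ("sent_sms_count", "XA", 900), ("phone_verification_count", "XA", 18),
    ("sent_sms_count", "XB", 5), ("phone_verification_count", "XB", 0),
    ("blocked_sms_count", "XC", 40),
]


def success_rates(points):
    """Sum counts per region and return {region: (sent, verified, rate)}."""
    totals = defaultdict(lambda: defaultdict(int))
    for metric, region, count in points:
        totals[region][metric] += count
    rates = {}
    for region, t in totals.items():
        sent, verified = t["sent_sms_count"], t["phone_verification_count"]
        # No SMS sent (for example, everything was blocked): rate is undefined.
        rates[region] = (sent, verified, verified / sent if sent else None)
    return rates


def suspicious_regions(rates, low=LOW_RATE, min_sent=MIN_SENT):
    """Regions with enough traffic to judge and a rate below the threshold."""
    return sorted(r for r, (sent, _, rate) in rates.items()
                  if rate is not None and sent >= min_sent and rate < low)


def denylist_body(regions):
    """Request body for the denylist-only policy shown on this page."""
    return {"sms_region_config":
            {"allow_by_default": {"disallowed_regions": list(regions)}}}


if __name__ == "__main__":
    rates = success_rates(SAMPLE_POINTS)
    for region, (sent, verified, rate) in sorted(rates.items()):
        shown = "n/a" if rate is None else f"{rate:.0%}"
        print(f"{region}: sent={sent} verified={verified} rate={shown}")
    print(json.dumps(denylist_body(suspicious_regions(rates))))
```

Review the flagged regions against where you expect users before putting them in a policy, because a denylist takes effect as soon as it is saved.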