> ## Documentation Index
> Fetch the complete documentation index at: https://docs.didit.me/llms.txt
> Use this file to discover all available pages before exploring further.

# Check Phone Code

> Verify the OTP delivered by [`POST /v3/phone/send/`](/standalone-apis/phone-send) and get the final verification result plus phone intelligence: carrier name and line type, virtual (VoIP) and disposable flags, and duplicate usage of the number across your sessions.

**How the check finds the verification.** Matching is by your application plus the E.164 `phone_number` — `request_id` is not an input. The most recent pending verification created within the last **5 minutes** is checked. If there is none (never sent, already finalized, or older than 5 minutes) the endpoint returns `200` with `status: "Expired or Not Found"`.

**Attempt budget.** Each verification allows **3 code attempts**. The first two wrong codes return `status: "Failed"` with the attempts remaining and `phone: null`; the third wrong code finalizes the verification as `Declined` with a `VERIFICATION_CODE_ATTEMPTS_EXCEEDED` warning and returns the full phone report.

**Outcomes.** `Approved` — correct code and no declining risk. `Declined` — terminal: the code was correct but a declining risk matched (a `DECLINE` action below, a blocklisted or high-risk number), or the attempt budget was exhausted. `Failed` — wrong code, attempts remaining. `Expired or Not Found` — nothing to check. On `Approved`/`Declined` the `request_id` equals the send's `request_id` (the session id) and `phone` carries the full report (`carrier`, `is_virtual`, `is_disposable`, `warnings`, `lifecycle`, `matches`); on `Failed` and `Expired or Not Found` the `request_id` is a one-off random UUID.

**Risk actions.** `duplicated_phone_number_action`, `disposable_number_action`, and `voip_number_action` decide what happens when the corresponding risk is detected on a correct code: `DECLINE` flips the final status to `Declined`; `NO_ACTION` (default) records the risk in `phone.warnings` without affecting the status.

**Billing.** Checks are free — delivery is billed on the send side (see [Phone Verification Pricing](/getting-started/phone-verification-pricing)).

**Session persistence.** A finalized check updates the session created by the send (visible in the Business Console, queryable via `GET /v3/session/{sessionId}/decision/`) and fires a `status.updated` webhook.

**Sandbox.** Sandbox API keys skip all processing: code `123456` returns a static `Approved` payload with a simplified flat `phone` object (`status`, `phone_number`, `country_code`, `carrier_name`, `line_type`, `flags`); any other code returns `Failed`. Nothing is persisted.

**Authentication.** Send your application's API key in the `x-api-key` header. Missing or invalid credentials return `403` (`{"detail": "You do not have permission to perform this action."}`) — this API never returns `401`.

**Rate limits.** Shared write budget of 300 requests/min per API key, plus the upstream anti-abuse cap of 4 attempts per number per hour; exceeding either returns `429`.



## OpenAPI

````yaml POST /v3/phone/check/
openapi: 3.0.0
info:
  version: 3.0.0
  title: Didit Verification API
  description: Identity verification API. Authenticate with x-api-key header.
servers:
  - url: https://verification.didit.me
security: []
tags: []
paths:
  /v3/phone/check/:
    post:
      tags:
        - Standalone APIs
      summary: Check Phone Code
      description: >-
        Verify the OTP delivered by [`POST
        /v3/phone/send/`](/standalone-apis/phone-send) and get the final
        verification result plus phone intelligence: carrier name and line type,
        virtual (VoIP) and disposable flags, and duplicate usage of the number
        across your sessions.


        **How the check finds the verification.** Matching is by your
        application plus the E.164 `phone_number` — `request_id` is not an
        input. The most recent pending verification created within the last **5
        minutes** is checked. If there is none (never sent, already finalized,
        or older than 5 minutes) the endpoint returns `200` with `status:
        "Expired or Not Found"`.


        **Attempt budget.** Each verification allows **3 code attempts**. The
        first two wrong codes return `status: "Failed"` with the attempts
        remaining and `phone: null`; the third wrong code finalizes the
        verification as `Declined` with a `VERIFICATION_CODE_ATTEMPTS_EXCEEDED`
        warning and returns the full phone report.


        **Outcomes.** `Approved` — correct code and no declining risk.
        `Declined` — terminal: the code was correct but a declining risk matched
        (a `DECLINE` action below, a blocklisted or high-risk number), or the
        attempt budget was exhausted. `Failed` — wrong code, attempts remaining.
        `Expired or Not Found` — nothing to check. On `Approved`/`Declined` the
        `request_id` equals the send's `request_id` (the session id) and `phone`
        carries the full report (`carrier`, `is_virtual`, `is_disposable`,
        `warnings`, `lifecycle`, `matches`); on `Failed` and `Expired or Not
        Found` the `request_id` is a one-off random UUID.


        **Risk actions.** `duplicated_phone_number_action`,
        `disposable_number_action`, and `voip_number_action` decide what happens
        when the corresponding risk is detected on a correct code: `DECLINE`
        flips the final status to `Declined`; `NO_ACTION` (default) records the
        risk in `phone.warnings` without affecting the status.


        **Billing.** Checks are free — delivery is billed on the send side (see
        [Phone Verification
        Pricing](/getting-started/phone-verification-pricing)).


        **Session persistence.** A finalized check updates the session created
        by the send (visible in the Business Console, queryable via `GET
        /v3/session/{sessionId}/decision/`) and fires a `status.updated`
        webhook.


        **Sandbox.** Sandbox API keys skip all processing: code `123456` returns
        a static `Approved` payload with a simplified flat `phone` object
        (`status`, `phone_number`, `country_code`, `carrier_name`, `line_type`,
        `flags`); any other code returns `Failed`. Nothing is persisted.


        **Authentication.** Send your application's API key in the `x-api-key`
        header. Missing or invalid credentials return `403` (`{"detail": "You do
        not have permission to perform this action."}`) — this API never returns
        `401`.


        **Rate limits.** Shared write budget of 300 requests/min per API key,
        plus the upstream anti-abuse cap of 4 attempts per number per hour;
        exceeding either returns `429`.
      operationId: post_v3phone_check
      requestBody:
        required: true
        content:
          application/json:
            schema:
              type: object
              properties:
                phone_number:
                  type: string
                  maxLength: 20
                  description: >-
                    The same phone number used in the matching [`POST
                    /v3/phone/send/`](/standalone-apis/phone-send) call, in
                    E.164 format. This is what links the check to the send.
                  example: '+14155552671'
                code:
                  type: string
                  minLength: 4
                  maxLength: 8
                  pattern: ^[0-9]{4,8}$
                  description: >-
                    The OTP the end user received. Must be 4–8 numeric digits —
                    anything else returns `400` without consuming an attempt. A
                    well-formed but wrong code returns `200` with `status:
                    "Failed"` and consumes one of the 3 attempts.
                  example: '123456'
                duplicated_phone_number_action:
                  type: string
                  enum:
                    - NO_ACTION
                    - DECLINE
                  default: NO_ACTION
                  description: >-
                    What to do when the same number was already used by a
                    different user (different `vendor_data`) of your
                    application. `DECLINE` flips the final `status` to
                    `Declined`; `NO_ACTION` records the risk in `phone.warnings`
                    and fills `phone.matches`.
                disposable_number_action:
                  type: string
                  enum:
                    - NO_ACTION
                    - DECLINE
                  default: NO_ACTION
                  description: >-
                    What to do when the carrier lookup flags the number as a
                    temporary/burner line (`phone.is_disposable`). `DECLINE`
                    flips the final `status` to `Declined`; `NO_ACTION` records
                    the risk in `phone.warnings`.
                voip_number_action:
                  type: string
                  enum:
                    - NO_ACTION
                    - DECLINE
                  default: NO_ACTION
                  description: >-
                    What to do when the carrier lookup reports a virtual line
                    type — `voip`, `isp`, or `vpn` (`phone.is_virtual`).
                    `DECLINE` flips the final `status` to `Declined`;
                    `NO_ACTION` records the risk in `phone.warnings`.
              required:
                - phone_number
                - code
            examples:
              Default:
                summary: Record any risks but never auto-decline
                value:
                  phone_number: '+14155552671'
                  code: '123456'
              Strict risk policy:
                summary: Auto-decline VoIP and disposable lines
                value:
                  phone_number: '+14155552671'
                  code: '123456'
                  voip_number_action: DECLINE
                  disposable_number_action: DECLINE
      responses:
        '200':
          description: >-
            Check completed — wrong codes and missing verifications also return
            `200`; inspect `status`, not the HTTP code. `phone` is populated
            only on finalized outcomes (`Approved`/`Declined`), `null` on
            `Failed`, and absent on `Expired or Not Found`.
          content:
            application/json:
              schema:
                $ref: '#/components/schemas/PhoneVerificationCheckResponse'
              examples:
                Approved:
                  summary: >-
                    Correct code — full phone report with carrier, lifecycle,
                    and matches
                  value:
                    request_id: e39cb057-92fc-4b59-b84e-02fec29a0f24
                    status: Approved
                    message: The verification code is correct.
                    phone:
                      status: Approved
                      phone_number_prefix: '+1'
                      phone_number: '4155552671'
                      full_number: '+14155552671'
                      country_code: US
                      country_name: United States
                      carrier:
                        name: AT&T
                        type: mobile
                      is_disposable: false
                      is_virtual: false
                      verification_method: whatsapp
                      verification_attempts: 1
                      verified_at: '2026-06-12T01:24:47.311323Z'
                      warnings: []
                      lifecycle:
                        - type: PHONE_VERIFICATION_MESSAGE_SENT
                          timestamp: '2026-06-12T01:23:39.580554+00:00'
                          details:
                            status: Success
                            reason: null
                            channel: whatsapp
                            actual_channel: whatsapp
                          fee: 0.0709
                        - type: PHONE_DELIVERY_DELIVERED
                          timestamp: '2026-06-12T01:23:43.118220+00:00'
                          details:
                            channel: whatsapp
                            status: delivered
                          fee: 0
                        - type: VALID_CODE_ENTERED
                          timestamp: '2026-06-12T01:24:47.311201+00:00'
                          details:
                            code_tried: '123456'
                            status: Approved
                          fee: 0
                        - type: PHONE_VERIFICATION_APPROVED
                          timestamp: '2026-06-12T01:24:47.384292+00:00'
                          details: null
                          fee: 0
                      matches: []
                    vendor_data: user-1234
                    metadata: null
                    created_at: '2026-06-12T01:24:47.401719+00:00'
                Failed (attempts remaining):
                  summary: >-
                    Wrong code — the user can retry; request_id here is a
                    one-off UUID
                  value:
                    request_id: 11111111-2222-3333-4444-555555555555
                    status: Failed
                    message: 'The verification code is incorrect. Attempts remaining: 2'
                    phone: null
                    vendor_data: user-1234
                    metadata: null
                    created_at: '2026-06-12T01:24:21.512340+00:00'
                Declined (max attempts):
                  summary: Third wrong code — verification finalized as Declined
                  value:
                    request_id: e39cb057-92fc-4b59-b84e-02fec29a0f24
                    status: Declined
                    message: >-
                      The verification code is incorrect. Maximum attempts
                      reached.
                    phone:
                      status: Declined
                      phone_number_prefix: '+1'
                      phone_number: '4155552671'
                      full_number: '+14155552671'
                      country_code: US
                      country_name: United States
                      carrier:
                        name: AT&T
                        type: mobile
                      is_disposable: false
                      is_virtual: false
                      verification_method: whatsapp
                      verification_attempts: 1
                      verified_at: null
                      warnings:
                        - feature: PHONE
                          risk: VERIFICATION_CODE_ATTEMPTS_EXCEEDED
                          additional_data: null
                          log_type: error
                          short_description: Verification code attempts exceeded
                          long_description: >-
                            The system detected that the phone number has
                            exceeded the maximum number of verification code
                            attempts.
                      lifecycle:
                        - type: PHONE_VERIFICATION_MESSAGE_SENT
                          timestamp: '2026-06-12T01:23:39.580554+00:00'
                          details:
                            status: Success
                            reason: null
                            channel: whatsapp
                            actual_channel: whatsapp
                          fee: 0.0709
                        - type: INVALID_CODE_ENTERED
                          timestamp: '2026-06-12T01:24:01.118220+00:00'
                          details:
                            code_tried: '111111'
                            status: Failed
                          fee: 0
                        - type: INVALID_CODE_ENTERED
                          timestamp: '2026-06-12T01:24:21.512340+00:00'
                          details:
                            code_tried: '222222'
                            status: Failed
                          fee: 0
                        - type: INVALID_CODE_ENTERED
                          timestamp: '2026-06-12T01:24:47.311201+00:00'
                          details:
                            code_tried: '333333'
                            status: Failed
                          fee: 0
                        - type: PHONE_VERIFICATION_DECLINED
                          timestamp: '2026-06-12T01:24:47.384292+00:00'
                          details:
                            reason: VERIFICATION_CODE_ATTEMPTS_EXCEEDED
                          fee: 0
                      matches: []
                    vendor_data: user-1234
                    metadata: null
                    created_at: '2026-06-12T01:24:47.401719+00:00'
                Declined (risk policy):
                  summary: >-
                    Correct code, but the line is VoIP and
                    voip_number_action=DECLINE
                  value:
                    request_id: 7f1c9d2e-44a1-4b6e-9a3e-5b8e6f1c2d3a
                    status: Declined
                    message: The verification code is correct.
                    phone:
                      status: Declined
                      phone_number_prefix: '+1'
                      phone_number: '5005550006'
                      full_number: '+15005550006'
                      country_code: US
                      country_name: United States
                      carrier:
                        name: CLEC LLC
                        type: voip
                      is_disposable: false
                      is_virtual: true
                      verification_method: sms
                      verification_attempts: 1
                      verified_at: '2026-06-12T01:24:47.311323Z'
                      warnings:
                        - feature: PHONE
                          risk: VOIP_NUMBER_DETECTED
                          additional_data: null
                          log_type: error
                          short_description: VoIP number detected
                          long_description: >-
                            The system detected that the phone number is a VoIP
                            number, which is not allowed.
                      lifecycle:
                        - type: PHONE_VERIFICATION_MESSAGE_SENT
                          timestamp: '2026-06-12T01:23:39.580554+00:00'
                          details:
                            status: Success
                            reason: null
                            channel: whatsapp
                            actual_channel: sms
                          fee: 0.0709
                        - type: VALID_CODE_ENTERED
                          timestamp: '2026-06-12T01:24:47.311201+00:00'
                          details:
                            code_tried: '123456'
                            status: Approved
                          fee: 0
                        - type: PHONE_VERIFICATION_DECLINED
                          timestamp: '2026-06-12T01:24:47.384292+00:00'
                          details:
                            reason: VOIP_NUMBER_DETECTED
                          fee: 0
                      matches: []
                    vendor_data: user-1234
                    metadata: null
                    created_at: '2026-06-12T01:24:47.401719+00:00'
                Expired or Not Found:
                  summary: >-
                    No pending verification for this number in the last 5
                    minutes
                  value:
                    request_id: 69cc35c6-280a-47a6-ab8c-4f32abc02ed0
                    status: Expired or Not Found
                    message: No pending phone verification found in the last 5 minutes.
                    vendor_data: null
                    metadata: null
                    created_at: '2026-06-12T01:24:47.311323+00:00'
        '400':
          description: >-
            Validation error — DRF's field-error envelope: one array of messages
            per offending field.
          content:
            application/json:
              examples:
                Invalid code format:
                  summary: '`code` is not 4–8 numeric digits'
                  value:
                    code:
                      - Invalid code format. Enter 4 to 8 numeric digits.
                Invalid phone number:
                  summary: '`phone_number` is not valid E.164'
                  value:
                    phone_number:
                      - Invalid phone number provided.
                Invalid action:
                  summary: Risk actions accept only NO_ACTION or DECLINE
                  value:
                    voip_number_action:
                      - '"REVIEW" is not a valid choice.'
        '403':
          description: >-
            Permission denied. Returned when the `x-api-key` header is missing,
            malformed, revoked, or belongs to another environment — this API
            never returns `401`. Checks are free, so there is no credit check
            here.
          content:
            application/json:
              examples:
                Missing or invalid API key:
                  summary: No `x-api-key` header, or the key is invalid/revoked
                  value:
                    detail: You do not have permission to perform this action.
        '429':
          description: >-
            Rate limit exceeded. All POST/PATCH/DELETE endpoints share a budget
            of 300 write requests per minute per API key. Additionally, an
            anti-abuse cap of 4 verification attempts per phone number per hour
            applies upstream. The response carries `X-RateLimit-Limit`,
            `X-RateLimit-Remaining`, `X-RateLimit-Reset`, and `Retry-After`
            headers. Note: the `X-RateLimit-*`/`Retry-After` headers accompany
            only the 300/min write-limit 429; the per-number cap 429 carries no
            rate-limit headers.
          content:
            application/json:
              examples:
                Per-number cap:
                  summary: >-
                    More than 4 verification attempts for the same number in the
                    last hour
                  value:
                    detail: >-
                      Maximum verification attempts reached for this phone
                      number. Only 4 authentication attempts are allowed per
                      hour. Try again later or use a different number.
                Write rate limit exceeded:
                  summary: More than 300 write requests in the current minute
                  value:
                    detail: >-
                      Write request rate limit exceeded. You can make up to 300
                      requests per minute.
              schema:
                type: object
                properties:
                  detail:
                    type: string
        '500':
          description: >-
            Unexpected failure while verifying the code upstream. Safe to retry;
            the attempt budget is only consumed by completed checks.
          content:
            application/json:
              examples:
                Provider error:
                  summary: Code verification could not be completed
                  value:
                    detail: Error checking phone verification
              schema:
                type: object
                properties:
                  detail:
                    type: string
      security:
        - ApiKeyAuth: []
      x-codeSamples:
        - lang: curl
          label: curl
          source: |-
            curl -X POST https://verification.didit.me/v3/phone/check/ \
              -H 'x-api-key: YOUR_API_KEY' \
              -H 'Content-Type: application/json' \
              -d '{
                "phone_number": "+14155552671",
                "code": "123456",
                "voip_number_action": "DECLINE"
              }'
        - lang: python
          label: Python
          source: >-
            import os, requests


            resp = requests.post(
                "https://verification.didit.me/v3/phone/check/",
                headers={
                    "x-api-key": os.environ["DIDIT_API_KEY"],
                    "Content-Type": "application/json",
                },
                json={
                    "phone_number": "+14155552671",  # same number as the send call
                    "code": "123456",
                    "voip_number_action": "DECLINE",
                },
                timeout=15,
            )

            resp.raise_for_status()

            result = resp.json()

            print(result["status"])  # Approved / Declined / Failed / Expired or
            Not Found

            if result["status"] in ("Approved", "Declined"):
                print(result["phone"]["carrier"], result["phone"]["is_virtual"])
        - lang: javascript
          label: JavaScript
          source: >-
            const res = await
            fetch('https://verification.didit.me/v3/phone/check/', {
              method: 'POST',
              headers: {
                'x-api-key': 'YOUR_API_KEY',
                'Content-Type': 'application/json',
              },
              body: JSON.stringify({
                phone_number: '+14155552671', // same number as the send call
                code: '123456',
                voip_number_action: 'DECLINE',
              }),
            });

            const data = await res.json();

            if (data.status === 'Approved') {
              // full phone report is in data.phone (carrier, is_virtual, matches, ...)
            }
components:
  schemas:
    PhoneVerificationCheckResponse:
      type: object
      properties:
        request_id:
          type: string
          format: uuid
          description: >-
            On `Approved`/`Declined`: the session id of the matched verification
            — identical to the `request_id` returned by `POST /v3/phone/send/`.
            On `Failed` and `Expired or Not Found`: a random one-off UUID that
            cannot be looked up later.
        status:
          type: string
          enum:
            - Approved
            - Declined
            - Failed
            - Expired or Not Found
          description: >-
            `Approved` — correct code, no declining risk. `Declined` — terminal:
            a declining risk matched or the attempt budget (3) was exhausted.
            `Failed` — wrong code, attempts remaining. `Expired or Not Found` —
            no pending verification for this number in the last 5 minutes.
        message:
          type: string
          description: >-
            Human-readable explanation of the outcome, including the number of
            attempts remaining after a wrong code.
        phone:
          type: object
          nullable: true
          description: >-
            Full phone report. Present (non-null) only on finalized outcomes
            (`Approved`/`Declined`); `null` on `Failed` and absent on `Expired
            or Not Found`.
          properties:
            status:
              type: string
              enum:
                - Approved
                - Declined
                - In Review
                - Not Finished
                - Expired
              description: >-
                Final status of the phone verification. Matches the top-level
                `status` for finalized checks.
            phone_number_prefix:
              type: string
              description: Country calling code with leading `+` (e.g., `+1`).
              example: '+1'
            phone_number:
              type: string
              description: National number without the country calling code.
              example: '4155552671'
            full_number:
              type: string
              description: Complete number in E.164 format.
              example: '+14155552671'
            country_code:
              type: string
              nullable: true
              description: ISO 3166-1 alpha-2 country of the number.
              example: US
            country_name:
              type: string
              description: Full country name derived from `country_code`.
              example: United States
            carrier:
              type: object
              description: >-
                Current network serving the number, from the carrier lookup run
                at finalization.
              properties:
                name:
                  type: string
                  description: >-
                    Carrier name. Empty string when the lookup could not
                    identify it.
                type:
                  type: string
                  description: >-
                    Line type reported by the lookup: `mobile`, `fixed_line`,
                    `voip`, `isp`, `vpn`, `toll_free`, `premium_rate`, `pager`,
                    `payphone`, `satellite`, `service`, `shared_cost`,
                    `short_codes_commercial`, `calling_cards`, `local_rate`,
                    `universal_access`, `voice_mail`, `other`, or `unknown`.
            is_disposable:
              type: boolean
              description: >-
                `true` when the number belongs to a temporary/burner number
                service.
            is_virtual:
              type: boolean
              description: '`true` when the line type is virtual (`voip`, `isp`, or `vpn`).'
            verification_method:
              type: string
              description: >-
                Channel that actually delivered the OTP once delivery is
                confirmed (e.g., `whatsapp`, `sms`); until then, the requested
                channel.
            verification_attempts:
              type: integer
              description: >-
                Number of OTP sends for this verification (1, or 2 after a
                retry).
            verified_at:
              type: string
              format: date-time
              nullable: true
              description: >-
                When the correct code was entered. `null` if the verification
                was never approved.
            warnings:
              type: array
              description: >-
                Risk warnings recorded during the verification (duplicate,
                disposable, VoIP, attempts exceeded, blocklist, etc.). Empty
                array when there are none.
              items:
                type: object
                properties:
                  feature:
                    type: string
                    description: Feature that produced the warning. Always `PHONE` here.
                  risk:
                    type: string
                    description: Machine-readable risk code.
                  additional_data:
                    type: object
                    nullable: true
                    description: >-
                      Risk-specific context (e.g., the duplicated session id for
                      duplicate risks). `null` when the risk carries no extra
                      data.
                  log_type:
                    type: string
                    enum:
                      - error
                      - warning
                      - information
                    description: >-
                      Severity. `error` risks decline the verification,
                      `warning` flags it for review, `information` is recorded
                      without affecting the status.
                  short_description:
                    type: string
                    description: Human-readable one-line summary of the risk.
                  long_description:
                    type: string
                    description: Human-readable explanation of the risk.
            lifecycle:
              type: array
              description: >-
                Chronological audit trail of the verification. Event `type` is
                one of `PHONE_VERIFICATION_MESSAGE_SENT`,
                `PHONE_VERIFICATION_RETRY_MESSAGE_SENT`,
                `PHONE_VERIFICATION_BLOCKED`, `PHONE_DELIVERY_DELIVERED`,
                `PHONE_DELIVERY_UNDELIVERABLE`, `VALID_CODE_ENTERED`,
                `INVALID_CODE_ENTERED`, `PHONE_VERIFICATION_APPROVED`,
                `PHONE_VERIFICATION_DECLINED`, `PHONE_VERIFICATION_IN_REVIEW`,
                `PHONE_VERIFICATION_EXPIRED`.
              items:
                type: object
                properties:
                  type:
                    type: string
                    description: Event type.
                  timestamp:
                    type: string
                    format: date-time
                    description: When the event happened.
                  details:
                    type: object
                    nullable: true
                    description: >-
                      Event-specific payload. Send events: `{status, reason,
                      channel, actual_channel}` (`actual_channel` is filled once
                      delivery is confirmed). Delivery events: `{channel,
                      status}`. Code-entry events: `{code_tried, status}`.
                      Final-status events: `null`, or `{reason}` when declined
                      or in review.
                  fee:
                    type: number
                    description: >-
                      USD amount billed for this event. Non-zero only on send
                      events (the delivery price); 0 for code entries, delivery
                      confirmations, and status events.
            matches:
              type: array
              description: >-
                Other sessions of your application (KYC, KYB, or API) where the
                same phone number was used by a different user (different
                `vendor_data`). Up to 5 entries, a synthetic list-entry
                blocklist match first when present (session-derived matches keep
                query order). Empty array when there are no matches.
              items:
                type: object
                properties:
                  session_id:
                    type: string
                    format: uuid
                    description: >-
                      Session id of the other verification that used this phone
                      number.
                  session_number:
                    type: integer
                    description: Human-friendly sequential number of that session.
                  vendor_data:
                    type: string
                    nullable: true
                    description: '`vendor_data` of that session.'
                  verification_date:
                    type: string
                    description: When that session was created (`YYYY-MM-DDTHH:MM:SSZ`).
                  phone_number:
                    type: string
                    description: The matched phone number.
                  status:
                    type: string
                    description: >-
                      Status of that session (e.g., `Approved`, `Declined`, `In
                      Progress`).
                  is_blocklisted:
                    type: boolean
                    description: >-
                      Whether the phone number is on your application's
                      blocklist.
                  api_service:
                    type: string
                    nullable: true
                    description: >-
                      For API-type sessions, the standalone API that created it
                      (e.g., `PHONE_VERIFICATION`); `null` for regular
                      verification sessions.
                  source:
                    type: string
                    description: >-
                      Where the match was found. Usually `session`; a blocklist
                      hit via an organization list entry prepends a synthetic
                      match with `source: "list_entry"` and null
                      `session_id`/`session_number`.
        vendor_data:
          type: string
          nullable: true
          description: >-
            `vendor_data` of the matched verification's session. `null` on
            `Expired or Not Found`.
        metadata:
          type: object
          nullable: true
          description: >-
            `metadata` of the matched verification's session. `null` on `Expired
            or Not Found`.
        created_at:
          type: string
          format: date-time
          description: Timestamp of this check response.
  securitySchemes:
    ApiKeyAuth:
      type: apiKey
      in: header
      name: x-api-key

````