Back to Blog
Phone Validation API Guide: Endpoints, Response Fields, and Best Practices
Tutorial
May 29, 2026
9 min

Phone Validation API Guide: Endpoints, Response Fields, and Best Practices

PT

PilotLookup Team

Author

1. What a Phone Validation API Does Under the Hood

A phone validation API accepts a phone number as input, queries carrier databases to determine whether the number is active, who currently carries it, and what type of line it is, then returns that data as structured JSON. For US numbers, the best APIs query the Number Portability Administration Center (NPAC) — the national database that tracks carrier assignments after number porting — updated daily. The result is a response that reflects the current state of the number, not just its original assignment.

The query happens in milliseconds. Edge-hosted infrastructure resolves the carrier database lookup and returns a structured response within approximately 100ms in most cases. That's fast enough to call synchronously in a user-facing signup or checkout flow without any noticeable impact on perceived performance.

This guide covers the complete technical interface for the PilotLookup phone validation API: how to authenticate, how to format requests, what every field in the response means, how to handle errors, and what patterns separate a working integration from a production-ready one.

2. Authentication

The PilotLookup API uses Bearer token authentication. Your API key is included in the Authorization header on every request.

Authorization: Bearer YOUR_API_KEY

API keys are generated and managed from your dashboard at pilotlookup.net/dashboard/api-keys. Follow these practices for every environment:

  • Store the key in an environment variable (e.g. PILOTLOOKUP_API_KEY), never hardcoded in source code or checked into a repository
  • Rotate the key immediately if it is ever committed to version control or exposed in logs
  • Use separate keys for development and production environments
  • Never expose the API key in client-side JavaScript — all calls must originate from your server

3. The Endpoint

GET https://www.pilotlookup.net/api/validate

The API uses a single GET endpoint. The phone number is passed as a query parameter. There is no POST body. The response is always JSON with a Content-Type: application/json header. Every successful request returns HTTP 200 with the validation result in the body.

4. Request Parameters

Parameter Type Required Description
phone string Yes The US phone number to validate. Accepts 10-digit format (2032145454), E.164 without the plus (12032145454), or full E.164 (+12032145454). Non-digit characters are stripped automatically.

The API is tolerant of common formatting variations — dashes, spaces, parentheses, and dots are all stripped before processing. However, running your own normalization before submitting is best practice: strip non-digits, handle the optional leading 1, and verify NANP rules before calling the API. This reduces the chance of edge-case formatting triggering a 400 error and ensures consistent input regardless of how users enter their number.

Example requests:

# cURL
curl 'https://www.pilotlookup.net/api/validate?phone=2032145454' \
  -H 'Authorization: Bearer YOUR_API_KEY'
 
# With formatting characters (auto-stripped)
curl 'https://www.pilotlookup.net/api/validate?phone=(203)%20214-5454' \
  -H 'Authorization: Bearer YOUR_API_KEY'

5. Response Fields: Complete Reference

A successful response returns HTTP 200 with the following JSON structure:

{
  "phone":     "+12032145454",
  "valid":     true,
  "carrier":   "T-Mobile",
  "line_type": "mobile",
  "city":      "Bridgeport",
  "state":     "CT"
}
Field Type Always present? Description
phone string Yes The normalized E.164 representation of the submitted number (+1XXXXXXXXXX). Store this value rather than the raw user input.
valid boolean Yes true if the number is assigned to an active subscriber at a recognized US carrier. false if the number is unassigned, disconnected, or not a valid US number.
carrier string When valid The name of the carrier currently holding the number, accounting for number portability. Examples: AT&T, Verizon, T-Mobile, Google Voice, Twilio. May be null when valid is false.
line_type string When valid The type of line. Possible values: mobile, landline, voip, toll-free, unknown. The value unknown is returned when the line type cannot be determined from available carrier data.
city string When valid The city associated with the NPA-NXX assignment. Reflects the original geographic assignment of the number range, not the subscriber's current location. Ported numbers may show a city that no longer matches the subscriber's actual location.
state string When valid Two-letter US state code associated with the NPA-NXX assignment. Same geographic caveat as city.

line_type values: what they mean for your logic

Value Can receive SMS? Fraud risk Recommended action
mobile Yes Low Proceed normally
landline No Low Warn user; offer alternative verification method
voip Yes Elevated Flag for review; require additional verification
toll-free No High (user error or abuse) Reject or flag at entry
unknown Uncertain Unclear Treat as lower-confidence mobile; log for review

6. Error Codes and Handling

HTTP status Meaning Recommended action
200 Success — response body contains validation result Process the JSON response normally
400 Bad request — missing or malformed phone parameter Fix input validation upstream; do not retry with the same input
401 Unauthorized — missing or invalid API key Check key is present and correctly formatted; do not retry
402 Payment required — insufficient credits Purchase additional credits; alert your ops or engineering team
429 Rate limit exceeded Back off and retry with exponential delay; reduce concurrency in bulk jobs
500 Server error Retry after a short delay; implement fallback if persistent
503 Service unavailable Check the status page; activate your fallback logic

7. Production Best Practices

Always run format validation before the API call

Strip non-digits, check that the result is 10 digits (or 11 with a leading 1), and verify basic NANP rules (first digit of NPA and NXX must be 2–9) before calling the API. This catches 5–15% of invalid submissions for free, reducing credit consumption and protecting you from submitting garbage input that triggers a 400 error.

Set a request timeout

Always set a timeout on your API calls — 5 seconds is a reasonable upper bound for a real-time use case. Without a timeout, a slow API response can hang your request handler indefinitely. In most HTTP clients this is a one-liner: timeout: 5000 in Node.js fetch, timeout=5 in Python requests, CURLOPT_TIMEOUT: 5 in PHP cURL.

Cache results by normalized number

Carrier data for a given number changes slowly — typically only when the subscriber ports. Caching results keyed by the normalized E.164 number with a TTL of 24 hours is safe and can significantly reduce credit consumption for high-repeat-submission scenarios, such as the same user attempting signup multiple times or a shared office phone number being submitted by multiple people.

Build a graceful fallback

When the API is unavailable (503) or your credits are exhausted (402), decide in advance whether to fail open or fail closed. For most consumer signup flows, failing open with elevated risk flags logged is better than blocking all signups. For high-security flows in financial or healthcare contexts, failing closed and surfacing a clear error message to users is preferable. Either way, the decision should be made before the incident, not during it.

Store the enriched data, not just valid or invalid

Store carrier, line_type, state, and validated_at alongside the phone number in your database. This data becomes useful later for campaign segmentation, fraud investigation, and re-validation without additional API calls. It also makes compliance audits easier — you can show exactly when a number was validated and what its status was at the time.

8. Common Integration Patterns

Pattern 1: Synchronous signup gate

Call the API server-side when the signup form is submitted, before creating the user record. Return a 422 to the client if valid is false, with a user-friendly error message. Proceed with enriched data — carrier, line_type, state — stored on the user record if valid. This is the simplest pattern and the right default for most SaaS products.

Pattern 2: Asynchronous enrichment

Accept the phone number at signup without blocking on validation. Queue a background job to call the validation API and write results back to the user record. Use a webhook or event to trigger risk scoring logic once validation completes. Suitable for lower-risk flows where you want zero latency impact on signup and can tolerate a short window where the number hasn't been validated yet.

Pattern 3: Bulk hygiene job

Query all phone records in your database where validated_at IS NULL or validated_at < NOW() - INTERVAL '90 days'. Process in batches of 100–500 with controlled concurrency — 10 concurrent requests is a safe default. Write results back to the database. Schedule to run during off-peak hours to avoid interfering with production traffic.

Ready to Integrate?

Get your API key, run 10 free lookups, and have a working integration before end of day.

Get Your API Key →

API Docs · support@pilotlookup.net · 1-888-370-6801

phone validation api api reference endpoints response fields error handling rest api developer guide carrier lookup best practices
Tags:
phone validation api
api reference
endpoints
response fields
error handling
rest api
developer guide
carrier lookup
best practices