android - Yii2 + Stateless RESTful API + Mobile App: How to prevent abuse when app offers option to send verification via SMS


I have built a mobile app using AngularJS/Ionic, and a website/API using Yii2. In the app, users have the option to request a verification code via SMS.

Here's the app flow:

  1. The user signs up on the mobile app.
  2. The API registers the user, generates a welcome email containing a verification code, and returns an access token; access tokens are valid for 14 days.
  3. The user can request a new code via SMS.

My API is stateless and implements HTTP Bearer auth, Basic auth, and rate limiting. Currently, the rate limit is 75 calls in 10 minutes.

So, here are my questions:

  1. Can I restrict access to the API so that only calls made from the mobile app are allowed?
  2. What can be done to prevent API abuse, i.e. sending SMS messages to random phone numbers?
  3. How can I validate that the phone number entered belongs to the user?

The problem: if the API endpoints are discovered and valid credentials are supplied, SMS messages can be sent to any phone number. Also, in the app, a person can input any phone number and an SMS delivery attempt will be made to that number.

I have seen many apps offer an SMS feature, but I'm not sure how best to approach it.

I would appreciate your thoughts on this.

Cheers, Mike
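One way to address questions 2 and 3 above (throttling SMS sends per user *and* per destination number, then proving ownership of the number by a code round-trip), as an added example that is not part of the question or of Yii2. It is written in Python rather than PHP so it runs stand-alone; the logic is framework-independent and ports directly to a Yii2 controller action backed by the cache or a DB table. The in-memory store, the `send_sms` gateway callback, the phone normalization and all numeric limits are assumptions:

```python
"""Throttling and phone-ownership logic for an SMS verification endpoint.

Added example, not from the question or from Yii2.  Assumptions: an in-memory
dict/deque stands in for the cache or DB table a stateless API would use,
`send_sms` is a hypothetical gateway callback, and the limits are illustrative.
"""
import hmac
import secrets
import time
from collections import defaultdict, deque

# Illustrative limits (assumptions; tune to real traffic).
PER_USER_LIMIT = (3, 600)    # max 3 SMS per authenticated user per 10 minutes
PER_PHONE_LIMIT = (3, 3600)  # max 3 SMS per destination number per hour, any user
CODE_TTL = 300               # a code is valid for 5 minutes
MAX_ATTEMPTS = 5             # wrong guesses before the code is discarded


def normalize_phone(raw: str) -> str:
    """Reduce input to '+digits' so '+1 (555) 010-0001' and '15550100001' share
    one rate-limit bucket.  Length bounds follow E.164 (max 15 digits)."""
    digits = "".join(ch for ch in raw if ch.isdigit())
    if not 8 <= len(digits) <= 15:
        raise ValueError("invalid phone number")
    return "+" + digits


class SlidingWindowLimiter:
    """Per-key event counter over a trailing window (stand-in for Redis/DB)."""

    def __init__(self):
        self.events = defaultdict(deque)

    def count(self, key, window, now):
        q = self.events[key]
        while q and q[0] <= now - window:   # drop events outside the window
            q.popleft()
        return len(q)

    def record(self, key, now):
        self.events[key].append(now)


class SmsVerifier:
    def __init__(self, send_sms):
        self.send_sms = send_sms
        self.limiter = SlidingWindowLimiter()
        self.pending = {}   # user_id -> {"phone", "code", "expires", "attempts"}
        self.verified = {}  # user_id -> phone proven to be under the user's control

    def request_code(self, user_id, raw_phone, now=None):
        now = time.time() if now is None else now
        phone = normalize_phone(raw_phone)
        # Check both buckets before consuming either: the per-user limit caps one
        # account, the per-phone limit caps what *any* set of accounts can send
        # to a number that never asked for it.
        limit_u, win_u = PER_USER_LIMIT
        limit_p, win_p = PER_PHONE_LIMIT
        if self.limiter.count(("user", user_id), win_u, now) >= limit_u:
            return "throttled_user"
        if self.limiter.count(("phone", phone), win_p, now) >= limit_p:
            return "throttled_phone"
        self.limiter.record(("user", user_id), now)
        self.limiter.record(("phone", phone), now)
        code = f"{secrets.randbelow(10**6):06d}"   # CSPRNG, not random.randint
        # A new request replaces any earlier pending code for this user.
        self.pending[user_id] = {"phone": phone, "code": code,
                                 "expires": now + CODE_TTL, "attempts": 0}
        self.send_sms(phone, f"Your verification code is {code}")
        return "sent"

    def verify_code(self, user_id, code, now=None):
        now = time.time() if now is None else now
        entry = self.pending.get(user_id)
        if entry is None:
            return "no_pending_code"
        if now > entry["expires"]:
            del self.pending[user_id]
            return "expired"
        entry["attempts"] += 1
        if entry["attempts"] > MAX_ATTEMPTS:   # stops brute-forcing a 6-digit code
            del self.pending[user_id]
            return "too_many_attempts"
        if not hmac.compare_digest(entry["code"], str(code)):
            return "wrong_code"
        del self.pending[user_id]
        # Ownership is bound to the number the code was actually sent to, not to
        # whatever number the client submits alongside the code.
        self.verified[user_id] = entry["phone"]
        return "verified"


def demo():
    """Run the flow against a recording fake gateway; returns the outcomes."""
    sent = []
    v = SmsVerifier(send_sms=lambda phone, msg: sent.append((phone, msg)))
    t0 = 1_700_000_000.0
    out = {}
    for i, label in enumerate(["first", "second", "third", "fourth"]):
        out[label] = v.request_code("alice", "+1 (555) 010-0001", now=t0 + i)
    # A second account (the leaked-credentials scenario) aims at the same number.
    out["other_user"] = v.request_code("mallory", "15550100001", now=t0 + 4)
    code = sent[-1][1].split()[-1]
    wrong = "000000" if code != "000000" else "000001"
    out["wrong"] = v.verify_code("alice", wrong, now=t0 + 5)
    out["right"] = v.verify_code("alice", code, now=t0 + 6)
    out["bound_phone"] = v.verified.get("alice")
    return out


if __name__ == "__main__":
    for k, val in demo().items():
        print(f"{k:12s} {val}")
```

The per-phone bucket is keyed on the destination number regardless of which account asks, so a set of valid credentials hitting a discovered endpoint is still capped per victim number, and the code stays bound to the number it was sent to, so a correct code proves control of that number and nothing else. Question 1 is not something this code addresses: anything embedded in a mobile app (keys, headers, certificates) can be extracted and replayed, so server-side limits like these are what actually bound the damage.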


Comments