Checking - did the client really activate mail by phone number?
I am developing a secure application on Node.js.
In fact, Node.js can send any request to mail services (and websites).
Is it legal to make such a password recovery request on the email entered by the user and use this to check if his mail is tied to a phone number?
Are there other ways to do this check? (I did not find an API that provides such an opportunity)
And on some services (for example, Yandex) you need to enter a captcha in order to send a request for recovery. Is it possible to bypass it with another request for a repass link or redirect the image to the user, read the response and return it?
Also, in fact, will there be a conflict with captchas from those services (the same mail) where it is not necessary to enter one initially, but after several attempts it will be required (maybe the service has some kind of memorization of incoming requests and a subsequent attempt to reflect them; conjectures...)?