OTP SMS API

Send OTP Codes via SMS in Under 3 Seconds

Deliver one-time passwords to users in 190+ countries. Simple REST API, direct carrier routes, under 200ms API response time. No SDK required.

Your MyApp verification code is: 847392. Valid for 10 minutes. Do not share this code.

How OTP SMS Works

Five simple steps from login attempt to verification.

1. User Initiates Login or Action

User enters their phone number and attempts to log in or confirm a sensitive action (payment, password change, etc.).

2. Server Generates Secure Code

Your backend generates a random 6-8 digit code using cryptographically secure randomness and stores it server-side (Redis or database) with a 5–10 minute expiry.

3. SMSPM Delivers SMS

Your app calls SMSPM's API with the phone number and code. SMSPM routes the message through direct carrier connections and delivers it in under 3 seconds.

4. User Receives & Enters Code

The message arrives on the user's phone instantly. The user reads it and enters the 6-digit code into your app (typically in an input field that auto-focuses).

5. Server Validates & Grants Access

Your backend compares the user-submitted code with the stored code. If they match and the code has not expired, delete the code and grant access. If verification fails, reject the attempt and allow a retry (with rate limiting).

Validate Phone Numbers Before Sending OTP

Before you send an OTP SMS, make sure the phone number is valid and formatted correctly. Invalid numbers waste credits, annoy users, and generate failed delivery reports.

  • Validate format: Accept E.164 format (+37256789045) to ensure international compatibility
  • Reject obviously bad numbers: Filter out numbers with too few digits, non-numeric characters, or blocked country codes
  • Rate limit per phone: Allow only 3–5 OTP requests per phone number per hour to prevent abuse
  • Strip common formatting: Convert +1 (234) 567-8901 → +12345678901 before sending

Invalid formats:

  • 1234567890 (no country code)
  • +1-234-567-8901 (dashes and special chars)
  • +1 234 567 8901 (spaces)
  • 0234567890 (leading zero, not E.164)

Valid format (E.164):

  • +12345678901
  • +37256789045
  • +86-10-1234-5678 → +861012345678
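
The checks listed above, combined into one gate that runs before the send call. This is an added example, not SMSPM code: the function and class names, the 8-digit minimum, the limit of 3 per hour and the blocked-prefix parameter are assumptions. Numbers the page lists as invalid only because of formatting are normalized; numbers without a country code are rejected.

```javascript
// Added example: limits, names and the blocked-prefix list are assumptions.
const MIN_DIGITS = 8;   // assumed floor; E.164 itself only sets the maximum
const MAX_DIGITS = 15;  // E.164 maximum, country code included

// Returns the number in E.164 form, or null when it cannot be made valid.
function normalizeE164(input, blockedPrefixes = []) {
  const raw = String(input).trim();
  if (!raw.startsWith('+')) return null;               // no country code
  const rest = raw.slice(1);
  if (/[^\d\s().-]/.test(rest)) return null;           // letters, second '+', etc.
  const digits = rest.replace(/\D/g, '');              // strip spaces, dashes, parens
  if (digits.length < MIN_DIGITS || digits.length > MAX_DIGITS) return null;
  if (digits[0] === '0') return null;                  // country codes never start with 0
  const e164 = '+' + digits;
  if (blockedPrefixes.some((p) => e164.startsWith(p))) return null;
  return e164;
}

// Sliding window: at most `limit` OTP sends per number per `windowMs`.
class OtpRequestLimiter {
  constructor(limit = 3, windowMs = 60 * 60 * 1000) {
    this.limit = limit;
    this.windowMs = windowMs;
    this.sent = new Map();                             // e164 -> send timestamps
  }
  allow(e164, now = Date.now()) {
    const recent = (this.sent.get(e164) || []).filter((t) => now - t < this.windowMs);
    const ok = recent.length < this.limit;
    if (ok) recent.push(now);
    this.sent.set(e164, recent);
    return ok;
  }
}

// Gate to run before calling the SMS API. The limiter is keyed on the
// normalized number, so reformatting the same number does not reset the count.
function checkOtpRequest(input, limiter, now = Date.now(), blockedPrefixes = []) {
  const phone = normalizeE164(input, blockedPrefixes);
  if (!phone) return { ok: false, reason: 'invalid_number' };
  if (!limiter.allow(phone, now)) return { ok: false, reason: 'rate_limited' };
  return { ok: true, phone };
}
```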

Send OTP in 10 Lines of Code

SMSPM's API works with any language. Below is a complete OTP send with a cryptographically secure code. Swap the credentials and go.

  • No SDK or library required
  • Works from any backend (Node, Python, PHP, Go...)
  • Delivery confirmation via webhook
  • 190+ countries, one endpoint
JavaScript — send-otp.js
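import { randomInt } from 'crypto';
import { createClient } from 'redis'; // node-redis v4+, whose set() takes { EX }

// Assumed setup: a connected Redis client and an already-validated E.164 number
const redis = createClient();
await redis.connect();
const phone = '+37256789045';

// 1. Generate a secure 6-digit OTP
//    (randomInt's upper bound is exclusive, so 1000000 keeps 999999 possible)
const code = String(randomInt(100000, 1000000));

// 2. Store it server-side with expiry (600 s = 10 minutes)
await redis.set(`otp:${phone}`, code, { EX: 600 });

// 3. Send via SMSPM
//    The credentials travel in the query string, so keep this URL out of logs
const params = new URLSearchParams({
  hash:       process.env.SMSPM_HASH,
  token:      process.env.SMSPM_TOKEN,
  toNumber:   phone,         // +37256789045
  fromNumber: 'MyApp',
  text:       `Your code: ${code}. Valid 10 min.`
});

const { status } = await fetch(
  `https://api.smspm.com?${params}`
).then(r => r.json());

// status === 'success' means the API accepted the message
// Use the DLR webhook to confirm delivery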

Everything You Need for Production OTP

Beyond just sending — a complete delivery infrastructure.

Sub-200ms API Response

The API accepts your send request and returns a message ID in under 200ms. Delivery to handset is typically under 3 seconds.

190+ Countries

Direct carrier routes to 190+ countries. One API call handles routing — no need to manage per-country providers.

Delivery Reports

Receive webhook callbacks when messages are delivered, failed, or expire. Know exactly which OTPs reached the handset.

No Shared Queues

Your OTP traffic is not mixed with low-priority bulk SMS queues. Transactional messages get priority routing.

Pay Per SMS

No monthly fee, no minimum. Credits never expire. Most EU OTP sends cost under €0.05 per message.

Full Docs & Examples

Code examples in JavaScript, Python, PHP, cURL. Integration guide with rate limiting, retry logic, and Redis patterns.

SMS OTP Security: Vulnerabilities & Best Practices

SMS OTP is convenient but not bulletproof. Here's what you need to know.

⚠️ Known Vulnerabilities

  • SIM Swapping: Attackers convince the telecom to port your phone number to their SIM, letting them intercept SMS codes. Targets: high-value accounts, celebrities.
  • Interception on Roaming: International roaming can route SMS through unfamiliar networks, which carries a risk of man-in-the-middle interception (though rare).
  • Phishing: Users can be tricked into entering OTP codes on fake login pages that record them.
  • Network-Based Attacks: 2G networks (GSM) are vulnerable to IMSI catchers in some regions. Modern 4G/5G is more secure.
  • Slow Delivery: Network congestion can delay SMS; codes expire while in transit, forcing re-sends.

✅ Best Practices to Mitigate Risk

  • Always pair SMS with a secondary method: Email confirmation, security questions, or an authenticator app as a fallback.
  • Rate-limit OTP requests: Block users requesting >5 codes per hour to slow down brute-force attacks.
  • Short expiry (5–10 min): Codes must expire quickly; don't store codes in client-side storage.
  • One-time use: Delete the code immediately after successful verification; don't reuse it.
  • Log login attempts: Track and alert users of suspicious login locations or devices.
  • Consider TOTP for high-risk accounts: Offer authenticator apps (Google Authenticator, Authy) as an alternative to SMS.

Bottom line: SMS OTP is still secure for most use cases (banking, e-commerce, SaaS). It's convenient and user-friendly. But for ultra-high-security scenarios (crypto wallets, admin accounts), recommend TOTP or hardware keys as primary 2FA.
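
Step 5 of the flow and the expiry, one-time-use and retry-limit practices above, as server-side verification logic. This is an added example, not SMSPM code: `OtpStore`, its return values and the cap of 5 wrong guesses per code are assumptions, and a `Map` stands in for Redis so the block runs offline.

```javascript
// Added example: OtpStore, its limits and return values are assumptions.
const TTL_MS = 10 * 60 * 1000;  // 10-minute expiry, matching the send example
const MAX_ATTEMPTS = 5;         // assumed cap on wrong guesses per issued code

// Compare every character instead of stopping at the first mismatch.
// In Node, crypto.timingSafeEqual on equal-length Buffers does the same job.
function constantTimeEqual(a, b) {
  if (a.length !== b.length) return false;  // the code length is not secret
  let diff = 0;
  for (let i = 0; i < a.length; i++) diff |= a.charCodeAt(i) ^ b.charCodeAt(i);
  return diff === 0;
}

class OtpStore {
  constructor() {
    this.entries = new Map();  // phone -> { code, expiresAt, attempts }
  }

  // A new code replaces any earlier one, so only the latest SMS is valid.
  issue(phone, code, now = Date.now()) {
    this.entries.set(phone, { code, expiresAt: now + TTL_MS, attempts: 0 });
  }

  // Returns 'ok', 'wrong', 'locked', 'expired' or 'no_code'.
  verify(phone, submitted, now = Date.now()) {
    const entry = this.entries.get(phone);
    if (!entry) return 'no_code';
    if (now >= entry.expiresAt) {
      this.entries.delete(phone);
      return 'expired';
    }
    if (constantTimeEqual(String(submitted), entry.code)) {
      this.entries.delete(phone);  // one-time use: a replay finds nothing
      return 'ok';
    }
    // Limiting sends per hour does not bound guesses against one code,
    // so wrong attempts are counted per issued code as well.
    entry.attempts += 1;
    if (entry.attempts >= MAX_ATTEMPTS) {
      this.entries.delete(phone);  // burn the code; a new one must be requested
      return 'locked';
    }
    return 'wrong';
  }
}
```

With Redis as the store, run the read, compare and delete as one atomic step (a Lua script, for example) so two concurrent requests cannot both succeed on the same code.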

OTP SMS vs TOTP vs Push Authentication

Choose the right 2FA method for your users.

| Method | SMS OTP | TOTP (Google Auth, Authy) | Push Notifications |
|---|---|---|---|
| Requires Internet | | | |
| User Experience | Simple, familiar | Medium (separate app) | One-tap confirm |
| Recovery if Lost | Backup SMS code | Backup codes only | Backup codes only |
| Security Level | Medium (SIM swap risk) | High (device-based) | High (real-time approval) |
| Cost | €0.02–0.10 per OTP | Free (user's device) | Low (in-app push) |
| Best For | First login, password reset | High-security accounts | Frictionless 2FA |
| Adoption Rate | 90%+ (everyone has SMS) | 40-60% (requires setup) | 30-50% (requires app) |

Recommendation: Use SMS OTP as the default to maximize adoption. Offer TOTP as an optional upgrade for users who want extra security. For critical financial actions (transfers, password changes), require SMS + TOTP.

Frequently Asked Questions

How fast are OTP SMS messages delivered?

SMSPM routes OTP messages through direct carrier connections. Average delivery time is under 3 seconds for online handsets in major markets. Response time from the API is under 200ms.

Can SMSPM send OTP to international numbers?

Yes — SMSPM covers 190+ countries with direct carrier routes. You send to a single API endpoint; SMSPM handles routing to the local carrier automatically.

What sender ID should I use for OTP messages?

For best results, use a short alphanumeric sender like your app or company name (e.g. 'MyApp'). Some countries require a numeric sender ID — check the coverage page for country-specific rules.

How many characters should an OTP SMS be?

Keep your OTP message under 160 characters (GSM-7) to send as a single SMS part. A typical 'Your code is 847392. Valid 10 min.' message is well within one part.

Do I need to store OTP codes server-side?

Yes — always. Never send the code back to the client or store it in browser storage. Keep it server-side (Redis or database) with a short TTL (5–10 minutes) and delete it after a successful verification.

Ready to Send OTP SMS?

Create a free account, get test credits, and have your first OTP sending in under 15 minutes.