One-Time Passcodes (OTPs) are a simple and effective way to verify someone's phone number at sign up for ongoing login verification, preventing bots, ensuring deliverability to the right person, and more.
Phone number verification can decrease fraud and increase deliverability and trust. Luckily the Twilio Verify API makes it easy to send and check OTPs. Let's see how to get started with Verify in under 5 minutes.
Prerequisites for sending One-Time Passcodes
Before you can send an OTP you'll need:
- A Twilio account - sign up or sign in
- A Verify Service which you can create in the Twilio console. The Service Name will appear in the SMS body but you can always edit it later.
Copy your Service SID (starts with VA).
Send the SMS OTP
Copy the following code for the Verifications
endpoint and replace the placeholders with:
- Your Verify Service SID created above
- Your phone number for testing
- Your Twilio Account SID and Auth Token (located on the main page of the Console)
# code samples in more languages: twilio.com/docs/verify/api/verification
curl -X POST "https://verify.twilio.com/v2/Services/$VERIFY_SERVICE_SID/Verifications" \
--data-urlencode "To=$YOUR_PHONE_NUMBER" \
--data-urlencode "Channel=sms" \
-u $TWILIO_ACCOUNT_SID:$TWILIO_AUTH_TOKEN
Execute the request and you will receive an SMS OTP.
Check the SMS OTP
Verify makes it easy to both send and check the OTP. Copy the following code for the VerificationCheck
endpoint and replace the placeholders with:
- Your Verify Service SID created above
- The phone number you used in the last step
- The code you received
- Your Twilio Account SID and Auth Token (located on the main page of the Console)
# code samples in more languages: twilio.com/docs/verify/api/verification-check
curl -X POST "https://verify.twilio.com/v2/Services/$VERIFY_SERVICE_SID/VerificationCheck" \
--data-urlencode "To=$YOUR_PHONE_NUMBER" \
--data-urlencode "Code=1234567" \
-u $TWILIO_ACCOUNT_SID:$TWILIO_AUTH_TOKEN
Execute the request; you should see status: "approved"
with the correct OTP. The status will remain "pending" if you provide an incorrect OTP.
It's really that easy!
[Optional] Quick Deploy a Twilio Verify application
Make sure you're logged in to Twilio and head over to Twilio's Code Exchange for the One-Time Passcode verification project and paste in your Verify Service SID:
Next, click "Deploy my application". After a few seconds you should see a button to launch the live application: click that to go to your new Verify application.
Enter your phone number and hit Verify
to test it out -- now you have a sample application to share and play around with!
How to use Verify OTPs in your application
You might have noticed that this doesn't actually protect anything, but if you're like me, you love having code to copy and modify. These examples give you the following building blocks:
- International telephone input (more details in this post)
- Sending an OTP
- Checking an OTP
You could use this as the basis to send and check verifications in your own application. The email channel requires a smidge more setup but all of the instructions are outlined in the documentation.
Learn more about getting started with Verify with the following resources:
- How Verify Fraud Guard protects you from SMS pumping
- How to test the Verify API without getting rate limited
- Migrating from Programmable Messaging to Verify
- Verify API reference documentation
I can't wait to see what you build and secure!