Skip to main content
The OTP API sends one-time passcodes to a phone number over SMS or voice, and verifies them. It’s transactional — no marketing consent, quiet hours or frequency caps — but still wallet-gated and sender-ID checked. Both endpoints authenticate with the X-Sender-Tenant + X-API-Key headers.

Send a code

Body

phone
string
required
Recipient phone number (max 32). Israeli-local or E.164 is normalised to +972….
channel
string
default:"sms"
sms or voice. Voice speaks the code digit by digit.
message
string
Custom message template (max 320). Use {{code}} where the code should appear.
senderId
string
SMS sender ID / caller ID (max 11). Must be an approved sender ID; defaults to the platform pool.

Response

verificationId
string
Pass this back to /otp/verify.
channel
string
The channel used (sms or voice).
expiresInSeconds
integer
Code lifetime — 300 (5 minutes).
segments
integer
SMS segment count for the message (wallet debit unit).
Send is wallet-gated. If your SMS credit balance is empty it returns 402 Insufficient SMS credits. There’s also a per-phone cap of 5 sends per 10 minutes (429).

Verify a code

Body

verificationId
string
required
The ID returned by /otp/send (max 64).
code
string
required
The code the user entered (max 12).

Response

verified
boolean
true if the code matched and was within the window.
reason
string
Present when verified is false: expired_or_unknown, code_mismatch, or too_many_attempts.
The code is stored only as a hash with a 5-minute TTL and a maximum of 5 verify attempts — it’s never returned or logged.