How-To Guide

Send self-hosted OTP from your own SIM

One-time passcodes do not need an expensive verification API. With a self-hosted gateway you generate codes in your own backend and deliver them from your own number — keeping control of both the secret and the channel.

Why self-host your OTP

Verification messages are sensitive: the code is a short-lived secret, and the number it comes from shapes whether users trust it. Routing OTPs through a third-party aggregator means handing both to someone else and paying a premium per message. Generating codes yourself and sending them through your own SIM keeps the secret in your systems, sends from a number your users recognise, and costs only what your mobile plan already charges.

Step 1 — Generate the code

In your backend, create a short random numeric code — six digits is typical. Store a hash of the code (never the plain value) alongside the user identifier, an expiry timestamp a few minutes out, and an attempt counter. Treat the code like a password: it should be single-use and short-lived.

Step 2 — Send it through the gateway

Send the code with a single authenticated POST to the REST API — the recipient's number and a short message such as "Your code is 123456 (valid 5 minutes)." The paired phone delivers it from your own number within seconds. Keep the wording clear and avoid links, which can trip spam filters. Request and response shapes are in the REST API reference.

Step 3 — Verify the entry

When the user submits a code, hash their input and compare it to the stored hash. Reject it if the expiry has passed or the attempt counter is exceeded, and delete the stored code as soon as it succeeds or expires. Rate-limit requests per number so the endpoint cannot be abused to send floods of messages.

Good practices

Short expiry — five minutes or less keeps a leaked code useless quickly.
Cap attempts — lock the code after a handful of wrong guesses.
Throttle sends — limit how often a number can request a new code.
Never log the code — keep it out of application logs and analytics.

Two-way option. Because the code goes from a real number, users can reply if something looks wrong. Route those replies with the inbound webhook guide so support sees them.

Scan to install

Send your first passcode

Install the Android app, pair your phone, and deliver an OTP from your own number.

Read the quickstart → Get it on Google Play

Send from your own SIM · Automated SMS notifications · Self-hosted vs cloud SMS · REST API reference