SMS OTP

In preview

Send a code by SMS. Check it by recipient.

Get startedRead docs
Set up in:
Cursor

SMS verification sends a one-time code to a phone number and confirms the person typing it back holds the line. Bird generates the code, sends it, enforces per-recipient caps, and checks it by recipient — so there's no id to store and no resend endpoint to wire.

verify.ts
200 · pending
import { BirdClient } from "@messagebird/sdk";

const bird = new BirdClient({ apiKey: process.env.BIRD_API_KEY! });

// Send the code, then check it by recipient.
await bird.verify.verifications.create({
  to: { phone_number: "+15551234567" },
}).safe();

const { data } = await bird.verify.verifications.check({
  to:   { phone_number: "+15551234567" },
  code: userInput,
}).safe();

SMS OTP is one call to send and one to check.

SMS is a phone-family channel on the Bird Verify API: post a verification with a phone number and we send the code on the shared Authifly SMS sender; check it by that same number. Re-posting the create is the resend (create-or-retry), and every code in the session stays valid until it verifies, expires, or runs out of attempts.

What you get on an SMS verification.

Built in, on every send.

  1. 01

    Addressed by phone number.

    Pass a single E.164 phone number. We normalize it and send over SMS on the sender resolved for its country.

  2. 02

    Server-generated, hashed codes.

    A 6-digit code by default (4–10 configurable), generated with a cryptographic random source and stored only as an HMAC. You never see the plaintext.

  3. 03

    Resend is the same call.

    Re-post the create to resend once the 60-second cooldown passes — same session, new code, both still valid. No separate resend endpoint.

  4. 04

    Per-recipient caps included.

    A per-recipient send cap and a per-workspace daily quota bound send volume and runaway spend, each a 429 with Retry-After.

  5. 05

    Reach that expands by country.

    SMS sends on the shared Authifly sender today, deliverable where it's registered, with dedicated and registered senders extending reach as they land.

The whole flow, two calls.

Create-or-retry sends the code to the phone number; check confirms it by that number. There's no id to thread between the two — the recipient is the key.

sms-otp.ts
200
await bird.verify.verifications.create({
  to: { phone_number: "+15551234567" },
}).safe();

const { data } = await bird.verify.verifications.check({
  to:   { phone_number: "+15551234567" },
  code: userInput,
}).safe();

// data.result is true or false; data.reason elaborates ("expired", "already_verified", …)

SMS OTP FAQ

What is SMS OTP?+
An SMS one-time passcode is a short code texted to a phone number that the user types back to prove they control that number. It's the most widely used second factor and signup check because almost every phone receives SMS.
Do I need to store a verification id to check the code?+
No. Bird checks by recipient: you send the phone number and the code, and we resolve the live session from the configuration-and-number pair. The configuration id is a constant; nothing is stored per verification.
Which countries can I reach?+
SMS sends on the shared Authifly sender, which is deliverable in the countries where it's registered. Sender-ID rules are country-specific, and registered and dedicated senders extend reach over time.
How do you stop SMS pumping and brute force?+
Per-recipient send caps, a per-workspace daily quota, and a per-verification guess limit are built in today. Deeper fraud signals and SMS-pumping protection are coming next.
Who do my users see the code from?+
Authifly, Bird's verification brand. It's the identity on every code your users receive: email arrives from otp@verify.authifly.com or your own verified domain, and SMS and WhatsApp are Authifly-branded. authifly.com is a public page that reassures recipients Authifly sends legitimate one-time codes on a business's behalf. Bird is the platform you build on; Authifly is what the recipient sees.

The rest of the Verify platform

One API, one set of keys. Explore the other capabilities.

Email OTPVerify by email on the network that already carries your transactional mail.WhatsApp OTPCodes on WhatsApp as an orderable channel in the same plan.Voice OTPRolling out: a spoken code for landlines and hard-to-reach users.Channel orchestrationPer-country channel order and senders as a first-class config resource.Anti-abuse & code securityHashed codes, per-recipient caps, attempt lockout, and the fraud roadmap.Verify API overviewThe full Verify API: create-or-retry, check by target, and per-country config.

The verification API with nothing to store.

SMS is one channel of Bird Verify: email and WhatsApp ship with it, and voice is rolling out — all on the same two endpoints.

Explore the Verify platformGet started

Start with one channel.
Add the others when you're ready.

A test API key is yours immediately. Production unlocks when you add a payment method and verify a sender.

Get startedRead docs

Using Claude Code, Cursor, or Codex? Copy a setup prompt and your agent installs the Bird CLI and skills for you. Pick yours:

Cursor