Table of Contents
When you get a new registration on your site you want to make sure it’s a real person. That’s the reason Captchas were invented, as well as email confirmations. A recent addition to the authentication mix is the ability to send a text message with a code. This code then has to be typed into a verification form. This is more reliable than email because a script can read email too. Yes, a phone app can read text messages if someone installs the app and allows that permission. But it’s easier for someone to fabricate a list of email addresses than SMS enabled phone numbers. In this article, we will walk through how to verify SMS with an API.
What this means is that using an API call you can have a code sent to a phone through a text message. Then you can look for that code to be submitted in a form within a certain time (like 15 minutes). After that period you can ignore that registration. You could even do that for blog comments but that seems like overkill to me. 🙂
For this article we will follow a five-step process:
- Get an API Key
- Register for the Telesign SMS API
- Create a registration form
- Integrate with the API
- Put it all together
How to Verify SMS Messages with an API
Step 1. Get an API Key
First, you’ll need a rapidapi key. This is free, just sign up using an email address. You can use the same key for any of the thousands of APIs available.
Step 2. Register for the Telesign SMS API
According to the pricing page, the most you will pay for one test is one dollar. This depends on the country of your phone number though. In the phone number field, make sure you include the country code (in the United States it is 1). Otherwise, you will get an error from the API. The country code determines how many credits you use per API call. When I first saw this on the about page I thought I would pay a dollar for one test:
But if you click the “More…” link you can see the Credit Cost for most countries is less than 1000. I was happy to see that for US phone numbers the Credit Cost Per Verification Sent was only 51. This means I can use it 19 times (19*51=969) for the lowest monthly subscription. To use it more, the cost per verification goes down an order of magnitude. So for 10 dollars a month I could use it for US phone numbers, not 190 times but 1960 times (51*1960=99960).
The Telesign SMS Verify API has three input parameters. This includes the recipient phone number, a verification code, and your app name (so they know it’s from you). See below for how it looks on my phone when I tried it myself. I put “Really Popular App” as the name of my app and 12345 as the verification code:
The text came from a short code, which may be different for different countries. This likely explains the different pricing per country.
Step 3. Create a registration form
Now we get to the actual implementation of the API. We’ll start with a simple registration for something called “Really Popular App”. Since we will only verify the phone number every other piece of information may not be correct. Let’s start by requesting a name and phone number. That could look something like this:
Step 4. Verify SMS with an API
Once we submit the initial registration form, we save the phone number into the session. Then we generate a numeric verification code like this:
$thisVCode = rand(10000,99999);
Save the name, phone, code, and timestamp into a local database. The next step is using the SMS Verify API to send a code to the person’s phone. There is sample code for that step on the API Endpoints page in many different languages. After sending the code through SMS, show a form where the user can enter the code they received:
Once the user submits the verification form, the code can be compared with what was saved in the database. This is the point where we pull the verification code from the database. We pull the code using the phone number saved in the session. If it doesn’t match, we show a message explaining that and ask them to try again. If it does, then we can address the user by name and consider them registered!
Behind the scenes, we are using a database to track registrations. We use this to store the generated verification codes with the entered phone numbers. We also use the timestamp when each phone number is added to make sure the codes have not expired. Also, there is a number_of_attempts field in this table. This field tracks how many times incorrect verification codes have been entered. This way people can’t use scripts to brute force their way into an automated registration. The database table looks like this:
The Create Table statement for that table is as follows:
CREATE TABLE `registration_verifications` ( `verification_id` int(11) NOT NULL AUTO_INCREMENT, `first_name` varchar(255) NOT NULL, `phone` varchar(30) NOT NULL, `code` int(11) NOT NULL, `time_sent` timestamp NOT NULL DEFAULT CURRENT_TIMESTAMP, `number_of_attempts` int(11) NOT NULL DEFAULT '0', PRIMARY KEY (`verification_id`), KEY `phone` (`phone`) );
Step 5. Put it all together
The code used for the complete process above is below so you can use it as a reference. You’ll need to add your own rapidapi key and create your own table in a local database. Here is the full code:
The include/db.php file sets database credentials and creates a database link:
$dbLink = mysqli_connect($host, $user, $pwd, $database);