Get Started

Quickstart

From zero to a verified OTP in about five minutes.

1. Create your account

Sign in to the Developer Console with Google or email/password. A virtual phone identity is generated for your account automatically on first sign-in — you can find it under Settings → Phone Identity.

2. Create a project

Projects are a grouping layer above applications — use one per product or environment. From the console sidebar, go to Projects → New project and give it a name.

3. Create an application

Inside Applications → New application, choose the project you just created and pick an environment:

  • Test — credentials prefixed ph_test_. Use this while integrating.
  • Live — credentials prefixed ph_live_. Switch to this in production.

You'll be shown four credentials exactly once:

| Credential | Prefix | Where it's used |
| --- | --- | --- |
| Client ID | ph_live_client_ | Public — safe in frontend code |
| Client Secret | ph_live_secret_ | Backend only |
| API Key | ph_live_api_ | Backend only — every API request |
| Webhook Secret | whsec_ | Backend only — verifying webhook signatures |

Copy the Client Secret and API Key immediately. Unlike the Webhook Secret, they cannot be viewed again — only rotated (which invalidates the old value). See Authentication & Credentials.

4. Send an OTP

From your backend server — never from a browser, since this call requires your Client Secret and API Key:

curl -X POST https://api.phone.cobinar.com/v1/otp/send \
  -H "x-client-id: ph_test_client_xxxxxxxxxxxxxxxxxxxxxxxx" \
  -H "x-client-secret: ph_test_secret_xxxxxxxxxxxxxxxxxxxxxxxx" \
  -H "x-api-key: ph_test_api_xxxxxxxxxxxxxxxxxxxxxxxx" \
  -H "Content-Type: application/json" \
  -d '{"phone": "+999 482 918 102"}'

The response includes a requestId. When you send, a 6-digit code is generated, hashed, and stored for 5 minutes. The API never returns the code itself; it's surfaced to the user through your app's own UI.

5. Verify the code

curl -X POST https://api.phone.cobinar.com/v1/otp/verify \
  -H "x-client-id: ph_test_client_xxxxxxxxxxxxxxxxxxxxxxxx" \
  -H "x-client-secret: ph_test_secret_xxxxxxxxxxxxxxxxxxxxxxxx" \
  -H "x-api-key: ph_test_api_xxxxxxxxxxxxxxxxxxxxxxxx" \
  -H "Content-Type: application/json" \
  -d '{"requestId": "a4b8c2d1...", "code": "847291"}'

A request allows up to 5 verification attempts before it's marked failed. Once verified, the same requestId will keep returning status: "verified" rather than erroring on repeat calls.
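The two calls in steps 4 and 5 as a backend helper, added here as an illustration and not taken from the Cobinar docs or any official SDK. It loads the three credentials from environment variables, rejects values whose prefix does not match the chosen environment or header, and builds the requests without sending them; the variable names PH_CLIENT_ID, PH_CLIENT_SECRET and PH_API_KEY and all function names are assumptions.

```python
import json
import os
import urllib.request

API_BASE = "https://api.phone.cobinar.com/v1"
# Header name -> credential kind, matching the curl calls and prefixes above.
KINDS = {"x-client-id": "client", "x-client-secret": "secret", "x-api-key": "api"}
# Assumed environment variable names (hypothetical; use your own).
ENV_VARS = {"x-client-id": "PH_CLIENT_ID", "x-client-secret": "PH_CLIENT_SECRET",
            "x-api-key": "PH_API_KEY"}


def load_credentials(environment, env=os.environ):
    """Read the request credentials and check each one's prefix."""
    if environment not in ("test", "live"):
        raise ValueError("environment must be 'test' or 'live'")
    creds = {}
    for header, kind in KINDS.items():
        value = env.get(ENV_VARS[header], "")
        expected = f"ph_{environment}_{kind}_"
        if not value.startswith(expected):
            # Name the variable only; never echo a secret into logs or errors.
            raise ValueError(f"{ENV_VARS[header]} must start with {expected}")
        creds[header] = value
    return creds


def build_request(path, payload, creds):
    """Build (without sending) an authenticated JSON POST."""
    headers = {**creds, "Content-Type": "application/json"}
    return urllib.request.Request(f"{API_BASE}{path}", method="POST",
                                  data=json.dumps(payload).encode(), headers=headers)


def otp_send_request(phone, creds):
    return build_request("/otp/send", {"phone": phone}, creds)


def otp_verify_request(request_id, code, creds):
    # Codes are 6 digits; reject malformed input locally so it does not
    # spend one of the 5 verification attempts.
    if not (len(code) == 6 and code.isascii() and code.isdigit()):
        raise ValueError("code must be exactly 6 digits")
    return build_request("/otp/verify", {"requestId": request_id, "code": code}, creds)
```

To send a request from backend code, pass the returned object to urllib.request.urlopen with a timeout.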

6. Register a webhook

In the console under Webhooks → New endpoint, register your own HTTPS URL and pick which events to receive (typically otp.verified, otp.failed, otp.expired). Every delivery is signed — see Webhooks for verifying the signature.

Try it without writing code first

The API Sandbox runs steps 4–6 directly from your browser against the real API, including a webhook-echo tool so you can see a signed delivery land without standing up a server.