Quickstart
From zero to a verified OTP in about five minutes.
1. Create your account
Sign in to the Developer Console with Google or email/password. A virtual phone identity is generated for your account automatically on first sign-in — you can find it under Settings → Phone Identity.
2. Create a project
Projects are a grouping layer above applications — use one per product or environment. From the console sidebar, go to Projects → New project and give it a name.
3. Create an application
Inside Applications → New application, choose the project you just created and pick an environment:
- Test — credentials prefixed
ph_test_. Use this while integrating. - Live — credentials prefixed
ph_live_. Switch to this in production.
You'll be shown four credentials exactly once:
| Credential | Prefix | Where it's used |
|---|---|---|
| Client ID | ph_live_client_ | Public — safe in frontend code |
| Client Secret | ph_live_secret_ | Backend only |
| API Key | ph_live_api_ | Backend only — every API request |
| Webhook Secret | whsec_ | Backend only — verifying webhook signatures |
4. Send an OTP
From your backend server — never from a browser, since this call requires your Client Secret and API Key:
curl -X POST https://api.phone.cobinar.com/v1/otp/send \
-H "x-client-id: ph_test_client_xxxxxxxxxxxxxxxxxxxxxxxx" \
-H "x-client-secret: ph_test_secret_xxxxxxxxxxxxxxxxxxxxxxxx" \
-H "x-api-key: ph_test_api_xxxxxxxxxxxxxxxxxxxxxxxx" \
-H "Content-Type: application/json" \
-d '{"phone": "+999 482 918 102"}'
The response includes a requestId — a 6-digit code is generated, hashed, and stored for 5 minutes. The API never returns the code itself; it's surfaced to the user through your app's own UI.
5. Verify the code
curl -X POST https://api.phone.cobinar.com/v1/otp/verify \
-H "x-client-id: ph_test_client_xxxxxxxxxxxxxxxxxxxxxxxx" \
-H "x-client-secret: ph_test_secret_xxxxxxxxxxxxxxxxxxxxxxxx" \
-H "x-api-key: ph_test_api_xxxxxxxxxxxxxxxxxxxxxxxx" \
-H "Content-Type: application/json" \
-d '{"requestId": "a4b8c2d1...", "code": "847291"}'
A request allows up to 5 verification attempts before it's marked failed. Once verified, the same requestId will keep returning status: "verified" rather than erroring on repeat calls.
6. Register a webhook
In the console under Webhooks → New endpoint, register your own HTTPS URL and pick which events to receive (typically otp.verified, otp.failed, otp.expired). Every delivery is signed — see Webhooks for verifying the signature.
Try it without writing code first
The API Sandbox runs steps 4–6 directly from your browser against the real API, including a webhook-echo tool so you can see a signed delivery land without standing up a server.