twilio-verify-send-otp

Overview

Use Twilio Verify to manage the full OTP lifecycle: code generation, delivery, expiry, rate limiting, and Fraud Guard protection. Use the Programmable Messaging API to build your own OTP message infrastructure and access features such as SMS Pumping Protection.

	Twilio Verify	Programmable Messaging API
Code generation + expiry	Built-in (10min default, configurable). Also supports custom codes.	Build yourself
Rate limiting	Built-in (per-phone, per-service)	Build yourself
Fraud protection	Fraud Guard (geo-permissions, rate anomaly)	SMS Pumping Protection
A2P registration	Exempt — no 10DLC needed	Required — must register campaign
Multi-channel	One API, change channel param (SMS/Voice/Email/WhatsApp/RCS)	Separate integration per channel
Cost	Per confirmed verification + channel fee	Per-message pricing + build cost
Delivery confirmation	Yes — via List Attempts or Events API	Yes (via StatusCallback)

When Programmable Messaging is justified: You need full control over message content, custom delivery logic, or SMS Pumping Protection features. For standard OTP/2FA flows, use Verify.

Verify supports SMS, voice, email, WhatsApp, and RCS — only the channel parameter changes per delivery method. TOTP (authenticator apps) is supported via the Verify Factors API, a separate implementation from channel-based OTP.

---

Prerequisites

• Twilio account (free trial works for testing) — New to Twilio? See twilio-account-setup — Verify requires no separate product activation — just create a Service below
• Environment variables:
  • TWILIO_ACCOUNT_SID
  • TWILIO_AUTH_TOKEN
  • VERIFY_SERVICE_SID (created in Quickstart step 1) — See twilio-iam-auth-setup for credential setup and best practices
• SDK: pip install twilio / npm install twilio
• For WhatsApp channel only: a registered production WhatsApp sender — see twilio-whatsapp-manage-senders

---

Quickstart

Step 1 — Create a Verify Service (one-time)

Python

import os
from twilio.rest import Client

client = Client(os.environ["TWILIO_ACCOUNT_SID"], os.environ["TWILIO_AUTH_TOKEN"])

service = client.verify.v2.services.create(
    friendly_name="My App Verification"
)
print(service.sid)  # VAxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx — save as VERIFY_SERVICE_SID

Node.js

const twilio = require("twilio");
const client = twilio(process.env.TWILIO_ACCOUNT_SID, process.env.TWILIO_AUTH_TOKEN);

const service = await client.verify.v2.services.create({
    friendlyName: "My App Verification",
});
console.log(service.sid);  // VAxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx

Store the Service SID — reuse it for all verifications, do not recreate it each time.

Step 2 — Send a verification token

Python

verification = client.verify.v2 \
    .services(os.environ["VERIFY_SERVICE_SID"]) \
    .verifications \
    .create(to="+15558675310", channel="sms")

print(verification.status)  # pending

Node.js

const verification = await client.verify.v2
    .services(process.env.VERIFY_SERVICE_SID)
    .verifications.create({ to: "+15558675310", channel: "sms" });

console.log(verification.status);  // pending

Step 3 — Check the submitted code

Python

check = client.verify.v2 \
    .services(os.environ["VERIFY_SERVICE_SID"]) \
    .verification_checks \
    .create(to="+15558675310", code="123456")

if check.status == "approved":
    print("Verified!")
else:
    print("Invalid or expired code")

Node.js

const check = await client.verify.v2
    .services(process.env.VERIFY_SERVICE_SID)
    .verificationChecks.create({ to: "+15558675310", code: "123456" });

if (check.status === "approved") {
    console.log("Verified!");
} else {
    console.log("Invalid or expired code");
}

---

Key Patterns

Supported Channels

Channel	channel value	Notes
SMS	sms	Default, widest coverage
Voice call	voice	Reads code aloud
Email	email	Use email address in to
WhatsApp	whatsapp	Requires own WhatsApp sender (see below)
RCS	rcs	Rich messaging, Android devices

TOTP (authenticator apps): Supported via the Verify Factors API — a separate implementation from channel-based OTP. See Verify TOTP docs.

WhatsApp OTP

Change channel to "whatsapp" — the send/check flow is identical to SMS.

Requires: A registered production WhatsApp sender. As of March 2024, Twilio no longer provides a shared sender for Verify. See twilio-whatsapp-manage-senders.

Python

verification = client.verify.v2 \
    .services(os.environ["VERIFY_SERVICE_SID"]) \
    .verifications \
    .create(to="+15558675310", channel="whatsapp")

Node.js

const verification = await client.verify.v2
    .services(process.env.VERIFY_SERVICE_SID)
    .verifications.create({ to: "+15558675310", channel: "whatsapp" });

WhatsApp with Automatic SMS Fallback

Python

verification = client.verify.v2 \
    .services(os.environ["VERIFY_SERVICE_SID"]) \
    .verifications \
    .create(
        to="+15558675310",
        channel="whatsapp",
        channel_configuration={
            "whatsapp": {"enabled": True},
            "sms": {"enabled": True}   # falls back to SMS if WhatsApp undelivered
        }
    )

Node.js

const verification = await client.verify.v2
    .services(process.env.VERIFY_SERVICE_SID)
    .verifications.create({
        to: "+15558675310",
        channel: "whatsapp",
        channelConfiguration: {
            whatsapp: { enabled: true },
            sms: { enabled: true },
        },
    });

With fallback enabled, your UI can say "a verification code was sent" without specifying the channel.

Service Configuration

Python

service = client.verify.v2.services.create(
    friendly_name="My App",
    code_length=6,              # 4–10 digits (default: 6)
    lookup_enabled=True,        # Validate number before sending
    do_force_check_once=True,   # Code can only be checked once
    ttl=600,                    # Code expiry in seconds (default: 600)
)

Node.js

const service = await client.verify.v2.services.create({
    friendlyName: "My App",
    codeLength: 6,
    lookupEnabled: true,
    doForceCheckOnce: true,
    ttl: 600,
});

Verification Status Values

Status	Meaning
approved	Code is correct
pending	Code is wrong or not yet submitted
expired	Code has expired (default TTL: 10 minutes)
canceled	Verification was canceled

---

Debugging

Primary debugging tool: Console > Verify > Logs (per-Service). Shows every verification attempt, delivery status, channel used, and error codes. Check here first before writing custom monitoring code.

Common Errors

Code	Meaning	Fix
60200	Invalid parameter	Check to format and channel value
60202	Max send attempts reached	Wait before retrying
60203	Max check attempts reached	Issue a new verification
60212	Service not found	Verify VERIFY_SERVICE_SID is correct
60410	Geo-permission not enabled	Enable country in Console

Built-in protections (no custom code needed):

• Rate limiting: 5 verifications per phone per service per 10 minutes
• Max check attempts: 5 per verification (6th attempt → error 60203)
• Phone number validation: Verify checks line type before sending (if lookup_enabled=True)
• Fraud Guard: geo-permissions, rate anomaly detection, SMS pumping protection

International OTP traffic warning: International numbers are high-risk for SMS pumping — fraudsters trigger OTPs to premium-rate destinations to generate revenue. Verify's Fraud Guard handles this automatically when enabled. If you're building custom OTP with Programmable Messaging instead, enable SMS Pumping Protection on your Messaging Service (see twilio-messaging-services). Always restrict geo-permissions to only countries where you have real users.

---

CANNOT

• No built-in channel fallback — Must implement retry logic manually (e.g., SMS → voice → email). Use channel_configuration for WhatsApp→SMS only.
• No webhook on verification completion — Must poll verification_checks. Rate-limited: 60/min, 180/hr, 250/day.
• Cannot retrieve the actual code sent — Code is never returned in any API response. By design.
• Cannot change channel mid-verification — Starting on a new channel reuses the same Verification SID and token. Create a new verification instead.
• Cannot extend TTL on an existing verification — Default 10 minutes. Customizable only at Service level, not per-verification.
• Verification SID deleted after approval — Fetching an approved verification returns 404. Canceled verifications remain fetchable.
• auto channel not universally available — Returns error 60200 on accounts without Fraud Guard enabled.
• Email channel requires Mailer configuration — channel: 'email' without a configured Mailer returns error 60217.
• No real-time delivery push notification — Delivery status is available via List Attempts or Events API (pull-based), not via a push webhook.
• FriendlyName rejects 5+ consecutive digits — Service names containing 5+ digits trigger error 60200. Use words or fewer digits.
• Wrong code does not throw an exception — Check returns status: "pending", not an error. You must check status === "approved" explicitly.
• Cannot re-check an approved verification — Each verification is single-use. Once approved, subsequent checks return 404.
• Cannot send to arbitrary numbers on trial accounts — Trial accounts have limited verification destinations
• Cannot customize WhatsApp OTP template — Uses a fixed Meta authentication template
• Cannot use WhatsApp channel for PSD2 compliance mode — PSD2 payee/amount parameters not supported on WhatsApp

---

Next Steps

• Register a WhatsApp sender: twilio-whatsapp-manage-senders
• Validate phone numbers before sending: twilio-lookup-phone-intelligence
• Credential setup: twilio-iam-auth-setup