API Documentation

Build powerful applications with TrustOTP API

Get API Key Quick Start

Quick Start

1Get Your API Key

Generate an API key from your account dashboard.

2Authentication

Include your API key in the Authorization header of all requests:

Authorization: Bearer YOUR_API_KEY

3Base URL

All API requests should be made to:

https://api.trustotp.app/v1/api

4Response Format

All responses are returned in JSON format with a consistent structure including success status and data or error fields.

Code Examples

curl -X GET "https://api.trustotp.app/v1/api/v1/numbers/available" \
  -H "Authorization: Bearer YOUR_API_KEY" \
  -H "Content-Type: application/json"

API Endpoints

Phone Numbers

OTP Verification

Account Management

Webhooks

Real-time Notifications: Webhooks allow you to receive instant notifications when SMS messages arrive. All webhooks are signed with HMAC-SHA256 for security.

Webhook Payloads

SMS Received

{
  "type": "sms",
  "number": "+1234567890",
  "from": "+9876543210",
  "message": "Your verification code is 123456",
  "timestamp": "2024-01-15T10:30:00Z"
}

OTP Received

{
  "type": "otp",
  "service": "whatsapp",
  "number": "+1234567890",
  "code": "123456",
  "timestamp": "2024-01-15T10:30:00Z"
}

Test Webhook

{
  "type": "test",
  "message": "This is a test webhook from TrustOTP",
  "timestamp": "2024-01-15T10:30:00Z",
  "test": true
}

Simple Signature Verification

Webhooks include a signature in the X-TrustOTP-Signature header. The signature is a simple HMAC-SHA256 hash of the JSON payload using your API key.

// Node.js example
const crypto = require('crypto');

function verifyWebhook(signature, apiKey, body) {
  const expected = crypto
    .createHmac('sha256', apiKey)
    .update(JSON.stringify(body))
    .digest('hex');

  return signature === expected;
}

Rate Limits & Best Practices

Rate Limiting

API requests are limited to 100 requests per minute per API key. Exceeding this limit will result in a 429 Too Many Requests response.

Error Handling

All error responses follow a consistent format:

{
  "success": false,
  "error": {
    "code": "INVALID_REQUEST",
    "message": "Description of the error"
  }
}

Webhooks

For real-time SMS notifications, configure webhooks in your account settings. We'll send POST requests to your endpoint when new messages arrive.

Security

Always use HTTPS for API requests
Keep your API keys secure and never expose them in client-side code
Rotate your API keys regularly
Use IP whitelisting for additional security (available in settings)

Need Help?

Our support team is here to help you integrate the TrustOTP API

Contact Support

Quick Start

1Get Your API Key

Generate an API key from your account dashboard.

2Authentication

Include your API key in the Authorization header of all requests:

Authorization: Bearer YOUR_API_KEY

3Base URL

All API requests should be made to:

https://api.trustotp.app/v1/api

4Response Format

All responses are returned in JSON format with a consistent structure including success status and data or error fields.

API Endpoints

Phone Numbers

OTP Verification

Account Management

Webhooks

Real-time Notifications: Webhooks allow you to receive instant notifications when SMS messages arrive. All webhooks are signed with HMAC-SHA256 for security.

Webhook Payloads

SMS Received

{
  "type": "sms",
  "number": "+1234567890",
  "from": "+9876543210",
  "message": "Your verification code is 123456",
  "timestamp": "2024-01-15T10:30:00Z"
}

OTP Received

{
  "type": "otp",
  "service": "whatsapp",
  "number": "+1234567890",
  "code": "123456",
  "timestamp": "2024-01-15T10:30:00Z"
}

Test Webhook

{
  "type": "test",
  "message": "This is a test webhook from TrustOTP",
  "timestamp": "2024-01-15T10:30:00Z",
  "test": true
}

Simple Signature Verification

Webhooks include a signature in the X-TrustOTP-Signature header. The signature is a simple HMAC-SHA256 hash of the JSON payload using your API key.

// Node.js example
const crypto = require('crypto');

function verifyWebhook(signature, apiKey, body) {
  const expected = crypto
    .createHmac('sha256', apiKey)
    .update(JSON.stringify(body))
    .digest('hex');

  return signature === expected;
}

Rate Limits & Best Practices

Rate Limiting

API requests are limited to 100 requests per minute per API key. Exceeding this limit will result in a 429 Too Many Requests response.

Error Handling

All error responses follow a consistent format:

{
  "success": false,
  "error": {
    "code": "INVALID_REQUEST",
    "message": "Description of the error"
  }
}

Webhooks

For real-time SMS notifications, configure webhooks in your account settings. We'll send POST requests to your endpoint when new messages arrive.

Security

Always use HTTPS for API requests
Keep your API keys secure and never expose them in client-side code
Rotate your API keys regularly
Use IP whitelisting for additional security (available in settings)