OTP Verification API

Mobile App Integration Guide

Send one-time passwords via SMS or email and verify them from any application. Authentication requires a user-level API key or a device token.

*
This endpoint requires a Bearer token (Authorization header) or X-API-Token header — unlike other endpoints it is NOT for mobile devices only. Generate a user API key from Settings → API Key.

Send OTP

POST /api/?endpoint=send_otp

Generates a code, sends it to the recipient via the configured channel, and records the attempt. Rate-limited to one send per 60 seconds per recipient.

Request Body

Field Type Description
recipient string required Phone number (E.164 format) or email address.
channel string optional "sms" or "email". Defaults to the channel configured in OTP Settings.
lang string optional Template language code: en, ro, bg, fr, de, uk. Defaults to "en".
ref_id string optional Your optional reference (order ID, session ID, user ID…) — returned in the verify response.

Example Request

cURL
curl -X POST "https://api.rcszilla.com/api/?endpoint=send_otp" \
  -H "Authorization: Bearer YOUR-API-TOKEN" \
  -H "Content-Type: application/json" \
  -d '{"recipient":"+40700000000","channel":"sms","lang":"en","ref_id":"order_42"}'
PHP
$ch = curl_init('https://api.rcszilla.com/api/?endpoint=send_otp');
curl_setopt_array($ch, [
    CURLOPT_POST           => true,
    CURLOPT_POSTFIELDS     => json_encode([
        'recipient' => '+40700000000',
        'channel'   => 'sms',
        'lang'      => 'en',
        'ref_id'    => 'order_42',
    ]),
    CURLOPT_RETURNTRANSFER => true,
    CURLOPT_HTTPHEADER     => ['Authorization: Bearer YOUR-API-TOKEN', 'Content-Type: application/json'],
]);
$result = json_decode(curl_exec($ch), true);
// $result = ['success' => true, 'otp_id' => 42]
Python
import requests

r = requests.post(
    "https://api.rcszilla.com/api/",
    params={"endpoint": "send_otp"},
    json={"recipient": "+40700000000", "channel": "sms", "lang": "en", "ref_id": "order_42"},
    headers={"Authorization": "Bearer YOUR-API-TOKEN"},
    timeout=10,
)
print(r.json())  # {'success': True, 'otp_id': 42}
Node.js
const res = await fetch("https://api.rcszilla.com/api/?endpoint=send_otp", {
  method: "POST",
  headers: { "Authorization": "Bearer YOUR-API-TOKEN", "Content-Type": "application/json" },
  body: JSON.stringify({ recipient: "+40700000000", channel: "sms", lang: "en", ref_id: "order_42" }),
});
const data = await res.json();
// data = { success: true, otp_id: 42 }
Ruby
require 'net/http'; require 'json'
uri = URI("https://api.rcszilla.com/api/?endpoint=send_otp")
req = Net::HTTP::Post.new(uri, 'Authorization' => 'Bearer YOUR-API-TOKEN', 'Content-Type' => 'application/json')
req.body = {recipient: '+40700000000', channel: 'sms', lang: 'en'}.to_json
res = Net::HTTP.start(uri.hostname, uri.port, use_ssl: uri.scheme == 'https') { |h| h.request(req) }
puts JSON.parse(res.body)
Go
payload, _ := json.Marshal(map[string]string{"recipient": "+40700000000", "channel": "sms", "lang": "en"})
req, _ := http.NewRequest("POST", "https://api.rcszilla.com/api/?endpoint=send_otp", bytes.NewBuffer(payload))
req.Header.Set("Authorization", "Bearer YOUR-API-TOKEN")
req.Header.Set("Content-Type", "application/json")
resp, _ := http.DefaultClient.Do(req)
// read resp.Body...
Java
HttpClient client = HttpClient.newHttpClient();
HttpRequest request = HttpRequest.newBuilder()
    .uri(URI.create("https://api.rcszilla.com/api/?endpoint=send_otp"))
    .header("Authorization", "Bearer YOUR-API-TOKEN")
    .header("Content-Type", "application/json")
    .POST(HttpRequest.BodyPublishers.ofString(
        "{\"recipient\":\"+40700000000\",\"channel\":\"sms\",\"lang\":\"en\"}"
    ))
    .build();
HttpResponse<String> response = client.send(request, HttpResponse.BodyHandlers.ofString());
// parse response.body() as JSON

Response

JSON200 OK
{
  "success": true,
  "message": "OTP sent.",
  "otp_id": 42
}
JSON429 Rate Limited
{
  "success": false,
  "message": "Please wait 45 seconds before requesting a new code.",
  "retry_after": 45
}

Verify OTP

POST /api/?endpoint=verify_otp

Checks the submitted code against the most recent pending OTP for this recipient. Returns success on match and marks the OTP as verified.

Request Body

Field Type Description
recipient string required Same phone/email used in the send call.
code string required The code the user entered.

Example Request

cURL
curl -X POST "https://api.rcszilla.com/api/?endpoint=verify_otp" \
  -H "Authorization: Bearer YOUR-API-TOKEN" \
  -H "Content-Type: application/json" \
  -d '{"recipient":"+40700000000","code":"123456"}'
PHP
$ch = curl_init('https://api.rcszilla.com/api/?endpoint=verify_otp');
curl_setopt_array($ch, [
    CURLOPT_POST           => true,
    CURLOPT_POSTFIELDS     => json_encode(['recipient' => '+40700000000', 'code' => '123456']),
    CURLOPT_RETURNTRANSFER => true,
    CURLOPT_HTTPHEADER     => ['Authorization: Bearer YOUR-API-TOKEN', 'Content-Type: application/json'],
]);
$result = json_decode(curl_exec($ch), true);
if ($result['success']) {
    // phone verified — proceed with user action
}
Python
r = requests.post(
    "https://api.rcszilla.com/api/",
    params={"endpoint": "verify_otp"},
    json={"recipient": "+40700000000", "code": "123456"},
    headers={"Authorization": "Bearer YOUR-API-TOKEN"},
)
if r.json().get("success"):
    pass  # verified — continue
Node.js
const res = await fetch("https://api.rcszilla.com/api/?endpoint=verify_otp", {
  method: "POST",
  headers: { "Authorization": "Bearer YOUR-API-TOKEN", "Content-Type": "application/json" },
  body: JSON.stringify({ recipient: "+40700000000", code: "123456" }),
});
const { success, message, otp_id, ref_id, verified_at } = await res.json();
Ruby
require 'net/http'; require 'json'
uri = URI("https://api.rcszilla.com/api/?endpoint=verify_otp")
req = Net::HTTP::Post.new(uri, 'Authorization' => 'Bearer YOUR-API-TOKEN', 'Content-Type' => 'application/json')
req.body = {recipient: '+40700000000', code: '123456'}.to_json
res = Net::HTTP.start(uri.hostname, uri.port, use_ssl: uri.scheme == 'https') { |h| h.request(req) }
puts JSON.parse(res.body)
Go
payload, _ := json.Marshal(map[string]string{"recipient": "+40700000000", "code": "123456"})
req, _ := http.NewRequest("POST", "https://api.rcszilla.com/api/?endpoint=verify_otp", bytes.NewBuffer(payload))
req.Header.Set("Authorization", "Bearer YOUR-API-TOKEN")
req.Header.Set("Content-Type", "application/json")
resp, _ := http.DefaultClient.Do(req)
// read resp.Body...

Response

JSON200 OK
{
  "success": true,
  "message": "OTP verified successfully.",
  "otp_id": 42,
  "ref_id": "order_42",
  "verified_at": "2026-05-05T14:30:00+00:00"
}
JSON422 Wrong Code
{
  "success": false,
  "message": "Wrong code. 2 attempt(s) remaining.",
  "attempts_remaining": 2
}

Error Codes

HTTP Description
400Bad request or unknown action.
401Invalid or missing API token.
403Too many wrong attempts — OTP invalidated.
404No active OTP found for this recipient.
410OTP has expired.
422Wrong code — response includes attempts_remaining.
429Rate limit — response includes retry_after (seconds).
500Delivery error — check your channel settings.