Skip to main content
The Plivo Verify API enables programmatic user authentication via 2FA (Two-Factor Authentication) using SMS and voice calls. With just a few simple steps, you can easily integrate OTP-based verification into your applications.

Verify Eligibility and Coverage

  1. Direct Brands Only — Verify is offered to direct brands only. Resellers, Independent Software Vendors (ISVs), and aggregators or multi-tenant platforms are not eligible for Verify onboarding.
  2. Pay-as-You-Go — Verify operates on a pay-as-you-go model, with no minimum spend commitments for the Verify product itself. Channel-level commitments may apply. Verify uses Plivo-registered Sender IDs to deliver OTP messages. While this setup works globally, some countries may experience reduced delivery quality and require independent Sender ID registration, which is subject to minimum commit requirements as per messaging guidelines.
  3. India Delivery via ILDO — Plivo does not support SMS to India over domestic routes (DLT). Verify traffic to India will be sent via International Long Distance Operator (ILDO) routes, starting at USD 0.08 per message.

Quick Start

1

Set Up an Application in Plivo Console

To start sending OTPs, create a Verify application in the Plivo Console.Configure these settings:Once created, you’ll receive an Application UUID to use in API requests.
2

Create a Session to Send OTPs

Use the Create Session API to send an OTP:
Set a callback URL to receive real-time delivery status updates.
3

Validate the OTP

When the user enters the OTP, validate it using the Validate Session API:
4

Handle the Response

If the OTP is valid, allow the user to proceed. If invalid, prompt them to re-enter or resend the OTP.

Channels: SMS vs Voice

The Verify API supports two delivery channels:

Using Voice OTP

To send OTP via voice call, set channel to voice:
The user receives an automated voice call that reads out their OTP code.

Channel Fallback Strategy

For critical verifications, implement fallback:

Sessions

A session represents a single verification interaction with a user. Each session can have multiple delivery attempts. Example: You send an OTP at 10:00 AM with a 10-minute expiry. This creates a session that expires at 10:10 AM. All delivery attempts during this window are part of the same session and deliver the same OTP.

Session Lifecycle

  1. Created - OTP generated and first delivery attempted
  2. In Progress - Waiting for user to enter OTP (additional attempts possible)
  3. Verified - User entered correct OTP
  4. Expired - Session timed out without successful validation

Fraud Shield

Fraud Shield protects your applications from SMS pumping attacks by monitoring traffic in real-time and blocking suspicious messages.

Protection Levels

Configure in Console > Verify > App Settings > Fraud Shield. Blocked messages return error code 452 (Potential SMS Pumping).

Preventing False Positives

  1. Skip fraud check for trusted users - Set check_fs=false for known good users
  2. Create separate apps - Use different apps for Sign Up, Sign In, and Password Reset
  3. Use a dedicated low-protection app - For trusted user segments, create an app with Fraud Shield set to Low or Disabled

Signature Validation

Validate that webhook requests originate from Plivo using signature verification.

HTTP Headers

All Plivo requests include:
  • X-Plivo-Signature-V2 - Generated using account/subaccount Auth Token
  • X-Plivo-Signature-Ma-V2 - Always generated using main account Auth Token
  • X-Plivo-Signature-V2-Nonce - Unique nonce for the request

Generating the Signature

Calculate HMAC with:
  • Key: Your Plivo Auth Token
  • Message: Base URI + X-Plivo-Signature-V2-Nonce (e.g., https://yourdomain.com/callback/05429567804466091622)
  • Hash function: SHA256

Example


Translation Support

Send verification messages in your users’ preferred languages.
  1. Contact Plivo support to configure translations for your SMS templates
  2. Pass the locale parameter when creating a session

Locale Format

Combine language code (ISO 639-1) and optional region code (ISO 3166-1):
  • en - English
  • en_US - English (US)
  • es - Spanish
  • fr_FR - French (France)
If the specified locale is unavailable or invalid, the default locale (en) is used.

When to Use Multiple Applications

Most businesses need just one Verify application. Consider multiple applications when:
  • Different OTP lengths are needed (e.g., 4-digit for login, 6-digit for checkout)
  • Different channels are required (SMS-only for logins, SMS+voice for payments)
  • Different Fraud Shield settings are needed per use case

Reporting

View and analyze your verification traffic on the Plivo console at Verify > Logs.

Session Logs

Filters

Filter results by subaccount, date range, status, country, phone number, or application alias.
Session data is retained for 90 days.