Labsco
openai logo

twilio-verify-send-otp

✓ Official4,081

by openai · part of openai/plugins

Send and verify one-time passcodes (OTPs) via Twilio Verify over SMS, RCS, voice, email, or WhatsApp. Covers creating a Verify Service, sending tokens, checking submitted codes, automatic WhatsApp-to-SMS fallback, and service configuration. TOTP is supported via the Factors API (a separate family from channel-based OTP). Use this skill to add phone or email verification or two-factor authentication to any application.

🧩 One of 7 skills in the openai/plugins package — works on its own, and pairs well with its siblings.

This is the playbook your agent receives when the skill activates — you don't need to read it to use the skill, but it's here to audit before installing.

Overview

Use Twilio Verify to manage the full OTP lifecycle: code generation, delivery, expiry, rate limiting, and Fraud Guard protection. Use the Programmable Messaging API to build your own OTP message infrastructure and access features such as SMS Pumping Protection.

Twilio VerifyProgrammable Messaging API
Code generation + expiryBuilt-in (10min default, configurable). Also supports custom codes.Build yourself
Rate limitingBuilt-in (per-phone, per-service)Build yourself
Fraud protectionFraud Guard (geo-permissions, rate anomaly)SMS Pumping Protection
A2P registrationExempt — no 10DLC neededRequired — must register campaign
Multi-channelOne API, change channel param (SMS/Voice/Email/WhatsApp/RCS)Separate integration per channel
CostPer confirmed verification + channel feePer-message pricing + build cost
Delivery confirmationYes — via List Attempts or Events APIYes (via StatusCallback)

When Programmable Messaging is justified: You need full control over message content, custom delivery logic, or SMS Pumping Protection features. For standard OTP/2FA flows, use Verify.

Verify supports SMS, voice, email, WhatsApp, and RCS — only the channel parameter changes per delivery method. TOTP (authenticator apps) is supported via the Verify Factors API, a separate implementation from channel-based OTP.


Key Patterns

Supported Channels

Channelchannel valueNotes
SMSsmsDefault, widest coverage
Voice callvoiceReads code aloud
EmailemailUse email address in to
WhatsAppwhatsappRequires own WhatsApp sender (see below)
RCSrcsRich messaging, Android devices

TOTP (authenticator apps): Supported via the Verify Factors API — a separate implementation from channel-based OTP. See Verify TOTP docs.

WhatsApp OTP

Change channel to "whatsapp" — the send/check flow is identical to SMS.

Requires: A registered production WhatsApp sender. As of March 2024, Twilio no longer provides a shared sender for Verify. See twilio-whatsapp-manage-senders.

Python

verification = client.verify.v2 \
    .services(os.environ["VERIFY_SERVICE_SID"]) \
    .verifications \
    .create(to="+15558675310", channel="whatsapp")

Node.js

const verification = await client.verify.v2
    .services(process.env.VERIFY_SERVICE_SID)
    .verifications.create({ to: "+15558675310", channel: "whatsapp" });

WhatsApp with Automatic SMS Fallback

Python

verification = client.verify.v2 \
    .services(os.environ["VERIFY_SERVICE_SID"]) \
    .verifications \
    .create(
        to="+15558675310",
        channel="whatsapp",
        channel_configuration={
            "whatsapp": {"enabled": True},
            "sms": {"enabled": True}   # falls back to SMS if WhatsApp undelivered
        }
    )

Node.js

const verification = await client.verify.v2
    .services(process.env.VERIFY_SERVICE_SID)
    .verifications.create({
        to: "+15558675310",
        channel: "whatsapp",
        channelConfiguration: {
            whatsapp: { enabled: true },
            sms: { enabled: true },
        },
    });

With fallback enabled, your UI can say "a verification code was sent" without specifying the channel.

Service Configuration

Python

service = client.verify.v2.services.create(
    friendly_name="My App",
    code_length=6,              # 4–10 digits (default: 6)
    lookup_enabled=True,        # Validate number before sending
    do_force_check_once=True,   # Code can only be checked once
    ttl=600,                    # Code expiry in seconds (default: 600)
)

Node.js

const service = await client.verify.v2.services.create({
    friendlyName: "My App",
    codeLength: 6,
    lookupEnabled: true,
    doForceCheckOnce: true,
    ttl: 600,
});

Verification Status Values

StatusMeaning
approvedCode is correct
pendingCode is wrong or not yet submitted
expiredCode has expired (default TTL: 10 minutes)
canceledVerification was canceled

Debugging

Primary debugging tool: Console > Verify > Logs (per-Service). Shows every verification attempt, delivery status, channel used, and error codes. Check here first before writing custom monitoring code.

Common Errors

CodeMeaningFix
60200Invalid parameterCheck to format and channel value
60202Max send attempts reachedWait before retrying
60203Max check attempts reachedIssue a new verification
60212Service not foundVerify VERIFY_SERVICE_SID is correct
60410Geo-permission not enabledEnable country in Console

Built-in protections (no custom code needed):

  • Rate limiting: 5 verifications per phone per service per 10 minutes
  • Max check attempts: 5 per verification (6th attempt → error 60203)
  • Phone number validation: Verify checks line type before sending (if lookup_enabled=True)
  • Fraud Guard: geo-permissions, rate anomaly detection, SMS pumping protection

International OTP traffic warning: International numbers are high-risk for SMS pumping — fraudsters trigger OTPs to premium-rate destinations to generate revenue. Verify's Fraud Guard handles this automatically when enabled. If you're building custom OTP with Programmable Messaging instead, enable SMS Pumping Protection on your Messaging Service (see twilio-messaging-services). Always restrict geo-permissions to only countries where you have real users.


CANNOT

  • No built-in channel fallback — Must implement retry logic manually (e.g., SMS → voice → email). Use channel_configuration for WhatsApp→SMS only.
  • No webhook on verification completion — Must poll verification_checks. Rate-limited: 60/min, 180/hr, 250/day.
  • Cannot retrieve the actual code sent — Code is never returned in any API response. By design.
  • Cannot change channel mid-verification — Starting on a new channel reuses the same Verification SID and token. Create a new verification instead.
  • Cannot extend TTL on an existing verification — Default 10 minutes. Customizable only at Service level, not per-verification.
  • Verification SID deleted after approval — Fetching an approved verification returns 404. Canceled verifications remain fetchable.
  • auto channel not universally available — Returns error 60200 on accounts without Fraud Guard enabled.
  • Email channel requires Mailer configurationchannel: 'email' without a configured Mailer returns error 60217.
  • No real-time delivery push notification — Delivery status is available via List Attempts or Events API (pull-based), not via a push webhook.
  • FriendlyName rejects 5+ consecutive digits — Service names containing 5+ digits trigger error 60200. Use words or fewer digits.
  • Wrong code does not throw an exception — Check returns status: "pending", not an error. You must check status === "approved" explicitly.
  • Cannot re-check an approved verification — Each verification is single-use. Once approved, subsequent checks return 404.
  • Cannot send to arbitrary numbers on trial accounts — Trial accounts have limited verification destinations
  • Cannot customize WhatsApp OTP template — Uses a fixed Meta authentication template
  • Cannot use WhatsApp channel for PSD2 compliance mode — PSD2 payee/amount parameters not supported on WhatsApp

Next Steps

  • Register a WhatsApp sender: twilio-whatsapp-manage-senders
  • Validate phone numbers before sending: twilio-lookup-phone-intelligence
  • Credential setup: twilio-iam-auth-setup