HomeAPI & Dev2FA Authentication API

🔐 2FA Authentication API

Add secure SMS OTP two-factor authentication to your application. Three endpoints: Send OTP, Verify OTP, and Check Balance — all returning JSON.

REST · JSON HTTPS GET v1.0
About iSMS 2FA → Register Free
ℹ️
All 2FA API calls are HTTPS GET requests to https://www.isms.com.my/2FA/request.php. The OTP is a 6-digit random number. The %OTP% placeholder in your message template is automatically replaced with the generated OTP.
🔄
Workflow: Send OTP → receive uuid + sms_id in response → user enters OTP → Verify OTP with those IDs → allow or deny access.
Endpoint 1

Send / Request OTP

Sends a 6-digit OTP to the specified mobile number via SMS.

HTTPS Endpoint
https://www.isms.com.my/2FA/request.php
ParameterTypeRequiredDescriptionExample
unStringRequirediSMS account usernamemyuser
passStringRequirediSMS account passwordmypass
mobileIntegerRequiredMobile number without country code and without leading 0 — e.g. 1XXXXXXXXX1XXXXXXXXX
country_codeIntegerRequiredCountry calling code — e.g. 60 for Malaysia60
messageStringRequiredSMS message template. Use %OTP% as placeholder — it is replaced with the 6-digit OTP automatically.Your OTP code is %OTP%
typeIntegerRequired1 = ASCII (English/BM)  ·  2 = Unicode (Chinese/Arabic)1
sendidStringOptionalSender ID — alphanumeric, max 11 charactersMyApp
Sample Request URL
https://www.isms.com.my/2FA/request.php?un=myuser&pass=mypass&mobile=1XXXXXXXXX&country_code=60&type=1&sendid=MyApp&message=Your+OTP+Code+is+%25OTP%25
PHP · cURL Example — Send OTP
<?php

$params = http_build_query([
    'un'           => 'myuser',
    'pass'         => 'mypass',
    'mobile'       => '1XXXXXXXXX',   // No country code, no leading 0
    'country_code' => '60',
    'message'      => 'Your OTP code is %OTP%',  // %OTP% auto-replaced
    'type'         => '1',
    'sendid'       => 'MyApp',
]);

$ch = curl_init('https://www.isms.com.my/2FA/request.php?' . $params);
curl_setopt($ch, CURLOPT_RETURNTRANSFER, true);
curl_setopt($ch, CURLOPT_SSL_VERIFYPEER, true);
curl_setopt($ch, CURLOPT_TIMEOUT, 30);
$result = curl_exec($ch);
$error  = curl_error($ch);
curl_close($ch);

if ($error) { die('cURL error: ' . $error); }

$data = json_decode($result, true);

if ($data['status'] === 'Success') {
    // Store $data['uuid'] and $data['sms_id'] — needed for verification step
    $uuid   = $data['uuid'];
    $sms_id = $data['sms_id'];
    echo 'OTP sent! UUID: ' . $uuid;
} else {
    echo 'Failed: ' . ($data['message'] ?? $result);
}
✅ Send OTP — Success
{
  "status":   "Success",
  "code":     "147623",
  "uuid":     "bd9a1ff0-4f2c-11eb-9b62-008cfaff44de",
  "username": "myuser",
  "sms_id":   "1171081025",
  "mobile":   "+601X-XXXXXXX"
}
❌ Send OTP — Failed
{
  "status":  "Failed",
  "message": "Authentication Failed",
  "uuid":    "1a1e1b86-...",
  "sms_id":  "1171081605",
  "code":    "408902",
  "mobile":  "+601X-XXXXXXX"
}
Response FieldDescription
statusSuccess or Failed
codeThe 6-digit OTP that was sent (store securely for reference)
uuidUnique message identifier — required for the Verify OTP call
sms_idSMS transaction ID — required for the Verify OTP call
mobileDestination mobile in international format
usernameYour iSMS account username
Endpoint 2

Verify OTP

Verify the OTP entered by the user against the one that was sent. Pass the uuid and sms_id returned from the Send OTP response.

ParameterTypeRequiredDescriptionExample
unStringRequirediSMS account usernamemyuser
passStringRequirediSMS account passwordmypass
mobileIntegerRequiredSame mobile number used when sending OTP (no country code, no leading 0)1XXXXXXXXX
country_codeIntegerRequiredCountry calling code60
methodStringRequiredMust be verifyverify
codeIntegerRequiredThe OTP code entered by the user515296
sms_idIntegerRequiredThe sms_id from the Send OTP response1171081605
uuidStringRequiredThe uuid from the Send OTP response1a1e1b86-4f2d-...
intervalIntegerOptionalOTP expiry in minutes — e.g. 3 means OTP expires after 3 minutes3
sendidStringOptionalSender ID used when sending OTPMyApp
PHP · cURL Example — Verify OTP
<?php

// Values from your form (user-submitted OTP)
$userOtp = $_POST['otp'];        // OTP entered by user
$uuid    = $_SESSION['otp_uuid'];  // Stored from Send OTP response
$smsId   = $_SESSION['otp_sms_id']; // Stored from Send OTP response

$params = http_build_query([
    'un'           => 'myuser',
    'pass'         => 'mypass',
    'mobile'       => '1XXXXXXXXX',
    'country_code' => '60',
    'method'       => 'verify',      // Must be 'verify'
    'code'         => $userOtp,
    'sms_id'       => $smsId,
    'uuid'         => $uuid,
    'interval'     => '3',           // OTP expires after 3 minutes
    'sendid'       => 'MyApp',
]);

$ch = curl_init('https://www.isms.com.my/2FA/request.php?' . $params);
curl_setopt($ch, CURLOPT_RETURNTRANSFER, true);
curl_setopt($ch, CURLOPT_SSL_VERIFYPEER, true);
curl_setopt($ch, CURLOPT_TIMEOUT, 30);
$result = curl_exec($ch);
curl_close($ch);

$data = json_decode($result, true);

if ($data['status'] === 'Verified') {
    echo 'OTP verified! User authenticated.';
    // Proceed with login / transaction
} else {
    echo 'Invalid OTP: ' . ($data['message'] ?? 'Verification failed');
}
✅ Verify OTP — Success
{
  "status":  "Verified",
  "uuid":    "1a1e1b86-4f2d-11eb-...",
  "sms_id":  "1171081605",
  "code":    "808902",
  "mobile":  "+601X-XXXXXXX"
}
❌ Verify OTP — Failed
{
  "status":  "Failed",
  "message": "Incorrect OTP Code",
  "uuid":    "1a1e1b86-4f2d-11eb-...",
  "sms_id":  "1171081605",
  "code":    "515296",
  "mobile":  "+601X-XXXXXXX"
}
Endpoint 3

Check Balance

Check your iSMS account credit balance and expiry date.

Sample Request URL
https://www.isms.com.my/2FA/request.php?un=myuser&pass=mypass&method=balance
ParameterTypeRequiredDescription
unStringRequirediSMS account username
passStringRequirediSMS account password
methodStringRequiredMust be balance
PHP · Check Balance
<?php

$params = http_build_query([
    'un'     => 'myuser',
    'pass'   => 'mypass',
    'method' => 'balance',
]);

$ch = curl_init('https://www.isms.com.my/2FA/request.php?' . $params);
curl_setopt($ch, CURLOPT_RETURNTRANSFER, true);
curl_setopt($ch, CURLOPT_SSL_VERIFYPEER, true);
$result = curl_exec($ch);
curl_close($ch);

$data = json_decode($result, true);
echo 'Balance: ' . $data['balance'] . ' credits (Expires: ' . $data['expiration'] . ')';
Response
{"method":"balance","balance":"81.0","expiration":"29 Apr 2025"}
FieldDescription
methodEchoes back the request method — balance
balanceCurrent SMS credit balance
expirationAccount credit expiry date — credits are forfeited after this date
⚠️
Credit expiry: iSMS credits are valid for one (1) year from purchase date. Credits cannot carry forward and are forfeited upon expiry. Accounts inactive for more than 90 days after expiry will be terminated.

Need Help?

Contact our team — we'll guide you through setup and integration.

+ Free Sign Up
Send SMS by Language
Check SMS Balance
SMS Scheduler (PHP)
API & Developer
How-To Guides
WordPress / CRM
SMS Features
Company & Info

📱 SMS Coverage — All Countries Worldwide

A B C D E F G H I J K L M N O P Q R S T U V Y Z
Quick Links
Products
Pricing
Support