Webhook Integration for Real-Time SMS Events
June 19, 2026
Configure SMSTwins signed webhooks for activation and SMS events. Validate HMAC-SHA256 signatures, handle retries, and automate OTP capture in your backend.
Polling the SMSTwins API works for small scripts; production systems and CI harnesses need webhooks — HTTP callbacks the moment an OTP arrives or an activation changes state. Real-time events reduce latency, eliminate polling rate consumption, and simplify parallel QA.
What webhooks deliver
SMSTwins sends signed POST requests to your configured URL for events including:
- Inbound SMS with raw body and parsed OTP
- Activation status transitions (waiting, received, completed, expired, cancelled)
- Refund-related state changes after timeout
Payloads include activation IDs, service names, countries, and timestamps for idempotent processing.
Configuration
Open Webhooks in dashboard settings:
- Enter your HTTPS endpoint URL
- Note the signing secret for signature validation
- Save and trigger a test activation to verify delivery
Use separate endpoints or secrets per environment — staging versus production QA — to prevent cross-contamination.
Signature validation
Every request includes X-SMSTwins-Signature — HMAC-SHA256 over the raw request body using your webhook secret. Reject requests with invalid signatures before parsing JSON.
Never log signing secrets. Rotate secrets if exposure is suspected.
Retry behavior
Transient failures on your server trigger retries with exponential backoff. Return 2xx quickly after enqueueing work; process OTP asynchronously to avoid timeout retries.
Implement idempotency keys using activation ID plus event type so duplicate deliveries do not double-charge internal workflows.
Example processing flow
- Validate signature
- Parse event type
- If SMS received, extract parsed OTP and push to test queue or user session store
- Acknowledge with HTTP 200
- Background worker completes verification step in app under test
Developer and QA benefits
Webhook-driven suites scale horizontally — multiple CI jobs consume OTP events from a shared queue fed by one webhook endpoint. Latency metrics between platform SMS send and webhook receipt help track regression.
Pair webhooks with automatic refunds awareness: expired activations emit state events your cleanup jobs should handle.
Security hardening
- Require HTTPS only
- Restrict source IPs if your infrastructure supports allowlists
- Validate event timestamps against replay windows
- Scope webhook secrets per team or project
SMSTwins ecosystem fit
Webhooks complement REST activation APIs and the SMSTwins Simple API. Together they provide full lifecycle automation for SMS verification across non-VoIP numbers in 180+ countries.
Webhook integration transforms SMSTwins from a manual OTP dashboard into real-time infrastructure for developers, QA teams, and automated registration testing — professional SMS verification without polling loops.