Skip to main content
The Session API lets you send and validate one-time passwords (OTP) for two-factor authentication (2FA) using SMS and voice channels. API Endpoint

The Session Object

The API creates a Session object once for each recipient within the code expiry time. A session can have multiple attempts to deliver the OTP.

Attributes

session_uuid
string
A 36-character string that uniquely identifies a session.
app_uuid
string
ID of the application used to trigger the session.
alias
string
Alias of the Verify application used to trigger the session.
recipient
string
The destination phone number (in E.164 format).
destination_country_iso2
string
ISO 3166-1 alpha-2 country code of the destination number. Example: IN.
destination_network
string
Carrier network detected for the destination number.
requestor_ip
string
IP address from which the session creation request originated.
status
string
Current status. Values: in-progress, verified, expired.
channel
string
The last channel used for the session.
locale
string
Language translation used for the session.
otp_attempts
object
Details of all attempts made during a session.
charge
object
Details of all charges incurred during a session.
created_at
string
UTC time when the session was created.
updated_at
string
UTC time when the session was last updated.

Create a Session

Send an OTP via SMS or voice.

Arguments

recipient
string
required
The phone number to send the OTP to.
app_uuid
string
UUID of the Verify application. Defaults to default application.
channel
string
Delivery channel. Values: sms, voice. Default: sms.
url
string
URL for status callbacks.
method
string
HTTP method for callbacks. Values: GET, POST. Default: POST.
locale
string
Language code (e.g., en_US, es, fr_FR). Default: en.
brand_name
string
Brand name to replace ${brand_name} in templates.
app_hash
string
Android app hash for SMS Retriever API integration.
code_length
integer
OTP length (4-8). Overrides application default.

Example

Response

api_id
string
Unique identifier for the API request.
message
string
Status of the request. Returns Session initiated on successful session creation.
session_uuid
string
A 36-character string that uniquely identifies a session.

Validate a Session

Validate the OTP entered by the user.

Arguments

otp
string
required
The OTP to validate.
You can attempt no more than 10 validations per session to prevent brute-force attacks.

Example

Response

api_id
string
Unique identifier for the API request.
message
string
Status of the request. Returns session validated successfully. on a successful validation.

Retrieve a Session

Get details of a specific session.

Example

Response

api_id
string
Unique identifier for the API request.
session_uuid
string
A 36-character string that uniquely identifies a session.
app_uuid
string
ID of the application used to trigger the session.
recipient
string
The destination phone number (in E.164 format).
channel
string
The last channel used for the session.
status
string
Current status. Values: in-progress, verified, expired.
attempt_details
array
Details of all attempts made during the session.
charges
object
Details of all charges incurred during the session.
created_at
string
UTC time when the session was created.
updated_at
string
UTC time when the session was last updated.

List All Sessions

Retrieve a list of sessions based on filter criteria over the last 90 days.
The default rate limit is 20 requests per minute. Exceeding this limit returns “too many requests” error.

Query Parameters

app_uuid
string
Filter by application UUID.
status
string
Filter by status. Values: in-progress, verified, expired.
recipient
string
Filter by destination number (E.164 format).
subaccount
string
Filter by subaccount.
limit
integer
Results per page. Max: 20. Default: 20.
offset
integer
Number of results to skip. Default: 0.
session_time
string
Filter by session initiation time. Format: YYYY-MM-DD HH:MM. Supports variants: session_time__gt, session_time__gte, session_time__lt, session_time__lte.
brand_name
string
Filter by brand name.
app_hash
string
Filter by app hash.

Example

Response

api_id
string
Unique identifier for the API request.
meta
object
Pagination metadata: limit (results per page), offset (items skipped), and next/previous page URLs.
sessions
array
Array of session objects — see The Session Object.

Status Callbacks

Set up a server endpoint to receive real-time status updates for your verification sessions. Specify the callback URL when creating a session.

Callback Attributes

SessionUUID
string
Unique session identifier.
SessionStatus
string
Session status. Values: in-progress, expired.
AttemptUUID
string
Unique identifier for the SMS/call attempt.
AttemptSequence
string
Sequence number of the attempt.
Channel
string
Channel used. Values: sms, voice.
ChannelStatus
string
Attempt status. SMS: queued, sent, delivered, failed, undelivered. Voice: in-progress, completed, ringing.
ChannelErrorCode
string
Error code from the channel.
Recipient
string
Destination phone number.
RequestTime
string
UTC time when the attempt was created.

Callback Behavior

Plivo automatically retries webhooks three times if HTTP 200 is not returned:
  • First retry: 60 seconds after original attempt
  • Second retry: 120 seconds after first retry
  • Third retry: 240 seconds after second retry

  • Overview - Quick start guide and concepts