Authevo documentation

Verify your users on WhatsApp in two API calls. A single REST endpoint to send a one-time code, and one to verify it — no SDK to install.

Introduction

Authevo is a WhatsApp OTP verification API for Egypt and the wider MENA region. You send a one-time code to a phone number over WhatsApp, then verify the code your user typed back. That's the whole product.

Every request is a plain HTTPS call against a single base URL. Responses come back as JSON, wrapped in a predictable envelope, so the same two calls work in any language your backend already speaks.

Base URL: https://api.authevo.dev

The two-call model

POST /v1/otp/send
Send a one-time code to a phone number.
POST /v1/otp/verify
Check the code the user entered.

Codes are delivered over WhatsApp, with automatic Telegram fallback if WhatsApp can't be reached — your integration code never changes.

Quickstart

Go from zero to a verified phone number in a couple of minutes.

Get an API key

Create an account and copy your secret key from the dashboard. Secret keys are prefixed with sk_live_ and authenticate every request.

Send and verify a code

Call the send endpoint with a phone number, then the verify endpoint with the code your user received. The example below uses cURL:

# 1. Send a one-time code over WhatsApp
curl -X POST https://api.authevo.dev/v1/otp/send \
  -H "Authorization: Bearer sk_live_…" \
  -H "Content-Type: application/json" \
  -d '{ "phone": "+201234567890" }'

# 2. Verify the code your user entered
curl -X POST https://api.authevo.dev/v1/otp/verify \
  -H "Authorization: Bearer sk_live_…" \
  -H "Content-Type: application/json" \
  -d '{ "phone": "+201234567890", "code": "123456" }'

Authentication

Authevo uses bearer authentication. Pass your secret key in the Authorization header on every request.

Authorization: Bearer sk_live_

There are no other auth schemes — no OAuth, no sessions, no logins. A valid secret key is all a request needs.

Keep your secret key on the server

Secret keys grant full access to send and verify on your account. Never ship one in client-side or mobile app code, and never commit it to version control. Make Authevo calls from your backend, and rotate a key immediately if it leaks.

API reference

Two endpoints, both POST, both accepting and returning JSON. All requests must be authenticated.

Send OTP

POST /v1/otp/send

Generates a one-time code and delivers it to the phone number over WhatsApp. The code expires after the number of seconds returned in expires_in.

| Parameter | Type | Required | Description |
|-----------|------|----------|-------------|
| phone | string | Required | Recipient phone number in E.164 format, including the country code. |

Request
cURL
curl -X POST https://api.authevo.dev/v1/otp/send \
  -H "Authorization: Bearer sk_live_…" \
  -H "Content-Type: application/json" \
  -d '{ "phone": "+201234567890" }'
Response
200 OK
{
  "data": {
    "message_id": "msg_9k2m4n8x",
    "status": "sent",
    "expires_in": 300
  }
}

A successful call returns the message identifier and a sent status.

Verify OTP

POST /v1/otp/verify

Checks the code your user entered against the one that was sent to their phone. Returns whether the code is valid.

| Parameter | Type | Required | Description |
|-----------|------|----------|-------------|
| phone | string | Required | The same phone number the code was sent to, in E.164 format. |
| code | string | Required | The 6-digit code the user received over WhatsApp. |

Request
cURL
curl -X POST https://api.authevo.dev/v1/otp/verify \
  -H "Authorization: Bearer sk_live_…" \
  -H "Content-Type: application/json" \
  -d '{ "phone": "+201234567890", "code": "123456" }'
Response
200 OK
{ "data": { "verified": true } }

When the code matches and is still valid, verified is true. Otherwise the request fails with an error envelope.

Errors

Authevo uses standard HTTP status codes. Successful responses are wrapped in a data object; failures return an error object with a machine-readable code and a human-readable message.

422 Unprocessable Entity
{
  "error": {
    "code": "invalid_phone",
    "message": "The phone number is not a valid E.164 number."
  }
}

| Status | Code | Meaning |
|--------|------|---------|
| 400 | invalid_request | The request body was malformed or missing a required field. |
| 401 | invalid_api_key | The Authorization header is missing or the secret key is invalid. |
| 402 | insufficient_credits | Your account has run out of verification credits. |
| 422 | invalid_phone | The phone number is not a valid E.164 number. |
| 429 | rate_limited | Too many requests. Slow down and retry after a short delay. |

Always branch on the HTTP status and the error.code, not the message — messages may change.

Rate limits

Requests are rate limited per account. When you exceed the limit, the API responds with 429 rate_limited — back off and retry after a short delay.
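
A server-side wrapper that applies the error and rate-limit guidance above, as an added example rather than Authevo's own code. The AuthevoError class, the injectable post and sleep parameters, the 1 s / 2 s / 4 s backoff schedule, and the choice to treat any unlisted error on verify as "not verified" are assumptions; the secret key is expected to come from your backend's environment or secret store.

```python
import json
import time
import urllib.error
import urllib.request

BASE_URL = "https://api.authevo.dev"


class AuthevoError(Exception):
    def __init__(self, status, code, message):
        super().__init__(f"{status} {code}: {message}")
        self.status, self.code = status, code


def http_post(path, payload, api_key):
    """Real transport: returns (status, JSON body) for success and error responses."""
    req = urllib.request.Request(
        BASE_URL + path, data=json.dumps(payload).encode(), method="POST",
        headers={"Authorization": f"Bearer {api_key}", "Content-Type": "application/json"})
    try:
        with urllib.request.urlopen(req, timeout=10) as resp:
            return resp.status, json.load(resp)
    except urllib.error.HTTPError as err:
        return err.code, json.load(err)


def call(path, payload, api_key, post=http_post, retries=3, sleep=time.sleep):
    """Unwrap the data/error envelope; back off and retry only on 429 rate_limited."""
    for attempt in range(retries + 1):
        status, body = post(path, payload, api_key)
        if 200 <= status < 300 and "data" in body:
            return body["data"]
        err = body.get("error", {})
        if (status, err.get("code")) == (429, "rate_limited") and attempt < retries:
            sleep(2 ** attempt)  # assumed schedule: 1 s, 2 s, 4 s
            continue
        raise AuthevoError(status, err.get("code", "unknown"), err.get("message", ""))


def verify_otp(phone, code, api_key, **kw):
    """Fail closed: only an explicit `verified: true` counts as success."""
    try:
        data = call("/v1/otp/verify", {"phone": phone, "code": code}, api_key, **kw)
        return data.get("verified") is True
    except AuthevoError as exc:
        if exc.status in (401, 402, 429):  # account or capacity problem, not a bad code
            raise
        return False  # assumption: any other error envelope means "not verified"
```

Re-raising 401, 402 and 429 keeps an expired key, exhausted credits or throttling visible to your monitoring instead of showing up as a stream of failed logins.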

Safety Floor

Beyond simple rate limits, the Safety Floor watches for abuse patterns and runaway spend, throttling suspicious traffic before it costs you. It works automatically — there is nothing to configure.