1. Home
  2. Gateway
  4. OAuth 2.0

OAuth 2.0

The sms77.io API can be used using the OAuth 2.0 protocol for authentication and authorization to allow users of your software an easy and direct integration of our service.


Using OAuth 2.0, your application can gain access rights to customers’ accounts in order to send API requests directly to us on their behalf. To do this, you must first register your application with us. You can currently only get this from our support. Please enter your redirect URL(redirect_uri). You will receive client_id and client_secret as your access data to our OAuth 2.0 API. All applications will now run according to the following pattern when accessing our API with OAuth 2.0:

  • First, you need to obtain authorization from the customer. To do this, you redirect them to a special page at our site, where the customer must log in and allow access to your application.
  • After confirming or denying the authorization request, the customer is sent back to your application. Provided the customer approves, your application will receive an authorization code.
  • With this authorization code, your application can retrieve the access token via our OAuth 2.0 API, which allows direct access to our APIs.

Access tokens have a limited lifetime of one hour by default. If your application needs access to our APIs beyond the lifetime of a single access token, it can retrieve new access tokens using your application’s refresh to ken.


1. Application setup

You will receive the following access tokens from us as credentials to the OAuth 2.0 API:

client_id testclient
client_secret testsecret

The redirect_uri you provide is https://acme.inc/oauth_redirect

2. Redirect customer to OAuth 2.0 authorization page

Redirect your customers to the following URL:


state is a random string and is used to avoid CSRF attacks.

scope is the requested scope you want to have access to from the customer – in this case sending SMS and requesting statistics.

3. Customer is sent back to your application

After the customer grants (or denies) authorization, we automatically redirect him to your redirect_uri with some additional GET parameters.

In case of success:


In case of failure:


You should definitely check here if state matches the value you created in the second step to avoid CSRF.

4. Retrieve access token

If everything has worked so far, you can now use the GET parameter code from step 3. to retrieve an access token as follows:

curl -u testclient:testpass https://oauth.sms77.io/token -d 'grant_type=authorization_code&code=9ccb478a7cbe043c1df211f1d52a6437f8756cf8'

You will get back data in JSON format as follows in case of success:

5. Refresh access token

To update the access token, call the OAuth 2.0 API as follows:

curl -u testclient:testpass https://oauth.sms77.io/token -d 'grant_type=refresh_token&refresh_token=ffd8e622aa5dccc2905f2ac6a0999c785a803157'

You will get back in success case data new token in JSON format as follows:

{"access_token": "worw5xlrl0sjwqkvmstibwn4pw0mdvpddljzkfi8", "expires_in":3600, "token_type": "Bearer", "scope": "sms", "refresh_token": "n94c2kyej8ycsjutmviuk8i6zebgsda0uzg2gbpn"}
6. Accessing our APIs

Call our APIs according to the respective documentation and send the access token in the Authorization header without any further encoding (no bas64 or similar).

curl https://gateway.sms77.io/api/sms -H 'Authorization: Bearer ACCESS_TOKEN'

Furthermore you can test the successful connection via OAuth 2.0 with the following call:

curl https://oauth.sms77.io/me -H 'Authorization: Bearer ACCESS_TOKEN'


    "success": true,
    "user_id": 12345,
    "email": "john.doe@acme.inc",
    "company": "Acme Inc",
    "alias": "acme_inc",
    "balance": "627.3615"


You can request the following scopes from the customer:

Scope Meaning
analytics Query statistics
balance Query balance
contacts Query and edit contacts
hooks Allow to change and view webhooks
journal Query your logbook
lookup Perform lookup requests (HLR, MNP etc.)
pricing Query prices of the account
sms Send SMS messages
status Query status report of SMS
subaccounts Edit and view subaccounts
validate_for_voice Verify phone numbers as originators for voice
voice Send voice messages

Multiple scopes can be specified using a url-coded blank character. If the scope is not specified or is empty, the default scope is used.

PHP Code sample

Here is a simple example in PHP.

In the first code, the OAuth URL is generated and the customer is redirected to it:


// Application credentials 
$client_id = 'testclient'; 
$client_secret = 'testsecret';


// Request authorization for sms, analytics and lookup endpoints. 
// Leave empty to allow all scopes
$requested_scopes = [

// Generate random string for state
$state = bin2hex(openssl_random_pseudo_bytes(10));

// Store state in session
$_SESSION['state'] = $state;

// Build authorization URI
$auth_uri = 'https://oauth.sms77.io/authorize?' .
    'response_type' => 'code',
    'client_id' => $client_id,
    'state' => $state,
    'scope' => implode(' ', $requested_scopes),

// Redirect User to OAuth authorization site
header('Location: ' . $auth_uri);

The second code is the page that runs under your redirect_uri. Here the authorization is checked and the tokens are retrieved:


// Application credentials 
$client_id = 'testclient'; 
$client_secret = 'testsecret';


// CSRF check failed
if($_GET['state'] != $_SESSION['state']) {
  die('CSRF check failed');

// An error occured during authorization
elseif(isset($_GET['error'])) {
  die('Error: ' . $_GET['error']);

// We got a code, send it to OAuth 2.0 API to get the tokens...
elseif(isset($_GET['code'])) {
  $post_vars = http_build_query([
    'grant_type' => 'authorization_code',
    'code' => $_GET['code'],

  $ch = curl_init();
  curl_setopt($ch, CURLOPT_USERPWD, $client_id . ":" . $client_secret);

  curl_setopt($ch, CURLOPT_URL, 'https://oauth.sms77.io/token');
  curl_setopt($ch, CURLOPT_POST, 1);
  curl_setopt($ch, CURLOPT_POSTFIELDS, $post_vars);
  curl_setopt($ch, CURLOPT_RETURNTRANSFER, true);

  $response = curl_exec($ch);

  curl_close ($ch);

  $token = json_decode($response);

  // You should store the tokens here in order to make API calls
  die("Access Token: " . $token->access_token);