Forum Discussion

cd's avatar
Icon for Cirrus rankCirrus
Jul 10, 2019

OTP SMS with API (SMS Gateway)


I'd like to do OTP SMS via an HTTP API

I'm reading this link but is it still up to date (February,2011) ? the VPE is still OK or maybe they are news things..


Should I still need the iRule (It doesn't seem to be working (BIG IP v12.1.3.7)) ? Or can I use the OTP GENERATE object rather ?

Second thing I don't understand the use of "Variable Asssign HTTP", same for the username variable





  • Hi cd,


    I'm using a hardware device SMSEagle as my SMS gateway with APM.


    As Neils rightly said above, there is no need to use an iRule.


    I'm using these VPE agents in this particular sequence:


    OTP Generate

    HTTP Auth (to send the OTP as SMS)

    Logon Page (to collect the OTP)

    OTP Verify


    Please refer to attached screenshots.


    I hope it helps.







11 Replies

  • Hi cd,


    I'm using a hardware device SMSEagle as my SMS gateway with APM.


    As Neils rightly said above, there is no need to use an iRule.


    I'm using these VPE agents in this particular sequence:


    OTP Generate

    HTTP Auth (to send the OTP as SMS)

    Logon Page (to collect the OTP)

    OTP Verify


    Please refer to attached screenshots.


    I hope it helps.







  • It looks like your F5 might be blocked by a firewall or router when trying to reach the SMS GW? Also check from which interface the calls are being sourced when APM initiates the connection.


    BR, Marcus

  • It seems the documentation you are referring to is a little outdated. You don't need to use the iRule to create an OTP. Just use the 'OTP Generate' agent in the VPE.


    The 'Variable Assign HTTP' is being used to match the AAA HTTP sms_auth object. You can see the fields 'Form Parameter for User Name' being set to 'to' and the 'Form Parameter for Password' being set to 'text'. These fields are being read from 'session.logon.last.username' and 'session.logon.last.password'.


    Which SMS gateway are you using? If using MessageBird you could also use this code:



    Note that there are also other code snippets available for other SMS gateway providers.


  • Even with the "?" it still dosent work:

     > Session variable 'session.http.last.errmsg' set to 'Curl perform failed: Couldn't connect to server'

    I tried with GET or POST METHOD


    Using Postman the curl is working in POST METHOD


    BODY >messageText=test+Message+1&destinationAddress=33611223344&username=xxxxxxxt&password=xxxxx

     WITH HEADER> Accept:application/json and Content-Type:application/x-www-form-urlencoded

    From F5 it doesn't work

    curl -vkX POST -d 'messageText=REST+test4&destinationAddress=33611223344&username=xxxxxx&password=xxxxxxx'

    * About to connect() to port 443 (#0)

    *  Trying Connection refused

    * couldn't connect to host

    * Closing connection #0

    curl: (7) couldn't connect to host



    I tried the curl command from an other linux server and it's working but not from the F5 :/

  • Yeah it's worked finally but I needed to use a custom post in AAA HTTP Server and use un custom body. Also add custom headers with "Accept:application/json and Content-Type:application/x-www-form-urlencoded"

    • Md__Maksudur_Ra's avatar
      Icon for Nimbostratus rankNimbostratus

      Dear CD,

      thanks for sharing your knowledge. Have you any step-by-step documents for this solution? Let me explain a little my scenario first. 

      I do have a BIG-IP VE  ver 16+ WAF, I want to publish a virtual server, where OTP SMS will be generated by my own SMS Windows gateway. Please share any doc for this MFA Deployment with AD Authentication.


  • Hi CD, I also have to use a custom post and have some trouble getting it to work. Were you able to use variables in your custom post?

  • One-time password (OTP) SMS is a method of authenticating a user by sending a unique code to their phone via SMS, which the user can then enter to confirm their identity. This can be useful for adding an extra layer of security to online accounts or transactions.

    To send OTP SMS messages using an API (Application Programming Interface), you will need to use an SMS gateway service that provides an API for sending SMS messages. There are many SMS gateway providers that offer API access, and the specific details of how to use the API will depend on the provider you choose.

    Generally, you will need to sign up for an account with an SMS gateway provider and obtain API credentials (such as an API key or token) that you can use to authenticate your API requests. You will then be able to use the API to send SMS messages to phone numbers that you specify, including OTP messages.

    For example, you might use the API to send an OTP message to a user's phone number when they request to reset their password on your website. The user would then enter the OTP code they receive via SMS to confirm their identity and complete the password reset process.

    It's important to note that you will need to ensure that you are compliant with any relevant laws and regulations regarding the use of SMS messages, including obtaining the necessary consent from users before sending them SMS messages.

    Source: SMSala 

  • Denn's avatar
    Icon for Nimbostratus rankNimbostratus

    I wanted to start a discussion about OTP SMS with API, specifically related to SMS Gateways. It's a crucial topic for anyone working on applications or services that require secure and reliable user verification. So, let's dive right into it and share our thoughts, experiences, and tips!

    Message Central: "OTP (One-Time Password) verification is essential for maintaining security in various online platforms. Using SMS as a delivery method has been a common choice. Let's explore how SMS Gateways and APIs play a role in this process."

    To kick things off, here are a few questions and points to consider:

    1. Choosing the Right SMS Gateway Provider: How do you select the right SMS Gateway provider for your project? What factors do you consider, such as pricing, reliability, and global coverage?

    2. Integration with APIs: What APIs have you used or integrated into your projects for sending OTP SMS? Have you encountered any challenges or found any particular APIs to be exceptionally easy to work with?

    3. Security Concerns: OTP is all about security. How do you ensure that the OTP SMS delivery is secure and that the codes aren't intercepted by malicious actors during transmission?

    4. Delivery Reliability: What strategies or best practices do you follow to ensure that OTP SMS messages are delivered reliably and promptly, even in challenging network conditions?

    5. User Experience: How do you balance the need for security with a smooth user experience? What methods or user-friendly practices have you employed to make OTP verification hassle-free for users?

    6. Regulatory Compliance: Are there any specific regulatory requirements in your region or industry that you need to adhere to when sending OTP SMS messages? How do you handle compliance issues?

    Please feel free to share your experiences, insights, and recommendations related to OTP SMS with API and SMS Gateways. Let's learn from each other and make the user verification process as secure and user-friendly as possible!

    Happy discussing! 🚀