REST OAuth API for Secure SMS Integration
Use the SMSGatewayCenter REST OAuth API when you want customers, team members, or connected apps to sign in with their SMS Gateway Center account and authorize your application to send SMS, read templates, check balance, and use other SMS REST APIs on their behalf. This guide explains the public OAuth 2.0 flow with PKCE for developers building web apps, automation platforms, AI connectors, and custom integrations in India and worldwide.
OAuth is ideal when you do not want users to paste API keys manually. After sign-in, your application receives short-lived and refreshable tokens that can be used with the same SMS REST endpoints documented in this developer portal.
Overview
The REST OAuth API follows the OAuth 2.0 Authorization Code flow with PKCE (Proof Key for Code Exchange). This is the recommended approach for web applications, SaaS products, automation tools, and server-side integrations where your app opens a browser for user sign-in.
Important: A successful login does not return JSON directly to your app. The user browser is redirected to your registered redirect URI (callback URL) with an authorization code. Your application must handle that callback and call the token endpoint to obtain the access token.
If you only need direct server-to-server access with your own account credentials, you can also use the standard API authentication guide with API key or userid and password.
Authorization flow
- Your application redirects the user to the authorize endpoint with
client_id,redirect_uri,state, and PKCE values. - The user signs in on the SMS Gateway Center authorization page. If OTP login is enabled on the account, the user completes OTP or Google Authenticator verification.
- After successful authentication, the platform issues an authorization code and redirects the browser to your callback URL:
https://your-app.com/oauth/callback?code=AUTHORIZATION_CODE&state=YOUR_STATE - Your callback handler validates
state, then sends a server-side POST request to the token endpoint with thecode,code_verifier,client_id,client_secret, and the sameredirect_uri. - The token response returns
access_token,refresh_token, andusername. Use the access token when calling SMS REST APIs on behalf of the signed-in user.
Prerequisites
- OAuth client registration: Contact our support team to register your application. You will receive a
client_id,client_secret, and one or more allowedredirect_urivalues. - HTTPS callback URL: Production callback URLs must use HTTPS. The redirect URI in your authorize request must exactly match a registered callback URL.
- PKCE support: Generate a
code_verifierandcode_challengefor each authorization attempt. OnlyS256challenge method is supported. - State parameter: Generate a random
statevalue per request and validate it in your callback handler to prevent CSRF attacks. - Active SMS Gateway Center account: The signing-in user must have a valid account with SMS API access enabled.
API endpoints
| Endpoint | Method | Purpose |
|---|---|---|
https://unify.smsgateway.center/rest/oauth/v1/authorize | GET | Start user sign-in and authorization |
https://unify.smsgateway.center/rest/oauth/v1/token | POST | Exchange authorization code or refresh token for tokens |
https://unify.smsgateway.center/rest/oauth/v1/revoke | POST | Revoke a refresh token or access token |
https://unify.smsgateway.center/rest/oauth/v1/introspect | POST | Check whether an access token is active and resolve the account username |
Step 1: Start authorization
Redirect the user browser to the authorize endpoint with these query parameters:
| Parameter | Required | Description |
|---|---|---|
response_type | Yes | Must be code. |
client_id | Yes | Your registered OAuth client ID. |
redirect_uri | Yes | Your registered callback URL. Must match exactly. |
state | Yes | Random value used for CSRF protection. Validate it in your callback. |
code_challenge | Yes | Base64 URL-encoded SHA-256 hash of your code_verifier. |
code_challenge_method | Recommended | Must be S256. |
scope | No | Optional scope string if configured for your client. |
prompt | No | Set to login to always show the sign-in form. |
Example authorize request:
curl -i -G "https://unify.smsgateway.center/rest/oauth/v1/authorize" \--data-urlencode "response_type=code" \--data-urlencode "client_id=YOUR_CLIENT_ID" \--data-urlencode "redirect_uri=https://your-app.com/oauth/callback" \--data-urlencode "state=random-state-value" \--data-urlencode "code_challenge=YOUR_CODE_CHALLENGE" \--data-urlencode "code_challenge_method=S256" \--data-urlencode "prompt=login"A valid request returns the HTML sign-in page (HTTP 200). The user completes login on that page.
Step 2: Handle the callback redirect
After successful authentication, the platform redirects the user browser to your registered redirect_uri with these query parameters:
| Parameter | Description |
|---|---|
code | Short-lived authorization code. Exchange it immediately at the token endpoint. |
state | Must match the state value you sent in Step 1. |
Example successful redirect:
HTTP/1.1 302 Found
Location: https://your-app.com/oauth/callback?code=AUTHORIZATION_CODE&state=random-state-valueYour callback handler must:
- Verify that
statematches the value stored for this authorization attempt. - Read the
codequery parameter. - Call the token endpoint from your server only. Never exchange the code from browser JavaScript.
- Store tokens securely and redirect the user to your application success page.
Note: Authorization codes expire quickly. Exchange the code as soon as your callback receives it.
Step 3: Exchange code for tokens
Send a server-side POST request to the token endpoint using application/x-www-form-urlencoded:
| Parameter | Required | Description |
|---|---|---|
grant_type | Yes | Must be authorization_code. |
client_id | Yes | Your OAuth client ID. |
client_secret | Yes | Your OAuth client secret. |
code | Yes | Authorization code from the callback URL. |
redirect_uri | Yes | Must be the same redirect URI used in Step 1. |
code_verifier | Yes | The original PKCE verifier used to create code_challenge. |
curl -s -X POST "https://unify.smsgateway.center/rest/oauth/v1/token" \-H "Content-Type: application/x-www-form-urlencoded" \--data-urlencode "grant_type=authorization_code" \--data-urlencode "client_id=YOUR_CLIENT_ID" \--data-urlencode "client_secret=YOUR_CLIENT_SECRET" \--data-urlencode "code=AUTHORIZATION_CODE_FROM_CALLBACK" \--data-urlencode "redirect_uri=https://your-app.com/oauth/callback" \--data-urlencode "code_verifier=YOUR_CODE_VERIFIER"Example success response (HTTP 200):
{
"access_token": "your-sms-api-key",
"token_type": "Bearer",
"expires_in": 3600,
"refresh_token": "opaque-refresh-token-value",
"username": "your-user-id",
"scope": ""
}The access_token authorizes SMS REST API calls on behalf of the signed-in user. The username value is the SMS Gateway Center user ID required on SMS API requests.
Token storage and lifetimes
| Token | Lifetime | Recommended use |
|---|---|---|
| Authorization code | 10 minutes | Do not store. Read from the callback URL and exchange immediately. |
| Access token | 3600 seconds (1 hour) | Store securely on your server. Use it when calling SMS REST APIs. |
| Refresh token | 30 days | Store securely on your server. Use it to obtain a new access token without asking the user to sign in again. |
When a user disconnects your app or logs out, call the revoke endpoint with the refresh token to end the authorized session.
Step 4: Refresh an access token
Before the access token expires, or after you receive an authentication error from SMS APIs, request a new access token using the stored refresh token:
curl -s -X POST "https://unify.smsgateway.center/rest/oauth/v1/token" \-H "Content-Type: application/x-www-form-urlencoded" \--data-urlencode "grant_type=refresh_token" \--data-urlencode "client_id=YOUR_CLIENT_ID" \--data-urlencode "client_secret=YOUR_CLIENT_SECRET" \--data-urlencode "refresh_token=YOUR_REFRESH_TOKEN"Example refresh success response (HTTP 200):
{
"access_token": "your-sms-api-key",
"token_type": "Bearer",
"expires_in": 3600,
"refresh_token": "",
"username": "your-user-id",
"scope": ""
}On refresh, a new access_token is returned. The same refresh_token remains valid until it expires or is revoked.
If refresh fails with invalid_grant, the refresh token has expired or been revoked. Redirect the user through the authorize flow again.
Step 5: Revoke tokens
Revoke the refresh token when the user logs out of your application or disconnects the integration:
curl -s -X POST "https://unify.smsgateway.center/rest/oauth/v1/revoke" \-H "Content-Type: application/x-www-form-urlencoded" \--data-urlencode "client_id=YOUR_CLIENT_ID" \--data-urlencode "client_secret=YOUR_CLIENT_SECRET" \--data-urlencode "refresh_token=YOUR_REFRESH_TOKEN"Example revoke success response (HTTP 200):
{
"revoked": true
}Step 6: Call SMS APIs after OAuth
After OAuth completes, use these two values together on every SMS REST API call:
| OAuth token response field | How to use it on SMS APIs |
|---|---|
access_token | Send as apikey header or Authorization: Bearer ACCESS_TOKEN. |
username | Send as the userid query or form parameter on every SMS API request. |
Important: OAuth does not replace the SMS API request format. You still call the same SMS REST endpoints documented in this developer portal. OAuth only replaces manual password or API key entry with a user sign-in flow.
Always include userid=USERNAME_FROM_TOKEN_RESPONSE and output=json in the SMS API request.
Example: Check SMS balance
curl -s -G "https://unify.smsgateway.center/SMSApi/account/readstatus" \--data-urlencode "userid=YOUR_USERNAME" \--data-urlencode "output=json" \-H "Authorization: Bearer YOUR_ACCESS_TOKEN"Example: Read SMS templates
curl -s -G "https://unify.smsgateway.center/SMSApi/template/read" \--data-urlencode "userid=YOUR_USERNAME" \--data-urlencode "output=json" \-H "Authorization: Bearer YOUR_ACCESS_TOKEN"To fetch one template by ID, add id=TEMPLATE_ID to the query string.
Example: Send SMS (quick send)
curl -s -X POST "https://unify.smsgateway.center/SMSApi/send" \-H "Authorization: Bearer YOUR_ACCESS_TOKEN" \-H "Content-Type: application/x-www-form-urlencoded" \--data-urlencode "userid=YOUR_USERNAME" \--data-urlencode "output=json" \--data-urlencode "sendMethod=quick" \--data-urlencode "mobile=919999999999" \--data-urlencode "senderid=YOUR_SENDER_ID" \--data-urlencode "msg=Your order is ready." \--data-urlencode "msgType=text" \--data-urlencode "duplicatecheck=true"If your account uses DLT in India, include the approved dltTemplateId and dltEntityId values documented in the SMS API section. See also our Send SMS API guide for additional parameters.
Token introspection (optional)
If your application receives only a bearer token and needs to resolve the account username before calling SMS APIs, use the introspection endpoint:
curl -s -X POST "https://unify.smsgateway.center/rest/oauth/v1/introspect" \-H "Content-Type: application/x-www-form-urlencoded" \--data-urlencode "token=YOUR_ACCESS_TOKEN"Example active token response:
{
"active": true,
"username": "your-user-id",
"token_type": "Bearer"
}Use the returned username as the SMS API userid parameter.
Third-party integrations
All OAuth-connected apps follow the same pattern after sign-in:
- Complete the OAuth authorize and token exchange on your server.
- Store
access_token,refresh_token, andusernamesecurely. - Refresh the access token before it expires.
- Call SMS APIs with
userid=usernameand the current access token as bearer orapikeyheader.
| Integration type | What to implement |
|---|---|
| Zapier, Make, and automation platforms | Run OAuth once per connected account, store tokens server-side, then attach bearer auth and userid on each SMS action. |
| ChatGPT and AI connectors | Complete OAuth during connector setup, store tokens securely, and use bearer auth plus userid when calling SMS APIs from your app backend. |
| Custom web and mobile apps | Implement authorize, callback, token, refresh, and revoke on your server. Never expose client secrets or tokens in client-side code. |
OTP and two-factor login during OAuth
If the signing-in user has OTP login enabled, the authorization page follows the same rules as the standard account login:
- User enters User ID and password.
- If OTP is required, the user selects an OTP medium such as Email, SMS, WhatsApp, or Google Authenticator when configured.
- User enters the OTP code.
- After OTP verification succeeds, the platform redirects to your callback URL with the authorization code.
If OTP is not enabled on the account, successful password validation redirects directly to your callback URL.
Security requirements
- Always use HTTPS for production callback URLs.
- Never expose
client_secretor tokens in client-side JavaScript or mobile app packages. - Validate
stateon every callback. - Store
code_verifiersecurely until the token exchange completes. - Exchange authorization codes only from your server.
- Use
prompt=loginwhen you need to force a fresh sign-in. - Revoke tokens when the user disconnects your application.
Common errors
OAuth error responses use this JSON format:
{
"error": "error_code",
"error_description": "Human readable message."
}| Error | Typical cause |
|---|---|
invalid_request | Missing or invalid authorize or token parameters. |
invalid_client | Unknown client ID, wrong client secret, or redirect URI not registered. |
invalid_grant | Authorization code expired, already used, or PKCE verifier mismatch. |
unsupported_response_type | response_type is not code. |
unsupported_grant_type | Token grant type is not supported. |
If token exchange fails with invalid_grant immediately after login, verify that your callback URL matches the registered redirect URI exactly, that the authorization code was exchanged promptly, and that your PKCE code_verifier matches the original challenge.
Frequently asked questions
apikey header together with the userid parameter.userid value returned as username in the token response.Need OAuth client credentials? Contact our support team with your application name, callback URL, and use case. You can also explore the rest of our SMS API documentation for send, templates, reports, and more.
Testimonials
Why do Great Businesses Trust SMS Gateway Center?

