SMS setup
Configure SMS providers, failover, templates, and rate limits in the Console
This guide walks through enabling SMS for your Wocha tenant — from provider credentials to test delivery. SMS powers phone verification, SMS MFA enrolment, and consent-time step-up challenges.
Prerequisites
- A Wocha tenant with Console access
- An account with one or more SMS providers (Twilio, Vonage, MessageBird, or AWS SNS)
- A verified sender number or originator approved by your provider
Step 1 — Enable SMS
- Open the Console and navigate to Settings → SMS
- Toggle SMS enabled to on
- Select your primary provider from the dropdown
Each provider requires different credentials:
| Provider | Required fields |
|---|---|
| Twilio | Account SID, Auth Token, From Number (E.164) |
| Vonage | API Key, API Secret, From (sender ID or number) |
| MessageBird | API Key, Originator |
| AWS SNS | Access Key ID, Secret Access Key, Region, optional Sender ID |
Enter the credentials for your chosen provider and save.
Step 2 — Configure failover (optional)
Wocha automatically retries with a fallback provider when the primary fails with a retryable error (timeout, 5xx, rate limit).
- Under Failover provider, select a secondary provider
- Enter credentials for the fallback provider
- Save
Failover events are logged to the audit trail. The delivery dashboard shows per-provider success rates so you can monitor failover frequency.
Step 3 — Enable SMS MFA
If you plan to use SMS as an MFA factor:
- Toggle SMS MFA enabled to on
- Add
smsto your MFA policy allowed factors under Settings → Security → MFA Policy - Optionally set Preferred factor to
SMSfor users enrolled with multiple factors
SMS MFA requires users to verify a phone number before enrolment. See the Phone API reference for the verification flow.
Step 4 — Customise SMS templates
Navigate to Branding → Templates and select the SMS channel. Four template keys are available:
| Template key | Used for |
|---|---|
verification_code | Phone number verification |
login_code | Passwordless SMS login |
recovery_code | Account recovery via SMS |
mfa_code | MFA step-up challenges |
Template variables
| Variable | Description |
|---|---|
{{code}} | 6-digit OTP code |
{{app_name}} | Tenant display name |
{{expiry_minutes}} | Code validity period (default 15) |
Character limits
SMS messages are limited to 160 characters for a single segment. Messages exceeding 160 characters are split into multiple segments (up to 320 characters for two segments). The template editor shows a character counter with segment warnings.
Step 5 — Tune rate limits
Under Settings → SMS, configure:
| Setting | Default | Description |
|---|---|---|
| Per-phone limit | 5 / 15 min | Maximum OTPs sent to a single number |
| Daily limit | 1,000 / day | Maximum SMS volume per tenant per day |
These limits protect against SMS pumping (toll fraud) and runaway costs. The gateway also enforces a global circuit breaker that pauses delivery when a provider's error rate exceeds 50% over a 5-minute window.
Adjust limits via the Customer API:
Step 6 — Send a test SMS
- In Settings → SMS, scroll to Test delivery
- Enter a phone number in E.164 format (e.g.
+447911123456) - Click Send test SMS
A test OTP is sent using your configured primary provider. Check the delivery dashboard for the result. If the primary fails, failover to the secondary provider is attempted automatically.
Step 7 — Monitor delivery
The SMS Delivery Dashboard (under Settings → SMS or Risk & Fraud) shows:
- Delivery success/failure rate (24h, 7d, 30d)
- Per-provider delivery statistics
- Failed deliveries table (timestamp, phone hash, provider, error code)
- Monthly SMS volume
Delivery logs store hashed phone numbers (recipient_hash) — not plaintext E.164 values.
Self-hosted configuration
For self-hosted deployments, SMS provider credentials are stored in tenant_configs under
the sms key. The SMS Gateway package (@wocha/sms-gateway) reads this configuration at
runtime. Ensure Valkey is available for OTP storage and rate limiting.
Kratos SMS courier (for native login/recovery codes) requires separate TWILIO_*
environment variables on the Kratos service. See
SMS authentication for Kratos courier
setup.
Related
- SMS authentication guide — architecture and security
- Phone API reference — Account API phone endpoints
- SMS MFA API reference — MFA enrolment endpoints
- Adaptive MFA — phone risk signals at consent time