Security Guide

SMS Security & Compliance Guide

API security, data protection, DLT compliance, and regulatory requirements — everything you need to keep your SMS operations secure and compliant.

Security Layers

4 Layers of SMS Security

🔑 API Authentication

Bearer token authentication, IP whitelisting, and API key rotation protect your account from unauthorized access.

  • Bearer token auth on every request
  • IP whitelisting (restrict to your servers)
  • Rotate API keys every 90 days
  • Separate keys for production vs. sandbox

🔒 Data in Transit

All API communication is encrypted with TLS 1.2+. We enforce HTTPS — plain HTTP requests are rejected.

  • TLS 1.2 / 1.3 encryption enforced
  • HTTP requests automatically rejected
  • Certificate pinning supported
  • HSTS headers on all responses
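
The two transport-side layers above (Bearer authentication with per-environment keys, and TLS 1.2+ with optional certificate pinning) can be enforced from the client side as well, so a misconfigured server or a downgrade never goes unnoticed. The following cURL client is an added example, not the provider's SDK; the environment variable names (SMS_API_KEY_PRODUCTION / SMS_API_KEY_SANDBOX), the endpoint URL, the request body fields and the pin string are placeholders to be replaced with the values from your own dashboard and API reference.

```php
<?php
declare(strict_types=1);

// Added example, not the provider's official SDK. Endpoint URL, body fields,
// environment variable names and the pin value are placeholders.

/**
 * Load the API key for one environment from the process environment.
 * Production and sandbox keys are kept in separate variables so a sandbox
 * deployment can never send with the production key.
 */
function loadApiKey(string $environment): string {
    $name = 'SMS_API_KEY_' . strtoupper($environment);   // e.g. SMS_API_KEY_SANDBOX (placeholder name)
    $key  = $_ENV[$name] ?? getenv($name);
    if ($key === false || $key === '') {
        throw new RuntimeException("$name is not set");
    }
    return $key;
}

/**
 * POST a JSON body with Bearer authentication over TLS 1.2 or newer, with the
 * certificate chain and hostname verified and, optionally, the server's public
 * key pinned.
 *
 * @param string|null $pinnedPublicKey "sha256//<base64 SPKI hash>" in the form
 *        accepted by CURLOPT_PINNEDPUBLICKEY, or null to rely on the CA store alone.
 */
function sendSms(string $apiKey, string $url, array $body, ?string $pinnedPublicKey = null): array {
    $ch = curl_init($url);
    if ($ch === false) {
        throw new RuntimeException('curl_init failed');
    }
    curl_setopt_array($ch, [
        CURLOPT_POST           => true,
        CURLOPT_POSTFIELDS     => json_encode($body, JSON_THROW_ON_ERROR),
        CURLOPT_RETURNTRANSFER => true,
        CURLOPT_HTTPHEADER     => [
            'Authorization: Bearer ' . $apiKey,
            'Content-Type: application/json',
            'Accept: application/json',
        ],
        // Transport hardening: refuse anything below TLS 1.2, always verify the
        // chain and the hostname, and never allow a fallback to plain HTTP.
        CURLOPT_SSLVERSION     => CURL_SSLVERSION_TLSv1_2,
        CURLOPT_SSL_VERIFYPEER => true,
        CURLOPT_SSL_VERIFYHOST => 2,
        CURLOPT_PROTOCOLS      => CURLPROTO_HTTPS,
        CURLOPT_TIMEOUT        => 15,
    ]);
    if ($pinnedPublicKey !== null) {
        // Pin the server's SPKI hash. Keep a rollover plan: the pin must be
        // updated before the provider rotates its key, or every call fails.
        curl_setopt($ch, CURLOPT_PINNEDPUBLICKEY, $pinnedPublicKey);
    }

    $response = curl_exec($ch);
    if ($response === false) {
        $err = curl_error($ch);   // includes TLS and pin failures, e.g. "SSL: public key does not match pinned public key"
        curl_close($ch);
        throw new RuntimeException('Request failed: ' . $err);
    }
    $status = curl_getinfo($ch, CURLINFO_RESPONSE_CODE);
    curl_close($ch);

    return ['status' => $status, 'body' => json_decode($response, true)];
}

// Usage with placeholder values; pass the provider's "sha256//..." pin as the
// fourth argument once you have it from their documentation.
$apiKey = loadApiKey('sandbox');
$result = sendSms(
    $apiKey,
    'https://api.example.com/v1/sms',                                  // placeholder endpoint
    ['to' => '919876543210', 'message' => 'Your code is 123456'],      // placeholder body fields
    null
);
printf("HTTP %d\n", $result['status']);
```

The client fails closed on every transport problem: an expired certificate, a hostname mismatch, a pin mismatch or a TLS 1.0/1.1-only endpoint all surface as an exception rather than a silently weakened connection.
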

🛡️ Data at Rest

Message content is encrypted at rest and automatically purged after the retention period. No plain-text storage.

  • AES-256 encryption for stored data
  • Automatic data purge after 90 days
  • Configurable retention periods
  • No plain-text message logging

📊 Audit & Monitoring

Complete audit trail of all API calls, login events, and configuration changes. Real-time alerting for suspicious activity.

  • Full API call audit log
  • Login attempt tracking
  • Anomaly detection alerts
  • Download audit reports for compliance

Compliance

Regulatory Compliance

🇮🇳 TRAI / DLT

Full compliance with TRAI's DLT framework — entity registration, sender ID management, and template matching. Read our DLT guide →

🔐 Data Protection

Compliant with India's IT Act and Digital Personal Data Protection Act. Data residency within India.

🌍 International Standards

Aligned with GDPR principles for EU customers. ISO 27001-aligned security practices and SOC 2 Type II controls.

Developer Guide

Security Best Practices for Developers

PHP — Secure API Key Storage

<?php
// ❌ WRONG — Never hardcode API keys (they end up in version control, backups and logs)
$apiKey = 'sk_live_abc123xyz';

// ✅ CORRECT — Use environment variables
$apiKey = $_ENV['SMS_API_KEY'] ?? getenv('SMS_API_KEY');
if ($apiKey === false || $apiKey === '') {
    // getenv() returns false when the variable is unset; fail early instead of sending with an empty key
    throw new RuntimeException('SMS_API_KEY is not set');
}

// ✅ EVEN BETTER — Use a secrets manager
// VaultClient stands in for your secrets-manager SDK: the key is fetched at runtime
// and never written to a config file or container image.
$apiKey = (new VaultClient())->getSecret('sms/api_key');

PHP — Input Validation

<?php
function sanitizePhone(string $phone): string {
    // Remove non-numeric characters ("+91 98765-43210" becomes "919876543210")
    $clean = preg_replace('/[^0-9]/', '', $phone);

    // Validate Indian mobile number (10 digits or 91 prefix)
    if (strlen($clean) === 10) {
        $clean = '91' . $clean;
    }

    // Indian mobile numbers start with 6-9; anything else (landlines, a leading 0, other countries) is rejected
    if (!preg_match('/^91[6-9][0-9]{9}$/', $clean)) {
        throw new InvalidArgumentException('Invalid Indian phone number');
    }

    return $clean;
}

// Sanitize message content for display in HTML (dashboard, browser-based log viewer).
// Apply this when rendering, not before sending: an SMS body is plain text, and
// escaping would deliver "&amp;" in place of "&".
function sanitizeMessage(string $msg): string {
    return htmlspecialchars(trim($msg), ENT_QUOTES, 'UTF-8');
}

PHP — Webhook Signature Verification

<?php
function verifyWebhookSignature(string $payload, string $signature): bool {
    $secret = $_ENV['SMS_WEBHOOK_SECRET'] ?? getenv('SMS_WEBHOOK_SECRET');
    if ($secret === false || $secret === '') {
        // Fail closed: an unset secret must never turn into "accept everything"
        return false;
    }
    $expected = hash_hmac('sha256', $payload, $secret);

    // Timing-safe comparison to prevent timing attacks (known value first, user-supplied value second)
    return hash_equals($expected, $signature);
}

// In your webhook handler:
$payload   = file_get_contents('php://input');          // the raw body, exactly as it was signed
$signature = $_SERVER['HTTP_X_SMS_SIGNATURE'] ?? '';    // X-SMS-Signature request header

if (!verifyWebhookSignature($payload, $signature)) {
    http_response_code(401);
    exit('Invalid signature');
}

Checklist

Security Implementation Checklist

🔐 API Security

  • Store API keys in environment variables or secrets manager
  • Whitelist server IPs in dashboard settings
  • Use separate API keys for dev, staging, production
  • Rotate keys every 90 days
  • Monitor API usage for anomalies
  • Implement rate limiting on your end

📱 Message Security

  • Validate phone numbers before sending
  • OTPs should expire within 5–10 minutes
  • Limit OTP retries (max 3 per session)
  • Never include sensitive data in SMS body
  • Use dynamic IDs instead of personal info in links
  • Log message IDs but not message content
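
The OTP items in this list (5–10 minute expiry, at most 3 retries, never logging the code) fit together as one small state machine. The following is an added example, not code from the guide: the in-memory $store array stands in for your real server-side store (session, Redis or a database), the pepper is assumed to come from an environment variable of your choosing, and the phone number and timestamps are constructed.

```php
<?php
declare(strict_types=1);

// Added example, not part of the original guide. $store stands in for a
// session/Redis/database record; the pepper would come from the environment.

const OTP_TTL_SECONDS  = 300;  // 5 minutes, the low end of the recommended 5–10 minute window
const OTP_MAX_ATTEMPTS = 3;    // "max 3 per session"
const OTP_LENGTH       = 6;

/** Cryptographically random numeric code of fixed length (leading zeros kept). */
function generateOtp(int $length = OTP_LENGTH): string {
    $max = (10 ** $length) - 1;
    return str_pad((string) random_int(0, $max), $length, '0', STR_PAD_LEFT);
}

/**
 * Issue a code for a phone number. Only a keyed hash of the code is stored,
 * together with its expiry and an attempt counter; the plain code is returned
 * once, for sending, and should appear nowhere in logs.
 */
function issueOtp(array &$store, string $phone, string $pepper, int $now): string {
    $code = generateOtp();
    $store[$phone] = [
        'hash'     => hash_hmac('sha256', $code, $pepper),
        'expires'  => $now + OTP_TTL_SECONDS,
        'attempts' => 0,
    ];
    return $code;
}

/**
 * Check a submitted code. Returns 'ok', 'expired', 'locked', 'invalid' or 'unknown'.
 * The record is deleted on success, on expiry and when the attempt budget is
 * exhausted, so a code is single-use and cannot be brute-forced beyond
 * OTP_MAX_ATTEMPTS guesses.
 */
function verifyOtp(array &$store, string $phone, string $submitted, string $pepper, int $now): string {
    if (!isset($store[$phone])) {
        return 'unknown';
    }
    if ($now > $store[$phone]['expires']) {
        unset($store[$phone]);
        return 'expired';
    }
    $store[$phone]['attempts']++;
    $candidate = hash_hmac('sha256', $submitted, $pepper);
    if (hash_equals($store[$phone]['hash'], $candidate)) {   // timing-safe
        unset($store[$phone]);
        return 'ok';
    }
    if ($store[$phone]['attempts'] >= OTP_MAX_ATTEMPTS) {
        unset($store[$phone]);   // third wrong guess: the user must request a fresh code
        return 'locked';
    }
    return 'invalid';
}

// Walk-through with constructed values
$store  = [];
$pepper = 'server-side-secret-from-env';   // constructed; load from the environment in real code
$now    = time();
$phone  = '919876543210';                  // constructed

$code  = issueOtp($store, $phone, $pepper, $now);
$wrong = ($code === '000000') ? '000001' : '000000';   // guaranteed to differ from $code
// Send $code by SMS here; log the message ID returned by the API, never $code.

echo verifyOtp($store, $phone, $wrong, $pepper, $now), "\n";              // invalid  (attempt 1 of 3)
echo verifyOtp($store, $phone, $code,  $pepper, $now + 30), "\n";         // ok       (record deleted)
echo verifyOtp($store, $phone, $code,  $pepper, $now + 60), "\n";         // unknown  (single use)

$code2 = issueOtp($store, $phone, $pepper, $now);
echo verifyOtp($store, $phone, $code2, $pepper, $now + OTP_TTL_SECONDS + 1), "\n";   // expired
```

Storing an HMAC of the code rather than the code itself means a leaked session table or cache dump does not expose live OTPs, and deleting the record on lock-out means the retry counter cannot be reset by simply resubmitting.
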

🔄 Webhook Security

  • Verify webhook signatures on every request
  • Use HTTPS for webhook endpoints
  • Validate the request origin IP
  • Process webhooks idempotently (handle duplicates)
  • Respond with 200 promptly, process async
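
The webhook verification snippet in the developer guide above and this checklist together describe one handler: check the source IP, verify the HMAC signature, drop duplicate deliveries, acknowledge with 200 immediately and do the real work asynchronously. The following is an added example, not the provider's reference handler. It assumes the X-SMS-Signature header and SMS_WEBHOOK_SECRET variable from the guide, and makes up the rest: an "id" field in the JSON body that uniquely identifies each delivery event, a comma-separated SMS_WEBHOOK_ALLOWED_IPS variable, and two file paths used as a stand-in for a proper idempotency store and queue.

```php
<?php
declare(strict_types=1);

// Added example, not the provider's reference handler. The "id" event field,
// SMS_WEBHOOK_ALLOWED_IPS and the two file paths are assumptions/placeholders.

function clientIp(): string {
    // Use the TCP peer address. Trust X-Forwarded-For only if a reverse proxy
    // you control is the sole route to PHP and overwrites that header.
    return $_SERVER['REMOTE_ADDR'] ?? '';
}

/** Exact-match allowlist; extend with CIDR matching if the provider publishes ranges. */
function ipAllowed(string $ip, array $allowed): bool {
    return $ip !== '' && in_array($ip, $allowed, true);
}

function signatureValid(string $payload, string $signature, string $secret): bool {
    return hash_equals(hash_hmac('sha256', $payload, $secret), $signature);
}

/**
 * Record an event ID and report whether it was new. The exclusive lock makes
 * check-and-append atomic, so two concurrent deliveries of one event cannot
 * both be processed. (File-backed stand-in for a Redis SETNX or a unique DB key.)
 */
function markSeen(string $storePath, string $eventId): bool {
    $fh = fopen($storePath, 'c+');
    if ($fh === false || !flock($fh, LOCK_EX)) {
        throw new RuntimeException('cannot open idempotency store');
    }
    $seen = [];
    rewind($fh);
    while (($line = fgets($fh)) !== false) {
        $seen[rtrim($line, "\n")] = true;
    }
    $isNew = !isset($seen[$eventId]);
    if ($isNew) {
        fseek($fh, 0, SEEK_END);
        fwrite($fh, $eventId . "\n");
        fflush($fh);
    }
    flock($fh, LOCK_UN);
    fclose($fh);
    return $isNew;
}

/** Decide the response for one delivery. Returns [statusCode, bodyText, eventToProcess|null]. */
function handleWebhook(string $payload, string $signature, string $ip, string $secret, array $allowedIps, string $storePath): array {
    if ($secret === '') {
        return [500, 'Webhook secret not configured', null];   // fail closed
    }
    if (!ipAllowed($ip, $allowedIps)) {
        return [403, 'Forbidden', null];
    }
    if (!signatureValid($payload, $signature, $secret)) {
        return [401, 'Invalid signature', null];
    }
    $event = json_decode($payload, true);
    if (!is_array($event) || !isset($event['id']) || !is_string($event['id'])) {
        return [400, 'Malformed event', null];
    }
    if (!markSeen($storePath, $event['id'])) {
        // Duplicate delivery (provider retry): acknowledge so it stops retrying, process nothing.
        return [200, 'Already processed', null];
    }
    return [200, 'OK', $event];
}

/** Stand-in for a real queue (Redis, SQS, Beanstalkd): append the event as one JSON line. */
function enqueueDeliveryEvent(string $queuePath, array $event): void {
    file_put_contents($queuePath, json_encode($event) . "\n", FILE_APPEND | LOCK_EX);
}

// Entry point
$secret     = getenv('SMS_WEBHOOK_SECRET') ?: '';
$allowedIps = array_values(array_filter(array_map('trim', explode(',', getenv('SMS_WEBHOOK_ALLOWED_IPS') ?: ''))));
$payload    = file_get_contents('php://input');
$signature  = $_SERVER['HTTP_X_SMS_SIGNATURE'] ?? '';

[$status, $text, $event] = handleWebhook(
    $payload, $signature, clientIp(), $secret, $allowedIps,
    '/var/lib/app/webhook-seen.txt'          // placeholder path
);
http_response_code($status);
echo $text;
if (function_exists('fastcgi_finish_request')) {
    fastcgi_finish_request();                // flush the response to the provider now (PHP-FPM)
}
if ($event !== null) {
    enqueueDeliveryEvent('/var/lib/app/webhook-queue.jsonl', $event);   // placeholder path; a worker consumes it
}
```

Order matters: the cheap IP check runs before the HMAC computation, the HMAC runs before any JSON parsing, and the idempotency key is recorded only after the signature has been verified, so an unauthenticated request can never poison the seen-ID store.
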

📋 Compliance

  • Complete DLT registration before sending
  • Include opt-out instructions in promotional SMS
  • Maintain consent records for marketing messages
  • Respect DND preferences
  • Keep audit logs for regulatory review

Enterprise-Grade Security, Built In

OnlineSMSService includes all security features at no extra cost. Start your secure messaging journey today.