# WebSMS OTP example - Node.js

Node 18+ (uses built-in `fetch`). Express only used by the webhook receiver.

## Files
- `websms-client.js` - token cache + auto-refresh, send OTP, verify OTP
- `webhook.js` - Express endpoint receiving `mo` (replies) + `dlr` (delivery reports)
- `demo.js` - end-to-end runnable demo (phone form -> SMS -> verify, with WebOTP autofill)
- `package.json` - just `express` for the webhook + demo servers

## Quick start
```bash
npm install
cp .env.example .env   # then fill in your cid_/csk_ values
node webhook.js        # webhook server on :3000
```

## Try the demo
```bash
WEBSMS_CLIENT_ID=cid_... WEBSMS_CLIENT_SECRET=csk_... node demo.js
```
Open <http://localhost:3000/> in Chrome on a phone, enter the mobile number, receive the SMS, see Chrome offer the code as autofill into the verification field.

```js
const { WebSMSClient } = require('./websms-client');
const c = new WebSMSClient(process.env.WEBSMS_CLIENT_ID, process.env.WEBSMS_CLIENT_SECRET);

await c.sendOTP('6421234567', 'MyApp', null, 'Valid for 5 minutes.');
const ok = c.verifyOTP('6421234567', '482174');
```

## Notes
- Token + OTP storage is in-process (Map). Production: swap for Redis so multiple
  workers / hosts share state.
- `verifyOTP()` is single-shot and caps at 5 attempts.
- Provide your own `msgCode` (4-8 digits) if you need to control the value.