# WebSMS OTP example - PHP

Plain PHP, no framework, no Composer. Requires PHP 7.4+ with `ext-curl`.

## Files
- `WebSMSClient.php` - token cache + auto-refresh, send OTP, verify OTP
- `webhook.php` - drops in as your `/webhook` endpoint (handles `mo` + `dlr`)
- `demo.php` - end-to-end runnable demo (phone form -> SMS -> verify, with WebOTP autofill)

## Try the demo
```bash
WEBSMS_CLIENT_ID=cid_... WEBSMS_CLIENT_SECRET=csk_... php -S localhost:8000 demo.php
```
Open <http://localhost:8000/> in Chrome on a phone, enter the mobile number, receive the SMS, see Chrome offer the code as autofill into the verification field.

## Quick start
1. Create an API key at https://websms.co.nz/members/api-keys.php and copy the
   `client_id` (`cid_...`) and `client_secret` (`csk_...`) into your env.
2. Set the webhook URL to point at `webhook.php` from the same dashboard.
3. Send a code:
   ```php
   require 'WebSMSClient.php';
   $c = new WebSMSClient(getenv('WEBSMS_CLIENT_ID'), getenv('WEBSMS_CLIENT_SECRET'));
   $c->sendOTP('6421234567', 'MyApp', null, 'Valid for 5 minutes.');
   ```
4. Verify what the user typed:
   ```php
   $ok = $c->verifyOTP('6421234567', $_POST['code']);
   ```

## Notes
- Tokens cached in the system tmp dir (`/tmp/websms_token_*.json`). For multi-host
  deployments swap the storage helpers for Redis/DB.
- `verifyOTP()` is single-shot (correct code is consumed) and capped at 5 attempts.
- Pass your own `msgCode` to `sendOTP()` if you need to control the code value
  (must be 4-8 digits, numeric).