REST-first
Mobile apps call the same /api/v1 endpoints as servers. Store API keys securely (Keychain / Keystore), never embed secrets in the app binary for production.
Recommended flow
- Your backend provisions users via Connect or users sign up on SplitSMS.
- Backend issues short-lived tokens or proxies SMS send requests.
- Mobile app calls your backend; your backend calls SplitSMS.
For OTP, use POST /otp/send and POST /otp/verifyfrom your server with the user's country code for correct routing.