HonkIOHonk.IO

Getting started

Send your first Canadian SMS in under 5 minutes.

Quickstart

  1. Create a free account — get live and test API keys instantly.
  2. Record CASL consent for each phone number you'll message.
  3. Optionally provision a Canadian long code number to send from.
  4. Send your first message using the REST API.

Authentication

All API requests require a Bearer token in the Authorization header. Use test keys (mk_test_...) for development — no real SMS are sent, no charges. Use live keys (mk_live_...) for production.

⚠️ Never expose API keys in client-side code or public repositories.

Phone Numbers

Search for available Canadian numbers, provision one, and use it as the from field when sending.

bash
curl https://api.honkio.ca/v1/phone-numbers/search?area_codes=416 \
  -H "Authorization: Bearer mk_live_YOUR_KEY"

# Provision a number
curl -X POST https://api.honkio.ca/v1/phone-numbers \
  -H "Authorization: Bearer mk_live_YOUR_KEY" \
  -H "Content-Type: application/json" \
  -d '{"phone_number": "+14165550100"}'

CASL Consent (required before sending)

Under CASL, you must record consent before sending a commercial message to any recipient. The API will block sends to phone numbers without valid consent (HTTP 451).

bash
curl -X POST https://api.honkio.ca/v1/compliance/consents \
  -H "Authorization: Bearer mk_live_YOUR_KEY" \
  -H "Content-Type: application/json" \
  -d '{
    "phone_number": "+16135550199",
    "consent_type": "express",
    "source_description": "Website opt-in form",
    "source_ip": "203.0.113.1"
  }'

Express consent never expires. Implied consent expires after 2 years per CASL §10(9).

Sending SMS

Send a message using a provisioned number. The API validates the Canadian destination number, checks CASL consent, and checks the DNCL before delivery.

bash
curl -X POST https://api.honkio.ca/v1/messages \
  -H "Authorization: Bearer mk_live_YOUR_KEY" \
  -H "Content-Type: application/json" \
  -d '{
    "from": "+14165550100",
    "to":   "+16135550199",
    "body": "Hello from HonkIO! 🇨🇦"
  }'

Phone Number Verification (OTP)

Use the Verify API to confirm ownership of a phone number before sending commercial messages. Your end-user receives a one-time code via SMS; submit it to the check endpoint to confirm.

bash
# Start a verification (sends OTP SMS)
curl -X POST https://api.honkio.ca/v1/verify   -H "Authorization: Bearer mk_live_YOUR_KEY"   -H "Content-Type: application/json"   -d '{
    "from": "+14165550100",
    "to":   "+16135550199",
    "code_length": 6,
    "ttl_minutes": 10,
    "app_name": "Acme"
  }'
# Response: { "id": "clxxx...", "status": "pending", "code_length": 6, ... }

# Check the code submitted by your user
curl -X POST https://api.honkio.ca/v1/verify/clxxx.../check   -H "Authorization: Bearer mk_live_YOUR_KEY"   -H "Content-Type: application/json"   -d '{ "code": "483721" }'
# Response 200: { "status": "verified", ... }
# Response 422: { "code": "VERIFICATION_INVALID_CODE", "attempts_remaining": 4 }

# Fetch status at any time
curl https://api.honkio.ca/v1/verify/clxxx...   -H "Authorization: Bearer mk_live_YOUR_KEY"

In test mode the code is always all zeros for the chosen length (e.g. 000000 for 6-digit). No SMS is sent.

Webhooks

Register a webhook endpoint to receive delivery receipts and inbound messages. Every payload is signed with HMAC-SHA256 — verify the X-HonkIO-Signature header.

json
{
  "id": "evt_01HXYZ...",
  "type": "message.delivered",
  "created": "2024-01-15T12:00:00Z",
  "account_id": "acc_01HXYZ...",
  "data": {
    "message_id": "msg_01HXYZ...",
    "to": "+16135550199",
    "status": "delivered"
  }
}
// Headers: X-HonkIO-Signature, X-HonkIO-Timestamp, X-HonkIO-Event

Error codes

HTTPCodeMeaning
401UNAUTHORIZEDMissing or invalid API key
402INSUFFICIENT_BALANCEAccount balance too low
404VERIFICATION_NOT_FOUNDVerification ID not found or not owned by this account
409VERIFICATION_ALREADY_VERIFIEDThis number has already been verified
410VERIFICATION_EXPIREDThe verification code has expired
422NON_CANADIAN_NUMBERNot a valid Canadian E.164 number
422VERIFICATION_INVALID_CODEIncorrect code — attempts_remaining shows how many tries are left
422ALLOW_LIST_BLOCKEDRecipient is not on the API key's ALLOW list
422DENY_LIST_BLOCKEDRecipient is on the API key's DENY list
429RATE_LIMITEDToo many requests — slow down
429VERIFICATION_MAX_ATTEMPTSToo many wrong attempts — this verification is locked
451OPT_OUT_BLOCKEDRecipient has opted out — legally blocked
451NO_CONSENTNo valid CASL consent on file
451CONSENT_EXPIREDImplied consent expired (2-year CASL limit)
451DNCL_BLOCKEDNumber on CRTC DNCL — no exemption applies