How to detect disposable phone numbers in signups?

The quickest reliable approach is to call a real-time detection API before sending the OTP. Accurate detection needs continuous monitoring of public SMS gateways and rental inventories; format, HLR, or line-type checks alone miss most abuse. Use behavior and basic validation to catch obvious issues, but rely on an API to keep data fresh, reduce maintenance, and minimize false positives.

What is a disposable number?

A disposable number is a temporary or virtual phone number from public SMS gateways or rental providers. It’s used to receive OTPs without tying activity to a real, persistent SIM, enabling fake signups and abuse.

Check behavior and velocity signals (free)

These app‑side checks are free and help you triage risk. They don’t prove a number is disposable, but they can guide step‑up, throttling, or allow/deny decisions.

• IP vs phone country: Does the user’s IP country match the phone number’s country?
• OTP abuse patterns: Repeated OTP requests without completion.
• Time‑to‑verify: Bots often verify unnaturally fast—or never complete verification.
• Browser/device fingerprint reuse: The same fingerprint submitting many numbers.
• Disposable email correlation: If the email is disposable, the phone number often is as well.

Use a third‑party API (recommended)

Behavior and velocity checks catch obvious abuse, but reliable detection requires continuous monitoring of public SMS gateways and rental inventories. Specialized providers maintain this intelligence at scale—integrate their API instead of trying to rebuild it.

How a third‑party API like NumCheckr works

NumCheckr implementation guide

Call your phone intelligence endpoint before OTP. Example with a placeholder NumCheckr API:

curl -X POST https://numcheckr.com/api/check-number \
  -H "Authorization: Bearer <YOUR_API_TOKEN>" \
  -H "Content-Type: application/json" \
  -d '{
    "phone": "+14155552671"
  }'

{
  "active_line": true,
  "is_disposable": true,
  "public_sms_gateways": ["sms24.me", "receive-sms.cc"],
  "type": "MOBILE",
  "country_code": "us",
  "carrier": "Verizon",
  "e164_format": "+14155552671"
}

Backend example (Laravel/PHP) to call the API server‑side:

use Illuminate\Support\Facades\Http;

$response = Http::withToken(config('services.numcheckr.api_key'))
    ->post(url('/api/check-number'), [
        'phone' => '+14155552671',
    ]);

if ($response->json('is_disposable')) {
    // Block or step-up verification
}

Evaluation checklist (accuracy, limits, cost)

• Accuracy: Test 200–500 known-good and known-bad numbers; measure precision/recall.
• Latency: Keep under 150 ms p95 pre‑OTP; cache stable results for 24 h.
• Rate limits: Ensure burst capacity during signup peaks.
• Coverage: US/EU plus long‑tail countries where abuse is common.
• Cost: Estimate cost/verification vs avoided SMS and fraud spend.
• Fail‑open policy: Define behavior on timeouts (e.g., step‑up).

When to choose API vs behavior signals

Try a quick pre‑OTP lookup

Create a free account, get an API key, and add a pre‑OTP check on your signup form. Start with allow + step‑up on uncertain results, then tighten as you measure impact.

Get your API key and run your first lookup →

FAQ