Alibaba Cloud SMS Verification Code API Integration, a Super Detailed Tutorial: From Signature and Template Review to Code Launch
As the "big brother" of cloud computing in China, Alibaba Cloud's Short Message Service (Dysmsapi) has long been the first choice of front-line development teams because of its high channel quality, delivery within seconds and high concurrency. In practice, however, many novice developers, and even veterans, get badly tripped up by the pile of "signatures, templates and compliance reviews". And even after the code goes live, attackers can drain the account balance outright if anti-abuse protection was not done properly.
In today's article, let's set the rigid official documentation aside entirely. Speaking purely from the hands-on perspective of a senior back-end architect, I'll take you all the way from "applying for qualification from scratch" to "code live in production". Every pitfall that is easy to step into along the way is marked for you, so you can get through the whole thing in 5 minutes.
The first stage: the console's "non-technical compliance war" (signature and template review)
Don't rush to write code! Alibaba Cloud SMS is strictly regulated by the state, so the first step is to get three things done in the console: qualification, signature and template. This is the standard order with the highest pass rate that saves the most time:
1. Qualification application: individual or enterprise?
Enter the Alibaba Cloud SMS console. The first step is to create a "qualification".
Personal qualification: you only need to bind your personal real-name authentication information (scanning a code with Alipay is enough). Personal qualifications are now more restricted, and can only send verification codes and some notification messages.
Enterprise qualification: you need to upload a copy of the enterprise's three-in-one business license. For a formal commercial project you must use the enterprise qualification, because its SMS pass rate is higher and it is less likely to trigger risk-control interception.
2. Signature application: avoid those sensitive words
The signature is the few words in square brackets at the very beginning of the text message, representing your business or brand identity.
The signature name must be exactly the same as your company's short name, website filing name, App name, or registered trademark. If you are developing for a customer, the customer must issue a "power of attorney" stamped with the official seal.
In the application reason, directly paste a screenshot of your website domain name or of your App in the app store. Don't write empty words; with hard evidence, the review usually passes within 30 minutes.
3. Template application: the more rigid, the easier it is to pass
The template is the specific content of the text message, in which the verification code is represented by the placeholder ${code}.
Bad example: [XXX Technology] Wow, here you are, Laotie! Your registration verification code is ${code}, come and start your mysterious journey! (Very likely to be rejected as a marketing or harassing text message.)
Standard example: [XXX Technology] Your registration verification code is: ${code}, please enter it within 5 minutes. Do not disclose your verification code to others.
Select "verification code" as the template type; do not select "SMS notification" or "promotion SMS". The verification code channel has the highest priority and delivery rate.
The second stage: code integration in 5 minutes (taking Python as an example)
Once you have obtained the AccessKey ID, AccessKey Secret, Signature Name and Template Code (e.g. SMS_20261234) from the console, you can officially move on to the technical phase.
The latest V2.0 SDK recommended by Alibaba Cloud in 2026 is used here (more stable, with native support for keeping long-lived connections alive). We take Python 3 as the example. The service class below makes the synchronous send_sms call; for asynchronous concurrent calls the same client provides send_sms_async.
1. Install core dependencies
Run directly in your virtual environment:
Bash
pip install alibabacloud_dysmsapi20170525==3.0.0
2. Core backend send service implementation (out of the box)
Python
import os
import secrets
from alibabacloud_dysmsapi20170525.client import Client as Dysmsapi20170525Client
from alibabacloud_tea_openapi import models as open_api_models
from alibabacloud_dysmsapi20170525 import models as dysmsapi_20170525_models


class AliSmsService:
    def __init__(self):
        # 1. Read the key from environment variables (never hardcode it in code!)
        config = open_api_models.Config(
            access_key_id=os.environ.get('ALIBABA_CLOUD_ACCESS_KEY_ID'),
            access_key_secret=os.environ.get('ALIBABA_CLOUD_ACCESS_KEY_SECRET')
        )
        # 2. Service endpoint; fixed to this value for domestic SMS
        config.endpoint = 'dysmsapi.aliyuncs.com'
        self.client = Dysmsapi20170525Client(config)

    def send_verify_code(self, phone: str) -> tuple[bool, str]:
        # 3. Generate a 6-digit verification code locally, using the CSPRNG in
        #    secrets rather than random, whose output is predictable
        verify_code = str(secrets.randbelow(900000) + 100000)
        # 4. Construct the standard request parameters required by Alibaba Cloud
        send_sms_request = dysmsapi_20170525_models.SendSmsRequest(
            phone_numbers=phone,
            sign_name='Your regular signature',  # Replace with the signature approved by the console
            template_code='SMS_20261234',  # Replace with the template ID approved by the console
            template_param=f'{{"code":"{verify_code}"}}'  # Strict JSON string
        )
        try:
            # 5. Send the request over the network
            response = self.client.send_sms(send_sms_request)
            # 6. Check the status returned by the Alibaba Cloud gateway
            if response.body.code == 'OK':
                # The code itself is kept out of the log output
                print(f"[success] verification code has been delivered to mobile phone: {phone}")
                # [Production Required] Write the verify_code to Redis here and set it to expire in 5 minutes
                # redis_client.setex(f"sms_code:{phone}", 300, verify_code)
                return True, verify_code
            else:
                print(f"[Failed] Alibaba Cloud Gateway rejected: {response.body.message}")
                return False, response.body.message
        except Exception as error:
            print(f"[exception] interface call failed (network error): {str(error)}")
            return False, str(error)


# Call test
# sms = AliSmsService()
# sms.send_verify_code("13800138000")
The third stage: three life-or-death lines of defense for the production environment
Getting the code to run is, at best, only 30% of the work. The SMS verification code interface is a favorite resource for hackers and SMS bombers across the internet to abuse. If you expose the interface above directly, tens of thousands of dollars of balance can become free fuel for someone else overnight.
Before the system goes live, you must build these three iron gates into your back-end code:
Gate 1: graphical/behavioral CAPTCHA up front (intercepts 99% of automated scripts)
You must not let a user call the Alibaba Cloud API directly the moment they click "Get Verification Code".
Standard architecture: before the user can send, an intelligent slider or puzzle behavioral verification (such as Alibaba Cloud Captcha 2.0 or Cloudflare Turnstile) must be displayed.
After the front end completes the slide, it obtains a validate_token. The back end receives this token and verifies that it is legitimate before allowing the call to the SMS interface. This step directly blocks all hackers who write Python scripts for automated bombing.
Gate 2: Redis distributed rate-limiting lock (against high-frequency abuse)
Before calling the Alibaba Cloud API, multi-dimensional throttling must be performed through Redis:
Single phone number limit: set sms_lock:{phone} to expire in 60 seconds. The same mobile phone number can only request a code once every 60 seconds.
Single client IP limit: limit the same public IP to at most 10 verification code requests a day. This prevents hackers from cycling through tens of thousands of different mobile phone numbers to hammer your interface.
Daily total limit: set a system-wide sending threshold. For example, if your company normally uses only 1000 text messages a day, set the global daily ceiling to 5000. If the interface is abused, the circuit breaker trips automatically at 5000 and the system stops sending, capping the maximum financial loss.
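The three limits above, combined into one admission check. This is an added example, not code from the original article: SmsThrottle and throttle_demo are hypothetical names, and in-memory dicts stand in for Redis so the block runs offline (the comments name the Redis commands each part corresponds to).

```python
import time

PHONE_COOLDOWN = 60      # seconds between sends to one phone number
IP_DAILY_MAX = 10        # requests per client IP per day
GLOBAL_DAILY_MAX = 5000  # system-wide circuit breaker


class SmsThrottle:
    """In-memory stand-in for the Redis keys described above (single process only)."""

    def __init__(self):
        self.phone_lock = {}  # phone -> unlock time  (Redis: SET sms_lock:{phone} 1 NX EX 60)
        self.counters = {}    # (scope, day) -> count (Redis: INCR, then EXPIRE 86400)

    def _count(self, scope, now):
        return self.counters.get((scope, int(now // 86400)), 0)

    def _bump(self, scope, now):
        key = (scope, int(now // 86400))
        self.counters[key] = self.counters.get(key, 0) + 1

    def allow(self, phone, ip, now=None):
        """Return (allowed, reason); every limit is checked before any quota is consumed."""
        now = time.time() if now is None else now
        if self._count("global", now) >= GLOBAL_DAILY_MAX:
            return False, "global daily ceiling reached"
        if self._count("ip:" + ip, now) >= IP_DAILY_MAX:
            return False, "ip daily limit reached"
        if self.phone_lock.get(phone, 0) > now:
            return False, "phone cooldown active"
        self.phone_lock[phone] = now + PHONE_COOLDOWN
        self._bump("ip:" + ip, now)
        self._bump("global", now)
        return True, "ok"


def throttle_demo():
    """Constructed traffic: one IP rotating through 12 different phone numbers."""
    t = SmsThrottle()
    results = [t.allow(f"1380013{n:04d}", "203.0.113.7", now=1000 + n) for n in range(12)]
    repeat = t.allow("13800130000", "198.51.100.9", now=1030)  # same phone, 30 s later
    later = t.allow("13800130000", "198.51.100.9", now=1061)   # cooldown has elapsed
    return results, repeat, later
```

With a real Redis the phone lock should be taken with a single SET ... NX EX command, so that two concurrent requests for the same number cannot both pass the check.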
Gate 3: the "one-time principle" for verification code checking
When a user enters the verification code on the front end to submit registration, the verification logic on the back end must be:
Read the correct verification code from Redis and compare.
Whether the comparison succeeds or fails, delete the verification code from Redis immediately (or allow it to be discarded after at most 3 errors).
Reason: if the verification code is not deleted after one use, a hacker can use a concurrent brute-force script to try every value from 000000 to 999999 at high frequency within the 5-minute validity period. The verification code must be a "disposable creature" that dies when used.
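The one-time rule in code, using the "discard after at most 3 errors" variant. This is an added example, not code from the original article: CodeStore and one_time_demo are hypothetical names, and an in-memory dict stands in for the Redis key sms_code:{phone} so the block runs offline.

```python
import hmac
import secrets
import time

CODE_TTL = 300   # seconds, the 5-minute validity stated in the template
MAX_ERRORS = 3   # set to 1 for strict delete-on-first-check


class CodeStore:
    """In-memory stand-in for the Redis key sms_code:{phone} (single process only)."""

    def __init__(self):
        self._codes = {}  # phone -> [code, expires_at, errors]

    def issue(self, phone, now=None):
        now = time.time() if now is None else now
        code = f"{secrets.randbelow(10**6):06d}"  # CSPRNG, not random.randint
        self._codes[phone] = [code, now + CODE_TTL, 0]
        return code

    def verify(self, phone, candidate, now=None):
        now = time.time() if now is None else now
        entry = self._codes.get(phone)
        if entry is None or entry[1] <= now:
            self._codes.pop(phone, None)   # never issued, already used, or expired
            return False
        if hmac.compare_digest(entry[0].encode(), candidate.encode()):
            del self._codes[phone]         # success: the code dies when used
            return True
        entry[2] += 1
        if entry[2] >= MAX_ERRORS:
            del self._codes[phone]         # too many errors: discard the code
        return False


def one_time_demo():
    """Constructed scenario: wrong guesses burn the code; a used code cannot be replayed."""
    store = CodeStore()
    code = store.issue("13800138000", now=0)
    wrong = "000000" if code != "000000" else "000001"
    guesses = [store.verify("13800138000", wrong, now=10 + i) for i in range(3)]
    after_lockout = store.verify("13800138000", code, now=20)  # correct, but code is gone
    code2 = store.issue("13800138000", now=100)
    first_use = store.verify("13800138000", code2, now=110)
    replay = store.verify("13800138000", code2, now=111)       # second use must fail
    code3 = store.issue("13800138000", now=200)
    expired = store.verify("13800138000", code3, now=200 + CODE_TTL)
    return guesses, after_lockout, first_use, replay, expired
```

With a real Redis, the read, compare and delete must happen atomically (a Lua script, or GETDEL for the strict one-check variant); otherwise concurrent requests can all read the same code before any of them deletes it.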
Summary
In integrating Alibaba Cloud SMS verification codes, writing the technical code is actually very simple (the SDK is very well packaged); the real effort lies outside the code:
Console review focuses on the compliance and consistency of your materials, and code deployment focuses on the strictness of Redis rate limiting and human-machine verification.
If you carry out these steps solidly, your registration verification system will have both big-company-level delivery speed and an iron wall of defense.

