A production-grade SMS verification platform that aggregates multiple SMS provider APIs, providing virtual phone numbers for receiving SMS verification codes, with a full-featured admin dashboard and a polished user mobile application.
StroApp SMS is an SMS-PaaS (SMS Platform as a Service) that solves the problem of needing a real phone number to receive SMS verification codes. Users purchase virtual numbers to receive OTP/activation codes for services like WhatsApp, Telegram, Google, Facebook, TikTok, and hundreds more, without exposing their personal phone number.
The platform aggregates supply from multiple SMS provider APIs, applies a configurable markup engine for profitability, and delivers a unified experience through:
- User Mobile App (Flutter): Browse services, purchase numbers, receive SMS, manage account
- Admin Dashboard (Flutter): Manage users, orders, finances, security, and platform configuration
- Backend API (Python/FastAPI): RESTful API powering both frontends with enterprise-grade security
```
┌─────────────────┐   ┌─────────────────┐   ┌─────────────────┐
│    User App     │   │    Admin App    │   │    3rd-Party    │
│    (Flutter)    │   │    (Flutter)    │   │  Integrations   │
│    port 3000    │   │    port 3001    │   │  (OAuth, IAP,   │
└────────┬────────┘   └────────┬────────┘   │  Payments...)   │
         │                     │            └────────┬────────┘
         └──────────┬──────────┘                     │
                    │ HTTP/JSON                      │
                    ▼                                │
            ┌────────────────┐                       │
            │  FastAPI App   │◄──────────────────────┘
            │   Port 9527    │
            │   + Gunicorn   │
            └───────┬────────┘
                    │
       ┌────────────┼────────────┐
       ▼            ▼            ▼
  ┌──────────┐ ┌──────────┐ ┌──────────┐
  │PostgreSQL│ │  Redis   │ │   SMS    │
  │ Database │ │  Cache   │ │Providers │
  │  :5433   │ │  :6379   │ │ (4 APIs) │
  └──────────┘ └──────────┘ └──────────┘
```
- User opens the mobile app, browses available services and countries
- Backend queries provider APIs for real-time pricing and stock
- Price Engine applies markup rules, user-specific pricing, and coins conversion
- User purchases a number → coins deducted → provider API called → number allocated
- Polling Service monitors the number for incoming SMS messages
- Delivery: SMS code is delivered to the user via app UI, webhook, email forwarding, or Telegram bot
- Optional: Order auto-cancels after timeout with refund
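
The pricing and purchase steps above, as an added example that is not taken from the project's code: the coin price uses the documented defaults `COINS_PER_USD=100` and `DEFAULT_MARKUP=1.15`, while `Wallet`, `Order`, `purchase` and the `allocate_number` callable are hypothetical names. It shows the two properties the flow depends on: coins are deducted before the provider call and restored if that call fails, and a refund can be applied only once per order.

```python
from dataclasses import dataclass, field
from decimal import Decimal, ROUND_CEILING

COINS_PER_USD = Decimal("100")    # documented default
DEFAULT_MARKUP = Decimal("1.15")  # documented default

def price_in_coins(provider_cost_usd: str, markup: Decimal = DEFAULT_MARKUP) -> int:
    """Provider cost in USD -> whole coins, rounded up so the markup is never lost."""
    coins = Decimal(provider_cost_usd) * markup * COINS_PER_USD
    return int(coins.to_integral_value(rounding=ROUND_CEILING))

class InsufficientCoins(Exception):
    pass

@dataclass
class Order:  # hypothetical model, not the project's
    user: str
    coins: int
    status: str = "pending"  # pending -> active -> completed | refunded
    number: str = ""

@dataclass
class Wallet:  # hypothetical in-memory stand-in for the wallet table
    balances: dict = field(default_factory=dict)

    def deduct(self, user: str, coins: int) -> None:
        if self.balances.get(user, 0) < coins:
            raise InsufficientCoins(user)
        self.balances[user] -= coins

    def refund(self, order: Order) -> bool:
        # Idempotent: a completed or already refunded order is never paid back again.
        if order.status not in ("pending", "active"):
            return False
        order.status = "refunded"
        self.balances[order.user] += order.coins
        return True

def purchase(wallet: Wallet, user: str, provider_cost_usd: str, allocate_number) -> Order:
    order = Order(user, price_in_coins(provider_cost_usd))
    wallet.deduct(user, order.coins)      # coins deducted before any provider call
    try:
        order.number = allocate_number()  # provider API called (hypothetical callable)
    except Exception:
        wallet.refund(order)              # provider failed: reverse the deduction
        raise
    order.status = "active"               # number allocated, polling can start
    return order
```

In a database-backed wallet the balance check and the decrement have to be one atomic statement or a row-locked transaction, otherwise two concurrent purchases can both pass the check. The timeout auto-cancel path can call the same `refund`, which is why it is written to be safe against repeated calls.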
User Features
- Email/password authentication with JWT (access + refresh tokens)
- Google Sign-In and Apple Sign-In OAuth integration
- Multi-factor authentication (TOTP)
- Virtual number purchase for SMS verification (temporary & rental)
- Real-time SMS message polling with auto-refresh
- Number cancellation with partial refund
- Wallet system with coin-based transactions
- In-app purchase payments (Google Play, Apple App Store, Stripe)
- Webhook management for SMS delivery callbacks
- Email forwarding and Telegram bot integration
- Multi-tier subscription plans (Freemium, PAYG, Pro, Custom)
- Temporary email inbox service
- Voice call verification (call & speak code)
- Referral and affiliate programs
- Reseller and white-label support
- KYC verification and compliance
- GDPR data export and account deletion
Admin Features
- Admin authentication and session management
- User management (CRUD, ban, coin adjustment, tier change)
- Order and transaction monitoring
- Provider management (enable/disable, balance check)
- Service management (activate/deactivate)
- Dynamic pricing engine with markup rules
- Pricing templates and user-specific pricing
- Support ticket system
- Dispute resolution
- KYC document verification
- Revenue and P&L reporting
- Financial reconciliation
- Provider settlement tracking
- Affiliate commission management
- Reseller account management
- Broadcast push notifications
- Security scanning and compliance reporting
- Automated database backup and disaster recovery
- Audit logging (enterprise-grade)
- Feature flag management
- Email template customization
- Data export (users, transactions, payments, audit logs)
- Security scans, secrets check, compliance reports
- Multi-language support (7 languages)
Security & Compliance
- Rate limiting (Redis token bucket)
- CSRF protection
- XSS prevention
- SQL injection prevention (ORM-based)
- Proxy/VPN detection middleware
- Device fingerprinting
- IP blacklisting
- PII masking in logs
- Structured JSON logging
- Sentry error tracking
- Prometheus metrics
- Security headers (HSTS, CSP, X-Frame-Options, etc.)
- Browse 100+ services organized by category
- View prices across 200+ countries
- Purchase numbers with one tap (from presets)
- Real-time SMS waiting screen with countdown timer
- Order history with full details
- Wallet with top-up via Google Pay / Apple Pay
- Number rental with duration and auto-extend
- Temporary email inbox
- Voice verification purchase
- Saved presets for quick re-purchase
- Webhook and forwarding configuration
- MFA setup and management
- API key management
- Active sessions management
- Affiliate dashboard with commissions and payouts
- KYC document submission and status tracking
- Support ticket system
- Multi-language (Arabic/English) with RTL support
- Dark/Light theme
- Biometric authentication (fingerprint, face ID)
- Deep linking (referral codes)
- Push notifications via Firebase Cloud Messaging
- Onboarding wizard for new users
- Dashboard with KPI cards and charts (new users, orders, revenue)
- User management with search, filters, and bulk actions
- Order and transaction browsing with detail views
- Support ticket management with reply thread
- System settings (coins per USD, markup, email limits)
- Provider and service management
- Pricing engine with templates, promotions, and markup rules
- Affiliate applications, commissions, and payouts
- Reseller accounts and credit allocation
- Financial reports (revenue, costs, settlements, tax)
- P&L reports
- Analytics dashboard with verification stats and carrier analytics
- Ledger and reconciliation tools
- Security screen: vulnerability scans, secrets check, compliance
- Backup management: create, list, restore
- Disaster recovery: run tests, monitor status
- Webhook queue and retry monitoring
- Broadcast push notifications
- Blacklist management (IP, tokens)
- Whitelabel domain management
- Data sync orchestrator with markup rules
- Data export (CSV) for users, transactions, payments, audit logs
- Telegram bot connection management
- Feature flag toggling
- Session management with force logout
- Email template editing
- Waitlist management
- Multi-language support (7 languages)

| Technology | Purpose |
|---|---|
| Python 3.12+ | Runtime |
| FastAPI | Web framework (async) |
| Uvicorn + Gunicorn | ASGI server (dev + prod) |
| SQLAlchemy 2.0 | ORM with async support |
| PostgreSQL 16 | Primary database |
| Redis 7 | Caching, rate limiting, queues |
| Alembic | Database migrations |
| Pydantic v2 | Data validation & settings |
| PyJWT | JWT authentication |
| Passlib (bcrypt) | Password hashing |
| Sentry | Error monitoring |
| Prometheus | Metrics & observability |
| Docker | Containerization |
| NGINX | Reverse proxy + WAF |

| Provider | Region | Specialty |
|---|---|---|
| SMS-Man (smsman) | Russia/CIS | Wide country coverage |
| 5sim (fivesim) | International | Large inventory |
| SMS-Activate (smsactivate) | Russia/CIS | Competitive pricing |
| SMSPool (smspool) | USA/Global | US numbers focus |

| Technology | Purpose |
|---|---|
| Flutter | Cross-platform UI framework |
| Riverpod | State management |
| GoRouter | Declarative routing |
| Dio | HTTP client with interceptors |
| Freezed | Immutable data models |
| Google Sign-In | OAuth authentication |
| Apple Sign-In | OAuth authentication |
| Firebase Messaging | Push notifications |
| fl_chart | Charts (admin app) |
```
stroapp-sms/  # Monorepo root
├── app/  # Python backend package
│   ├── api/
│   │   ├── v1/  # Version 1 API (60+ route files)
│   │   │   ├── auth.py  # Authentication endpoints
│   │   │   ├── purchase.py  # SMS purchase & orders
│   │   │   ├── services.py  # Service listing
│   │   │   ├── user.py  # User profile & balance
│   │   │   ├── payments.py  # Payment processing
│   │   │   ├── webhooks.py  # Webhook management
│   │   │   ├── admin_*.py  # 14 admin sub-modules
│   │   │   └── ...  # 40+ more endpoint files
│   │   └── v4/  # Version 4 API (clean admin)
│   │       └── admin.py  # Unified admin API
│   ├── core/  # Framework & shared utilities
│   │   ├── config.py  # Pydantic Settings
│   │   ├── database.py  # SQLAlchemy setup
│   │   ├── security.py  # JWT, hashing
│   │   ├── dependencies.py  # FastAPI dependencies
│   │   └── middleware.py  # Custom ASGI middleware
│   ├── domain/
│   │   ├── models.py  # 60+ SQLAlchemy models
│   │   └── coins.py  # Coin conversion logic
│   ├── infrastructure/
│   │   ├── providers/  # SMS provider adapters
│   │   │   ├── base.py  # Abstract provider
│   │   │   ├── router.py  # Provider router (fallback)
│   │   │   ├── smsman.py  # SMS-Man integration
│   │   │   ├── fivesim.py  # 5sim integration
│   │   │   ├── smsactivate.py  # SMS-Activate integration
│   │   │   ├── smspool.py  # SMSPool integration
│   │   │   └── circuit_breaker.py  # Fault tolerance
│   │   ├── payments/  # Payment integrations
│   │   ├── cache/  # Redis caching
│   │   ├── queue/  # Webhook queue (Redis streams)
│   │   ├── push/  # OneSignal push
│   │   ├── bot/  # Telegram bot
│   │   └── security/  # Secrets & compliance
│   ├── middleware/  # HTTP middleware
│   ├── schemas/  # Pydantic schemas
│   ├── services/  # Business logic (40+ files)
│   │   ├── purchase_service.py  # SMS purchase flow
│   │   ├── price_calculator.py  # Pricing engine
│   │   ├── pricing_engine_service.py  # User-specific pricing
│   │   ├── payment_service.py  # Payment processing
│   │   ├── audit_service.py  # Enterprise audit
│   │   ├── backup_service.py  # DB backup/restore
│   │   ├── security_scanner.py  # Security scanning
│   │   ├── background.py  # Background workers
│   │   └── ...  # 30+ more services
│   └── websocket/  # WebSocket manager
├── infrastructure/
│   └── db/
│       └── migrations/  # Alembic migrations
├── scripts/  # Utility scripts
│   ├── seed_admin.py  # Create admin user
│   ├── backup.sh  # Database backup
│   └── run_security_audit.sh  # Security audit
├── main.py  # Application entry point
├── Dockerfile  # Docker build
├── docker-compose.yml  # Full stack setup
├── nginx.conf  # Production proxy config
├── requirements.txt  # Python dependencies
├── .env.example  # Example environment
│
├── stroapp-sms-user/  # User Flutter app
│   └── lib/
│       ├── main.dart  # App entry point
│       ├── core/  # API, models, router, theme
│       └── features/  # Feature modules
│           ├── sms_purchase/  # SMS buying flow
│           ├── auth/  # Authentication
│           ├── home/  # Dashboard
│           ├── wallet/  # Wallet & payments
│           ├── settings/  # Settings hub
│           ├── presets/  # Saved presets
│           ├── temp_email/  # Temp email inbox
│           ├── voice/  # Voice verification
│           ├── rentals/  # Number rental
│           └── ...  # 10+ more features
│
└── stroapp-sms-admin/  # Admin Flutter app
    └── lib/
        ├── main.dart  # App entry point
        ├── app/  # Screens & tabs
        │   ├── screens/  # 21 screen files
        │   └── tabs/  # 5 bottom nav tabs
        └── core/  # API, models, services, theme
            ├── api_constants.dart  # 184 API endpoint definitions
            ├── services/  # 5 service classes
            ├── models/  # Data models
            └── widgets/  # 12 reusable widgets
```
- Python 3.12+
- PostgreSQL 16
- Redis 7
- Flutter 3.x (for mobile apps)
- Docker (optional, for containerized deployment)
```bash
git clone <repo-url> stroapp-sms
cd stroapp-sms
# Create virtual environment
python -m venv .venv
source .venv/bin/activate  # Linux/Mac
# or .venv\Scripts\activate  # Windows
# Install dependencies
pip install -r requirements.txt
# Configure environment
cp .env.example .env
# Edit .env with your settings (database URL, API keys, secrets)
```

```bash
# Using Docker (recommended for development)
docker run -d \
  --name stroapp-db \
  -e POSTGRES_USER=stroapp \
  -e POSTGRES_PASSWORD=stroapp_pass \
  -e POSTGRES_DB=stroapp \
  -p 5433:5432 \
  postgres:16
# Run migrations
alembic upgrade head
# Seed admin user
python scripts/seed_admin.py admin@example.com your-password
```

```bash
# Development
python main.py
# Production (with Gunicorn)
gunicorn main:app -c gunicorn.conf.py
```

The API will be available at http://localhost:9527/stroapp/docs (Swagger UI).

```bash
cd stroapp-sms-user
cp .env.example .env  # edit API_BASE_URL
flutter pub get
flutter run -d chrome  # or -d android, -d ios
```

```bash
cd stroapp-sms-admin
flutter pub get
flutter run -d chrome  # or -d android, -d ios
```

```bash
docker compose up -d
```

This starts PostgreSQL, Redis, and the FastAPI application together.

| Variable | Description | Default |
|---|---|---|
| `DATABASE_URL` | PostgreSQL connection string | `postgresql://stroapp:stroapp_pass@localhost:5433/stroapp` |
| `REDIS_URL` | Redis connection string | `redis://localhost:6379/0` |
| `SECRET_KEY` | App encryption key (min 32 chars) | - |
| `JWT_SECRET_KEY` | JWT signing key (min 32 chars) | - |
| `COINS_PER_USD` | Coin-to-USD conversion rate | 100 |
| `DEFAULT_MARKUP` | Default price markup multiplier | 1.15 |
| `SMSMAN_API_KEY` | SMS-Man provider API key | - |
| `FIVESIM_API_KEY` | 5sim provider API key | - |
| `SMSACTIVATE_API_KEY` | SMS-Activate provider API key | - |
| `SMSPOOL_API_KEY` | SMSPool provider API key | - |
| `SENTRY_DSN` | Sentry error tracking DSN | - |
| `TURNSTILE_SECRET_KEY` | Cloudflare Turnstile secret | - |
| `TELEGRAM_BOT_TOKEN` | Telegram bot token | - |

Full list available in .env.example.
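
A start-up check for the settings above, added here as an illustration (it is not the project's `config.py`): it enforces the documented 32-character minimum for `SECRET_KEY` and `JWT_SECRET_KEY` and rejects the development database password that appears in the `DATABASE_URL` default. The function name, the distinct-character heuristic, the rule that the two keys must differ, and the sample values are assumptions of this example.

```python
from urllib.parse import urlsplit

MIN_SECRET_LEN = 32               # "min 32 chars" per the table above
DEV_DB_PASSWORD = "stroapp_pass"  # password in the documented DATABASE_URL default
SECRET_VARS = ("SECRET_KEY", "JWT_SECRET_KEY")


def check_production_env(env: dict) -> list:
    """Return a list of problems; an empty list means the settings pass."""
    problems = []
    for name in SECRET_VARS:
        value = env.get(name, "")
        if len(value) < MIN_SECRET_LEN:
            problems.append(f"{name}: shorter than {MIN_SECRET_LEN} characters")
        elif len(set(value)) < 8:
            # Assumption of this example: catch padded values such as "aaaa...".
            problems.append(f"{name}: too few distinct characters")
    if env.get("SECRET_KEY") and env.get("SECRET_KEY") == env.get("JWT_SECRET_KEY"):
        # Assumption: separate keys, so a leak of one does not expose the other.
        problems.append("JWT_SECRET_KEY: must differ from SECRET_KEY")
    db = urlsplit(env.get("DATABASE_URL", ""))
    if not db.password:
        problems.append("DATABASE_URL: no password set")
    elif db.password == DEV_DB_PASSWORD:
        problems.append("DATABASE_URL: still uses the development password")
    return problems


# Constructed sample values, not real secrets.
DEV_ENV = {
    "SECRET_KEY": "changeme",
    "JWT_SECRET_KEY": "changeme",
    "DATABASE_URL": "postgresql://stroapp:stroapp_pass@localhost:5433/stroapp",
}

if __name__ == "__main__":
    for problem in check_production_env(DEV_ENV):
        print("config error:", problem)
```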
Each Flutter app uses a .env file for configuration:
User App (.env):
```
API_BASE_URL=http://localhost:9527/stroapp/v1
CONNECT_TIMEOUT=10000
RECEIVE_TIMEOUT=15000
```
Admin App: Base URL is configured in lib/core/constants/api_constants.dart and can be changed at runtime via the login screen UI.
- User API: `/stroapp/v1/...`
- Admin API: `/stroapp/v4/admin/api/...`
- Swagger UI: `/stroapp/docs`
- ReDoc: `/stroapp/redoc`
- Health: `/health`
- Metrics: `/stroapp/metrics`
- User: JWT Bearer tokens (access + refresh tokens)
- Admin: JWT Bearer tokens (separate admin login endpoint)
- MFA: Optional TOTP with `x-mfa-token` header
- API Keys: `nsk_` prefixed keys for programmatic access
All API responses follow a consistent structure:
```json
{
  "success": true,
  "data": { ... },
  "error": null,
  "request_id": "uuid"
}
```

Paginated responses:

```json
{
  "success": true,
  "data": { "items": [...], "total": 100, "page": 1, "per_page": 20 },
  "error": null
}
```

The platform implements multiple layers of security:
- Rate Limiting: Redis token bucket algorithm (configurable limits)
- CSRF Protection: Token-based per-session
- XSS Prevention: Input sanitization and output encoding
- SQL Injection: ORM-based queries + statement-level protection
- Proxy/VPN Detection: Middleware to flag anonymous traffic
- Device Fingerprinting: Risk scoring per device
- IP Blacklisting: Manual and automated blacklist management
- Session Management: Active session tracking with revocation
- MFA: Optional TOTP two-factor authentication
- Audit Logging: Every admin action is logged with user, IP, timestamp
- Security Scanning: Automated vulnerability scanning
- Secrets Management: Encrypted storage of sensitive configuration
- GDPR Compliance: Data export, deletion, and consent management
- KYC/AML: Identity verification for high-value accounts
- WAF: NGINX-based web application firewall in production
- HTTPS: SSL/TLS enforcement via NGINX
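
The token bucket named in the rate-limiting item, as an added example rather than the project's implementation: an in-memory bucket with an injectable clock stands in for the per-client state the platform keeps in Redis, and the class names, capacity and refill rate are assumptions of this example.

```python
import time


class TokenBucket:
    """Allows bursts up to `capacity`, then a sustained `refill_per_sec` rate."""

    def __init__(self, capacity: float, refill_per_sec: float, clock=time.monotonic):
        self.capacity = capacity
        self.refill_per_sec = refill_per_sec
        self.clock = clock
        self.tokens = capacity      # a new client starts with a full burst
        self.updated = clock()

    def allow(self, cost: float = 1.0) -> bool:
        now = self.clock()
        # Refill lazily from elapsed time; never above capacity, never backwards.
        elapsed = max(0.0, now - self.updated)
        self.tokens = min(self.capacity, self.tokens + elapsed * self.refill_per_sec)
        self.updated = now
        if self.tokens >= cost:
            self.tokens -= cost
            return True
        return False

    def retry_after(self, cost: float = 1.0) -> float:
        """Seconds until `cost` tokens are available (a Retry-After value)."""
        return max(0.0, (cost - self.tokens) / self.refill_per_sec)


class RateLimiter:
    """One bucket per key, for example per API key or per client IP."""

    def __init__(self, capacity: float, refill_per_sec: float, clock=time.monotonic):
        self.args = (capacity, refill_per_sec, clock)
        self.buckets = {}

    def allow(self, key: str) -> bool:
        if key not in self.buckets:
            self.buckets[key] = TokenBucket(*self.args)
        return self.buckets[key].allow()
```

With Redis as the store, the refill-and-take step has to run atomically (for example in a Lua script), otherwise concurrent requests can spend the same tokens.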
```bash
# Backend tests
pytest tests/ -v
# Run specific test
pytest tests/test_comprehensive.py -v
# Flutter tests (user app)
cd stroapp-sms-user
flutter test
# Flutter tests (admin app)
cd stroapp-sms-admin
flutter test
```

```
Internet → NGINX (Reverse Proxy + WAF) → Gunicorn (4 workers) → FastAPI
                                                                   │
                                    PostgreSQL ◄───────────────────┤
                                    Redis ◄────────────────────────┤
                                    SMS Providers ◄────────────────┘
```
```bash
# Build and run
docker compose up -d --build
# Check logs
docker compose logs -f api
# Run migrations
docker compose exec api alembic upgrade head
# Create admin user
docker compose exec api python scripts/seed_admin.py admin@example.com password
```

- Set up PostgreSQL and Redis
- Configure `.env` with production values
- Run with Gunicorn: `gunicorn main:app -c gunicorn.conf.py`
- Set up NGINX reverse proxy using `nginx.conf`
- Configure SSL certificates (Let's Encrypt)
- Set up monitoring (Sentry, Prometheus)
- Configure automated backups via the admin panel
- Fork the repository
- Create a feature branch (`git checkout -b feature/amazing-feature`)
- Commit your changes (`git commit -m 'Add amazing feature'`)
- Push to the branch (`git push origin feature/amazing-feature`)
- Open a Pull Request
- Follow existing code style and conventions
- Write tests for new features
- Update API documentation for endpoint changes
- Run `pytest` before submitting PRs
- Use conventional commit messages
All rights reserved. This project is proprietary software.
- Author: Omer Jasim - oj33593@gmail.com
- API Docs: `/stroapp/docs` (Swagger), `/stroapp/redoc` (ReDoc)
- Admin Panel: Accessible via the admin Flutter app
- Issues: Report via GitHub Issues
- Security: Report via Security Advisories