Security: Mobile signups and sms verification code

Question

I have a REST API, which a user can sign up using their mobile client and request for a verification sms using twilio. The REST API is set up on heroku.

My main concern is that a user can sign up however many times as they want, but that can cost me unnecessary amount of money for each sms. How do you go about preventing this? I'm fairly new to web services in general. Does heroku protect against this? Do I have to do something to the server?

Thanks

Answer 1

yes server needs to maintain the record of verified and unverified numbers. Once the user signup or register again, server will check if the number is already verified or not, if it is not verified then make a verification sms send api call to twilio. Twilio REST API call should be initiated from the server and not from the mobile app. In case you want the twilio rest api call to be initiated from the mobile client then on signup of the app the REST API from the server should return the mobile app if number is verified or not and according show the verify option on the mobile client.