Build a Node.js Express App for Bulk SMS Broadcasts with Sinch - code-examples -

Build a Node.js Express App for Bulk SMS Broadcasts with Sinch

> ⚠️ IMPORTANT NOTICE: Title-Content Mismatch >

The filename of this article references "Next.js NextAuth" but the content demonstrates an Express.js implementation. This guide provides a complete Express.js application for bulk SMS broadcasting with Sinch. If you're looking for a Next.js + NextAuth implementation, note that: >

  • Next.js uses serverless API routes (in pages/api/ or app/api/) instead of Express > - NextAuth.js integration requires different session management patterns > - Middleware and authentication flow differ significantly from Express > This implementation focuses on Express.js and can be adapted for Next.js API routes with modifications.

This guide walks you through building a robust Node.js Express application for bulk SMS broadcasting using the Sinch REST API. You'll learn how to implement the Sinch batches endpoint, handle authentication across regional endpoints (US, EU, AU, BR, CA), manage SMS encoding (GSM-7 and UCS-2), implement rate limiting, and deploy a production-ready SMS broadcasting service. Whether you're building notification systems, marketing campaigns, or alert systems, this tutorial covers everything from project setup and core logic to error handling, security best practices, and deployment considerations.

By the end of this tutorial, you'll have a functional backend service capable of accepting a list of phone numbers and a message, then broadcasting that message efficiently using Sinch's batch sending capabilities. This solves the common need for applications to send notifications, alerts, or marketing messages to multiple users simultaneously.

Project Overview and Goals

What You'll Build:

A Node.js Express API endpoint that:

  1. Accepts a POST request containing a list of recipient phone numbers and a message body.
  2. Validates the input using E.164 phone number format.
  3. Uses the Sinch SMS REST API (/batches endpoint) to send the message to all recipients in a single API call (a bulk broadcast).
  4. Handles potential errors gracefully with proper HTTP status codes.
  5. Provides comprehensive logging for monitoring and debugging.

Problem You'll Solve:

Manually sending SMS messages one by one is inefficient and doesn't scale. This application provides a programmatic way to broadcast messages to large groups, leveraging Sinch's infrastructure for reliable delivery.

Technologies You'll Use:

  • Node.js: A JavaScript runtime environment ideal for building scalable network applications. (Requires Node.js v18 or higher for optimal compatibility as of 2025)
  • Express.js: A minimal and flexible Node.js web application framework providing robust features for web and mobile applications.
  • Sinch SMS REST API: The interface you'll use to programmatically send SMS messages via Sinch. You'll use the /batches endpoint for efficient bulk sending. (API Reference: https://developers.sinch.com/docs/sms/api-reference/sms/tag/Batches/)
  • Axios: A promise-based HTTP client for making requests to the Sinch API.
  • dotenv: A module to load environment variables from a .env file, keeping sensitive credentials out of your codebase.

System Architecture:

The basic flow works as follows:

  1. A Client Application sends a POST request to /api/broadcast on your Node.js Express App.
  2. Your Express App validates the incoming request data.
  3. Your App prepares the batch payload for the Sinch API.
  4. Your App sends a POST request to the Sinch SMS API's /xms/v1/{service_plan_id}/batches endpoint.
  5. Sinch processes the batch and sends SMS messages to the Recipients' Phones.
  6. Sinch returns a Batch ID and status information to your Express App.
  7. Your Express App sends an API response (indicating success or error) back to the Client Application.

Prerequisites:

  • Node.js and npm (or yarn): Install these on your development machine. Use Node.js v18 or higher. (Download Node.js)
  • Sinch Account: Register an account with Sinch. (Sign up for Sinch)
  • Sinch API Credentials:
    • SERVICE_PLAN_ID: Find this on your Sinch Customer Dashboard under SMS > APIs.
    • API_TOKEN: Also found on the same page (click "Show" to reveal it).
    • SINCH_NUMBER: A virtual number associated with your Service Plan ID, capable of sending SMS. Find this by clicking your Service Plan ID link on the dashboard.
  • Basic understanding of: JavaScript, Node.js, Express, REST APIs, and terminal commands.
  • Code Editor: Like VS Code, Sublime Text, etc.
  • Testing Tool (Optional but Recommended): Postman or curl for testing the API endpoint.

Expected Outcome:

A running Node.js service with an API endpoint (/api/broadcast) that accepts recipient lists and messages, sending them out via Sinch.

1. Setting up the Node.js Express Project

Initialize your Node.js project, install dependencies, and set up the basic structure and environment configuration.

  1. Create Project Directory: Open your terminal or command prompt and create a new directory for the project.

    bash
    mkdir sinch-bulk-sms-app
cd sinch-bulk-sms-app

  2. Initialize Node.js Project: Create a package.json file to manage project details and dependencies.

    bash
    npm init -y

    (The -y flag accepts default settings)

  3. Install Dependencies: Install Express for the web server, Axios for API calls, and dotenv for environment variables.

    bash
    npm install express axios dotenv

  4. Create Project Structure: A good structure helps maintainability. Create the following directories and files:

    sinch-bulk-sms-app/
├── src/
│   ├── controllers/
│   │   └── broadcastController.js
│   ├── routes/
│   │   └── broadcastRoutes.js
│   ├── services/
│   │   └── sinchService.js
│   └── app.js
├── .env             # For environment variables (create soon)
├── .gitignore       # To exclude files from Git (create soon)
└── package.json

  5. Create .gitignore: Prevent sensitive files and unnecessary directories from being committed to version control. Create a file named .gitignore in the root directory:

    plaintext
    # .gitignore

# Dependencies
node_modules/

# Environment Variables
.env

# Logs
*.log

# Build output
dist/

  6. Configure Environment Variables: Create a file named .env in the root directory. This file holds your sensitive Sinch credentials and configuration. Never commit this file to Git.

    • Find Your Credentials: Log in to your Sinch Customer Dashboard. Navigate to SMS > APIs. Note your Service plan ID and API token. Also, find a virtual Sinch Number associated with this plan.
    • Determine Region: Sinch SMS API supports 5 regional endpoints: US (United States), EU (Europe), AU (Australia), BR (Brazil), and CA (Canada). The base URL format is https://{region}.sms.api.sinch.com where region can be: us, eu, au, br, or ca. Check your Sinch dashboard to identify your account's region.
    • Authentication by Region: The SMS API uses Sinch unified authentication with OAuth2 for US and EU regions only. For BR, AU, or CA regions (or if you prefer for US/EU), use API Token authentication.

    Populate the .env file:

    plaintext
    # .env

# Sinch API Credentials
SINCH_SERVICE_PLAN_ID=YOUR_SERVICE_PLAN_ID_HERE
SINCH_API_TOKEN=YOUR_API_TOKEN_HERE
SINCH_NUMBER=YOUR_SINCH_VIRTUAL_NUMBER_HERE # e.g., +12025550147

# Sinch API Base URL (Select your region: us, eu, au, ca, or br)
# US (default): https://us.sms.api.sinch.com
# EU: https://eu.sms.api.sinch.com
# AU: https://au.sms.api.sinch.com
# CA: https://ca.sms.api.sinch.com
# BR: https://br.sms.api.sinch.com
SINCH_BASE_URL=https://us.sms.api.sinch.com

# Application Port
PORT=3000
    • SINCH_SERVICE_PLAN_ID: Your unique service plan identifier from the Sinch dashboard.
    • SINCH_API_TOKEN: The secret token you'll use to authenticate API requests. Treat this like a password.
    • SINCH_NUMBER: The Sinch virtual phone number that messages will be sent from. Must be in E.164 format (e.g., +1xxxxxxxxxx).
    • SINCH_BASE_URL: The base URL for the Sinch REST API corresponding to your account's region. Ensure this matches your dashboard region.
    • PORT: The port your Express application will listen on.

  7. Set up Basic Express Server (src/app.js): This file initializes Express, loads environment variables, sets up middleware, and defines the entry point for your routes.

    javascript
    // src/app.js
import express from 'express';
import dotenv from 'dotenv';
import broadcastRoutes from './routes/broadcastRoutes.js';

// Load environment variables from .env file
dotenv.config();

// Initialize Express app
const app = express();
const port = process.env.PORT || 3000; // Use PORT from .env or default to 3000

// Middleware
app.use(express.json()); // Enable parsing JSON request bodies

// Basic logging middleware (optional but helpful)
app.use((req, res, next) => {
    console.log(`[${new Date().toISOString()}] ${req.method} ${req.url}`);
    next();
});

// Mount Routes
app.use('/api', broadcastRoutes); // Mount broadcast routes under /api prefix

// Basic Error Handler Middleware (simple example)
app.use((err, req, res, next) => {
    console.error('Global Error Handler:', err.stack);
    res.status(err.status || 500).json({
        error: {
            message: err.message || 'Something went wrong!',
            // Optionally include stack trace in development
            stack: process.env.NODE_ENV === 'development' ? err.stack : undefined,
        }
    });
});

// Start the server
app.listen(port, () => {
    console.log(`Server running on http://localhost:${port}`);
    // Verify essential env vars are loaded (optional startup check)
    if (!process.env.SINCH_SERVICE_PLAN_ID || !process.env.SINCH_API_TOKEN || !process.env.SINCH_NUMBER) {
         console.warn('WARN: Missing one or more required Sinch environment variables (ID, TOKEN, NUMBER). API calls may fail.');
    }
});

// Add this line to handle ES module syntax for top-level await or other features if needed later
export default app;
    • Module Type: Add "type": "module" to your package.json file to enable ES module syntax (import/export).
      json
      // package.json snippet
{
  "name": "sinch-bulk-sms-app",
  "version": "1.0.0",
  "description": "",
  "main": "src/app.js",
  "type": "module",
  "scripts": {
    "start": "node src/app.js",
    "dev": "nodemon src/app.js"
  }
}

2. Implementing Core Functionality with Sinch Service

Create the service responsible for interacting with the Sinch API.

  1. Create Sinch Service (src/services/sinchService.js): This module encapsulates the logic for sending the bulk SMS batch request.

    javascript
    // src/services/sinchService.js
import axios from 'axios';
import dotenv from 'dotenv';

dotenv.config(); // Ensure environment variables are loaded

const SERVICE_PLAN_ID = process.env.SINCH_SERVICE_PLAN_ID;
const API_TOKEN = process.env.SINCH_API_TOKEN;
const SINCH_NUMBER = process.env.SINCH_NUMBER;
const BASE_URL = process.env.SINCH_BASE_URL;

/**
 * Sends a bulk SMS message using the Sinch REST API /batches endpoint.
 * @param {string[]} recipients - An array of recipient phone numbers in E.164 format.
 * @param {string} messageBody - The text message content.
 * @returns {Promise<object&gt;} - The response data from the Sinch API.
 * @throws {Error} - Throws an error if the API call fails or prerequisites are missing.
 */
const sendBulkSms = async (recipients, messageBody) =&gt; {
    if (!SERVICE_PLAN_ID || !API_TOKEN || !SINCH_NUMBER || !BASE_URL) {
        throw new Error('Missing Sinch configuration. Check .env file.');
    }

    if (!recipients || !Array.isArray(recipients) || recipients.length === 0) {
        throw new Error('Recipients array cannot be empty.');
    }
     if (!messageBody || typeof messageBody !== 'string' || messageBody.trim() === '') {
        throw new Error('Message body cannot be empty.');
    }

    const endpoint = `${BASE_URL}/xms/v1/${SERVICE_PLAN_ID}/batches`;

    const payload = {
        from: SINCH_NUMBER,
        to: recipients, // Array of phone numbers
        body: messageBody,
        // Optional parameters:
        // delivery_report: 'full', // Request detailed delivery reports ('none', 'summary', 'full')
        // client_reference: 'your_internal_ref_123', // Custom reference string
        // feedback_enabled: true // Enable feedback (use batch_id to provide delivery feedback)
        // Note: feedback_enabled and delivery_report serve different purposes
        // - feedback_enabled: Allows providing feedback on message delivery success
        // - delivery_report: Requests DLRs via webhooks for delivery status tracking
    };

    const config = {
        headers: {
            'Authorization': `Bearer ${API_TOKEN}`,
            'Content-Type': 'application/json',
        },
    };

    console.log(`Sending bulk SMS via Sinch to ${recipients.length} recipients...`);
    // console.log('Payload:', JSON.stringify(payload, null, 2)); // Uncomment for debugging

    try {
        const response = await axios.post(endpoint, payload, config);
        console.log('Sinch API Success:', response.data);
        // The response contains the batch_id you can use to track status
        return response.data;
    } catch (error) {
        console.error('Sinch API Error:', error.response ? JSON.stringify(error.response.data, null, 2) : error.message);
        // Re-throw a more specific error or handle it
        const errorMessage = error.response?.data?.requestError?.serviceException?.text ||
                           error.response?.data?.text ||
                           error.message ||
                           'Failed to send bulk SMS via Sinch.';
         const statusCode = error.response?.status || 500;
        const serviceError = new Error(errorMessage);
        serviceError.status = statusCode; // Attach status code if available
        serviceError.details = error.response?.data; // Attach full details
        throw serviceError;
    }
};

export { sendBulkSms };
    • Why Axios? It simplifies making HTTP requests and handling promises.
    • Why a Service? Encapsulates external API interaction, making your controller cleaner and the service reusable and easier to test.
    • /batches Endpoint: This specific Sinch API endpoint is designed for sending the same message to multiple recipients efficiently. It supports batch operations including send, dry run (calculates bodies and message parts without sending), delivery feedback, and batch cancellation.
    • Payload Structure: Note the from, to (an array), and body fields. Refer to the Sinch API Documentation for more optional parameters.
    • Authentication: Uses the Bearer token scheme in the Authorization header.
    • Error Handling: Catches errors from Axios, logs details (especially the response data from Sinch if available), and throws a new error with potentially more context.

3. Building the Express API Layer (Routes & Controller)

Define the API endpoint that clients will call to trigger the broadcast.

  1. Create Broadcast Controller (src/controllers/broadcastController.js): This handles incoming requests for the broadcast endpoint, validates input, calls the sinchService, and sends the response.

    javascript
    // src/controllers/broadcastController.js
import { sendBulkSms } from '../services/sinchService.js';

/**
 * Handles the POST request to /api/broadcast
 * Expects JSON body: { recipients: ["+1...", "+1..."], message: "Hello" }
 */
const handleBroadcastRequest = async (req, res, next) =&gt; {
    const { recipients, message } = req.body;

    // Basic Input Validation
    if (!recipients || !Array.isArray(recipients) || recipients.length === 0) {
        return res.status(400).json({ error: 'Missing or invalid "recipients" array in request body.' });
    }
    if (!message || typeof message !== 'string' || message.trim() === '') {
         return res.status(400).json({ error: 'Missing or invalid "message" string in request body.' });
    }

    // More robust validation (example – check E.164 format)
    const e164Pattern = /^\+[1-9]\d{1,14}$/;
    const invalidNumbers = recipients.filter(num =&gt; !e164Pattern.test(num));
    if (invalidNumbers.length &gt; 0) {
         return res.status(400).json({
            error: 'One or more recipient phone numbers are not in valid E.164 format (e.g., +12223334444).',
            invalid_numbers: invalidNumbers
        });
    }

    try {
        console.log(`Received broadcast request for ${recipients.length} recipients.`);
        const sinchResponse = await sendBulkSms(recipients, message);

        // Successfully submitted batch to Sinch
        res.status(202).json({ // 202 Accepted is appropriate as processing is asynchronous
            message: 'Bulk SMS batch submitted successfully to Sinch.',
            batch_id: sinchResponse.id, // Include the batch ID from Sinch
            details: sinchResponse // Include full response for reference
        });

    } catch (error) {
         console.error('Error in handleBroadcastRequest:', error.message);
         // Pass the error to the global error handler middleware
         // Use the status code attached in the service layer, or default
         error.status = error.status || 500;
         next(error); // Forward error to Express error handler in app.js
    }
};

export { handleBroadcastRequest };
    • Input Validation: Performs essential checks on recipients and message. Includes a basic E.164 format check as an example of stricter validation. Consider using a dedicated validation library like express-validator or joi for production apps.
    • Service Call: Calls the sendBulkSms function from your service.
    • Response: Sends a 202 Accepted status on success, indicating the batch was submitted but processing (delivery) is asynchronous. Includes the batch_id from Sinch, which is crucial for tracking.
    • Error Forwarding: Uses next(error) to pass any caught errors to the centralized error handler defined in app.js.

  2. Create Broadcast Routes (src/routes/broadcastRoutes.js): This file defines the specific API endpoint and maps it to the controller function.

    javascript
    // src/routes/broadcastRoutes.js
import express from 'express';
import { handleBroadcastRequest } from '../controllers/broadcastController.js';

const router = express.Router();

// Define the broadcast endpoint
// POST /api/broadcast
router.post('/broadcast', handleBroadcastRequest);

// You could add other related routes here if needed

export default router;
    • Router: Uses express.Router() to create a modular set of routes.
    • Mapping: Maps the POST method on the /broadcast path (which becomes /api/broadcast due to the prefix in app.js) to the handleBroadcastRequest controller function.

4. Integrating with Sinch SMS API

Integration primarily happens within src/services/sinchService.js:

  • Configuration: Reads SINCH_SERVICE_PLAN_ID, SINCH_API_TOKEN, SINCH_NUMBER, and SINCH_BASE_URL from environment variables (.env) using dotenv.
  • API Call: Uses axios to make a POST request to the Sinch /batches endpoint ($&#123;BASE_URL&#125;/xms/v1/$&#123;SERVICE_PLAN_ID&#125;/batches).
  • Authentication: Sets the Authorization: Bearer $&#123;API_TOKEN&#125; header.
  • Payload: Constructs the JSON payload with from, to (array), and body.
  • Secure Handling: Keeping credentials in .env and using .gitignore prevents accidental exposure. Ensure your deployment environment securely manages these variables.

5. Implementing Error Handling and Logging Best Practices

  • Error Handling Strategy:

    • Validation Errors (4xx): Handle these directly in the controller (handleBroadcastRequest) with specific 400 Bad Request responses.
    • API/Server Errors (5xx or Network): Catch these in the sinchService, enrich them with details and status code if possible, then re-throw. Catch them again in the controller and pass via next(error) to the global error handler in app.js, which sends a generic 500 Internal Server Error (or the specific status from the service error).
    • Why Centralized Handling? The global handler in app.js provides a consistent response format for unexpected server errors.

  • Logging:

    • Basic: We've added console.log for request tracking (app.js), successful submissions, and errors (sinchService.js, broadcastController.js).
    • Production Logging: For production, replace console.log with a more robust logging library like Winston or Pino. These enable:
      • Different log levels (info, warn, error, debug).
      • Structured logging (JSON format for easier parsing).
      • Multiple transports (writing to files, external logging services like Datadog, Sentry).
    • Example Log Points:
      • Incoming request details.
      • Payload being sent to Sinch (potentially redacted/summarized).
      • Successful batch submission with batch_id.
      • Detailed error information (including Sinch API error responses).

  • Retry Mechanisms (Conceptual):

    • When to Retry: Retries are suitable for transient errors like network issues or temporary Sinch server problems (e.g., 502, 503, 504 errors). Do not retry client errors (4xx) like invalid numbers or authentication failures – they'll consistently fail.
    • Strategy: Implement exponential backoff. Wait a short period before the first retry, then double the wait time for subsequent retries, up to a maximum number of attempts. Add slight randomness (jitter) to wait times to avoid thundering herd issues.
    • Implementation: While manual implementation is possible, libraries like axios-retry can simplify adding retry logic to Axios requests.
    • Idempotency: Sinch API calls are generally not idempotent by default. Retrying a POST request might result in duplicate batches being sent if the initial request succeeded but the response was lost. Consider adding a unique client_reference in the payload if you implement retries, although Sinch doesn't explicitly guarantee idempotency based on it for the /batches endpoint. It's often safer to log the failure and investigate manually or use a more sophisticated queuing system for critical broadcasts requiring guaranteed exactly-once processing. For this guide, we'll rely on logging failures.

6. Database Schema and Data Layer (Optional Enhancement)

While this guide focuses on accepting recipients directly via the API, a common scenario involves fetching recipients from a database.

  • Schema Example (Conceptual): If you use a relational database (like PostgreSQL) with an ORM (like Prisma or Sequelize), you might have a Subscriber table:

    sql
    CREATE TABLE subscribers (
    id SERIAL PRIMARY KEY,
    phone_number VARCHAR(20) NOT NULL UNIQUE, -- E.164 format
    is_active BOOLEAN DEFAULT TRUE,
    created_at TIMESTAMP WITH TIME ZONE DEFAULT CURRENT_TIMESTAMP,
    updated_at TIMESTAMP WITH TIME ZONE DEFAULT CURRENT_TIMESTAMP
);

  • Entity Relationship Diagram Description (Simple): A more advanced implementation might track broadcasts and recipient status:

    • A SUBSCRIBER table (as above) stores user phone numbers.
    • A BROADCAST table stores information about each bulk message sent (e.g., message body, Sinch batch ID, timestamp).
    • A BROADCAST_RECIPIENT table links SUBSCRIBER and BROADCAST, potentially storing the delivery status for each recipient in a specific broadcast (updated via webhooks).

  • Data Access: You would modify the handleBroadcastRequest controller:

    1. Instead of req.body.recipients, accept a groupId or similar identifier.
    2. Implement a data access function (e.g., subscribersService.getActiveSubscribers(groupId)) to query the database for active phone numbers.
    3. Pass the fetched numbers to sinchService.sendBulkSms.

  • Implementation: Setting up a database, ORM, migrations, and data access functions is beyond the scope of this guide but is a common next step. Tools like Prisma or Sequelize are excellent choices in the Node.js ecosystem.

7. Adding Security Features to Your SMS API

Security is paramount, especially when handling user data and API keys.

  1. Input Validation & Sanitization:

    • We implemented basic validation in the controller. Enhance this:
      • Strict E.164: Ensure phone numbers strictly adhere to the format.
      • Message Length: Check against SMS character limits (typically 160 characters for GSM-7, fewer for UCS-2) or let Sinch handle segmentation. Be aware of costs associated with multi-part messages.
      • Sanitization: While less critical for phone numbers, sanitize message content if it includes user-generated input to prevent potential injection attacks if the message content were ever rendered elsewhere (though unlikely for pure SMS). Libraries like DOMPurify (if rendering) or basic escaping might be relevant depending on context. For this API, strict validation is key.

  2. Rate Limiting:

    • Protect your API from abuse and accidental overload. Use middleware like express-rate-limit.
    • Example Implementation (src/app.js):
      bash
      npm install express-rate-limit
      javascript
      // src/app.js
import rateLimit from 'express-rate-limit';
// ... other imports
import express from 'express'; // Ensure express is imported if not already
import dotenv from 'dotenv';
import broadcastRoutes from './routes/broadcastRoutes.js';

dotenv.config();
const app = express();
const port = process.env.PORT || 3000;

app.use(express.json());

// Apply rate limiting BEFORE your routes
const apiLimiter = rateLimit({
    windowMs: 15 * 60 * 1000, // 15 minutes
    max: 100, // Limit each IP to 100 requests per windowMs
    standardHeaders: true, // Return rate limit info in the RateLimit-* headers
    legacyHeaders: false, // Disable the X-RateLimit-* headers
     message: 'Too many requests from this IP, please try again after 15 minutes',
});

app.use('/api', apiLimiter); // Apply the limiter to /api routes

// Basic logging middleware
app.use((req, res, next) =&gt; {
    console.log(`[${new Date().toISOString()}] ${req.method} ${req.url}`);
    next();
});

// Mount Routes AFTER limiter
app.use('/api', broadcastRoutes);

// Basic Error Handler Middleware
app.use((err, req, res, next) =&gt; {
    console.error('Global Error Handler:', err.stack);
    res.status(err.status || 500).json({
        error: {
            message: err.message || 'Something went wrong!',
            stack: process.env.NODE_ENV === 'development' ? err.stack : undefined,
        }
    });
});

app.listen(port, () =&gt; {
    console.log(`Server running on http://localhost:${port}`);
    if (!process.env.SINCH_SERVICE_PLAN_ID || !process.env.SINCH_API_TOKEN || !process.env.SINCH_NUMBER) {
         console.warn('WARN: Missing one or more required Sinch environment variables (ID, TOKEN, NUMBER). API calls may fail.');
    }
});

export default app;

  3. API Key Security:

    • Already handled using .env and .gitignore.
    • In production, use your hosting provider's secret management system (e.g., AWS Secrets Manager, GCP Secret Manager, Heroku Config Vars).

  4. HTTPS:

    • Always run your production application behind a reverse proxy (like Nginx or Caddy) or use a platform (like Heroku, Vercel, AWS Elastic Beanstalk) that terminates SSL/TLS, ensuring all communication is encrypted via HTTPS. Don't run plain HTTP in production.

  5. Authentication/Authorization (Optional):

    • If this API needs protection, implement an authentication strategy (e.g., API Keys for machine clients, JWT for users) to ensure only authorized clients can trigger broadcasts. This is outside the scope of this basic guide but crucial for many real-world applications.

8. Handling SMS Encoding, Character Limits, and Special Cases

  • Phone Number Formatting: Always normalize and validate numbers to E.164 format (+ followed by country code and number, no spaces or dashes) before sending to Sinch.

  • Message Encoding & Length:

    • GSM-7 Encoding: Standard SMS encoding supports 160 characters per message. A single GSM-7 message allows 160 characters because SMS messages contain 140 8-bit octets: (140 × 8) / 7 = 160. The GSM-7 encoding uses 7 bits per character to encode only characters from Western European languages (including numbers and some punctuation).
    • Multi-part GSM-7 Messages: When messages exceed 160 characters, extra data (User Data Header/UDH) reduces the per-segment size to 153 GSM-7 characters per segment.
    • UCS-2 Encoding: Using non-standard characters (like emojis or certain accented letters) switches encoding to UCS-2, which uses 16 bits per character and reduces the limit to 70 characters per segment. As an SMS message is transmitted in 140 octets, a message encoded in UCS-2 has a maximum of 70 characters: (140 × 8) / (2 × 8) = 70.
    • Multi-part UCS-2 Messages: A multi-part UCS-2 message allows 67 characters per segment.
    • Automatic Encoding Detection: If any character in a message cannot be encoded with GSM-7, UCS-2 will be used for the entire message. Text editors might automatically add smart quotes or non-standard punctuation which looks similar to GSM-7 but is a different Unicode character, triggering UCS-2 encoding.
    • Long messages are automatically split (segmented) by carriers, and you are billed for each segment. Be mindful of message length. Sinch handles segmentation, but inform users or truncate if necessary.

  • Internationalization: The E.164 format inherently handles country codes. Ensure your SINCH_NUMBER is enabled for international sending if broadcasting globally. Handle message content localization in your application logic before calling the API.

  • Delivery Reports (DLRs):

    • Sinch can send delivery status updates via webhooks. This requires:
      1. Setting delivery_report: 'full' (or 'summary' or 'none') in the /batches payload to request detailed delivery reports.
      2. Configuring a webhook URL in your Sinch API settings.
      3. Building another endpoint in your Express app to receive these POST requests from Sinch.
    • Processing DLRs allows tracking message success/failure rates but adds complexity.

9. Implementing Performance Optimizations for Bulk SMS

  • Batching (Already Implemented): Using the /batches endpoint is the single most significant optimization for bulk sending, reducing network latency and API call overhead compared to sending individual messages.

  • Asynchronous Processing (Advanced): For very large broadcasts (tens of thousands or more), the API call to Sinch might take noticeable time, potentially holding up the HTTP request. Consider:

    1. Accept the request quickly (202 Accepted).
    2. Push the broadcast job (recipients, message) onto a message queue (e.g., RabbitMQ, Redis BullMQ, AWS SQS).
    3. Have separate worker processes consume jobs from the queue and call the sinchService.
    • This decouples the API request from the actual sending process, improving API responsiveness but requiring additional infrastructure.

  • Database Query Optimization: If fetching recipients from a database, ensure your queries are efficient (proper indexing on phone_number, is_active, etc.). Fetch only the necessary data (phone_number).

  • Node.js Performance: Ensure non-blocking I/O is used (which axios and standard Node.js operations do). Avoid CPU-bound tasks on the main event loop thread for high-throughput scenarios.

10. Adding Monitoring, Observability, and Analytics

For production readiness, visibility into your application's health and performance is vital.

  • Health Checks: Add a simple endpoint (e.g., /healthz) that returns a 200 OK status. Monitoring systems can ping this to verify the service is running.

  • Metrics: Track key performance indicators (KPIs):

    • Request rate and latency for the /api/broadcast endpoint.
    • Error rates (overall and specifically for Sinch API calls).
    • Number of recipients per broadcast request.
    • Sinch API call duration.
    • Tools: Use libraries like prom-client to expose metrics in Prometheus format, then visualize them in Grafana. Cloud providers often have integrated monitoring solutions.

  • Error Tracking: Integrate an error tracking service like Sentry or Datadog APM. These automatically capture unhandled exceptions, provide detailed stack traces, context, and alerting.

    • Example (app.js with Sentry – conceptual):
      bash
      npm install @sentry/node @sentry/tracing
      javascript
      // src/app.js
import express from 'express';
import dotenv from 'dotenv';
import * as Sentry from '@sentry/node';
import * as Tracing from '@sentry/tracing';
import broadcastRoutes from './routes/broadcastRoutes.js';

dotenv.config();
const app = express();
const port = process.env.PORT || 3000;

// Initialize Sentry *before* anything else
Sentry.init({
  dsn: process.env.SENTRY_DSN, // Get DSN from Sentry project settings
  integrations: [
    new Sentry.Integrations.Http({ tracing: true }), // Enable HTTP tracing
    new Tracing.Integrations.Express({ app }),      // Enable Express tracing
  ],
  tracesSampleRate: 1.0, // Adjust sampling rate in production
  environment: process.env.NODE_ENV || 'development',
});

// Sentry Request Handler – *must* be the first middleware
app.use(Sentry.Handlers.requestHandler());
// Sentry Tracing Handler – *before* any routes
app.use(Sentry.Handlers.tracingHandler());

// Your regular middleware
app.use(express.json());

// Basic logging middleware (optional)
app.use((req, res, next) =&gt; {
    console.log(`[${new Date().toISOString()}] ${req.method} ${req.url}`);
    next();
});

// Your routes
app.use('/api', broadcastRoutes);

// Sentry Error Handler – *must* be before any other error handler
// but *after* all controllers
app.use(Sentry.Handlers.errorHandler());

// Your optional custom error handler (falls back after Sentry)
app.use((err, req, res, next) =&gt; {
   console.error('Global Error Handler:', err.stack);
   // The error id is attached to `res.sentry`
   const errorMsg = `Something went wrong! Ref: ${res.sentry || 'N/A'}`;
   res.status(err.status || 500).json({
       error: {
           message: err.message || errorMsg,
           ref: res.sentry
       }
   });
});

app.listen(port, () =&gt; {
    console.log(`Server running on http://localhost:${port}`);
    if (!process.env.SINCH_SERVICE_PLAN_ID || !process.env.SINCH_API_TOKEN || !process.env.SINCH_NUMBER) {
         console.warn('WARN: Missing one or more required Sinch environment variables (ID, TOKEN, NUMBER). API calls may fail.');
    }
});

export default app;

  • Logging (Revisited): Ensure production logs are collected, aggregated (e.g., ELK stack, Datadog Logs, Papertrail), and searchable for troubleshooting.

11. Troubleshooting Common Sinch API Issues

  • Common Sinch Errors (Check error.response.data):

    • 401 Unauthorized: Invalid API_TOKEN or SERVICE_PLAN_ID. Double-check credentials in .env and the Sinch dashboard. Verify you're using the correct authentication method for your region (OAuth2 for US/EU, API Token for all regions).
    • 400 Bad Request: Often due to invalid phone number format (ensure E.164), missing required fields (from, to, body), or issues with the SINCH_NUMBER (e.g., not provisioned correctly). Check the detailed error message from Sinch.
    • 403 Forbidden: The SINCH_NUMBER might not be allowed to send messages to a specific region, or the account might have restrictions.
    • 429 Too Many Requests: You've exceeded rate limits. Each service plan has a rate limit for messages sent per second. The rate limit is calculated from all messages sent via the API, with a batch of 10 recipients counting as 10 messages for rate limiting purposes.
    • 5xx Server Error: Temporary issue on Sinch's side. Consider implementing retries with backoff for these.

  • Rate Limits:

    • Batch Request Limits: There's a 1,000-message limit per request with a maximum limit of 700 requests per second per IP address.
    • Status Query Limits: Status queries have a rate limit of 1 request per second per IP address. Requests beyond this limit receive HTTP status code 429.
    • Both your own API (if you implement rate limiting) and the Sinch API have rate limits. Handle 429 Too Many Requests errors appropriately (e.g., by slowing down requests or using backoff).

  • Character Encoding: Be mindful of GSM-7 (160 chars) vs. UCS-2 (70 chars) encoding and character limits per SMS segment. Multi-part messages use 153 chars (GSM-7) or 67 chars (UCS-2) per segment.

  • Delivery Status: Remember that a successful API response (202 Accepted with a batch_id) only means Sinch accepted the batch, not that messages were delivered. Use Delivery Reports (Webhooks) for actual delivery confirmation.

  • Cost: Sending SMS messages incurs costs. Understand Sinch's pricing model, especially for segmented messages and international sending. Monitor your usage.

  • Regulations: Be aware of SMS regulations in the countries you're sending to (e.g., opt-in requirements, sending times, content restrictions). Compliance is crucial.

Frequently Asked Questions About Sinch Bulk SMS with Node.js

How do I send bulk SMS messages with Sinch API in Node.js?

Use the Sinch /batches endpoint (/xms/v1/&#123;service_plan_id&#125;/batches) with a POST request containing an array of recipient phone numbers in the to field. Install the required packages (express, axios, dotenv), configure your environment variables with your Sinch credentials (SERVICE_PLAN_ID, API_TOKEN, SINCH_NUMBER), and send a request with the payload structure: &#123; from: SINCH_NUMBER, to: [recipients], body: messageBody &#125;. This guide provides a complete implementation.

What are the Sinch SMS API rate limits for bulk broadcasting?

Sinch SMS API has a 1,000-message limit per request with a maximum of 700 requests per second per IP address. Status queries are limited to 1 request per second per IP. Each service plan has a rate limit for messages sent per second, and the rate limit calculation treats a batch of 10 recipients as 10 messages. Exceeding these limits results in HTTP 429 (Too Many Requests) errors.

What's the difference between GSM-7 and UCS-2 SMS encoding?

GSM-7 encoding supports 160 characters per message (or 153 per segment for multi-part messages) and uses 7 bits per character for Western European languages. UCS-2 encoding supports 70 characters per message (or 67 per segment) and uses 16 bits per character for Unicode characters including emojis. If any character requires UCS-2, the entire message uses UCS-2 encoding, potentially increasing costs due to more segments.

Which Sinch regional endpoints are available and how do I choose?

Sinch provides 5 regional endpoints: US (us.sms.api.sinch.com), EU (eu.sms.api.sinch.com), AU (au.sms.api.sinch.com), BR (br.sms.api.sinch.com), and CA (ca.sms.api.sinch.com). Choose the endpoint matching your Sinch account's region (check your dashboard). US and EU support OAuth2 authentication, while all regions support API Token authentication.

How do I validate phone numbers for Sinch SMS in E.164 format?

Use a regular expression to validate E.164 format: /^\+[1-9]\d&#123;1,14&#125;$/. This ensures numbers start with +, followed by country code and subscriber number (1-14 digits total), with no spaces or dashes. Example valid numbers: +12025550147 (US), +447700900123 (UK). Sinch requires E.164 format for all recipient phone numbers in the to array.

What does the Sinch batches endpoint dry run feature do?

The Sinch /batches endpoint dry run feature calculates message bodies and the number of message parts (segments) without actually sending any SMS messages. Set the dry run parameter in your batch request to test message segmentation, validate encoding (GSM-7 vs UCS-2), and estimate costs before sending. This is useful for testing and cost estimation.

How do I track SMS delivery status with Sinch webhooks?

Configure delivery reports by setting delivery_report: 'full' (or 'summary') in your /batches payload, then configure a webhook URL in your Sinch dashboard. Build an Express endpoint to receive POST requests from Sinch containing delivery status updates (delivered, failed, undelivered). The webhook receives the batch_id and status for each message, allowing you to track delivery success rates.

What's the difference between feedback_enabled and delivery_report in Sinch?

feedback_enabled allows you to provide feedback to Sinch on whether messages were successfully delivered based on your application logic. delivery_report requests Delivery Receipt Reports (DLRs) via webhooks from Sinch for actual carrier delivery status. Use delivery_report for tracking delivery success and feedback_enabled when you have additional delivery confirmation logic in your application.

How do I handle Sinch API authentication errors (401 Unauthorized)?

A 401 error indicates invalid credentials. Verify your SINCH_SERVICE_PLAN_ID and SINCH_API_TOKEN in your .env file match your Sinch dashboard (SMS > APIs section). Ensure you're using the correct authentication method for your region: OAuth2 for US/EU regions, or API Token authentication for all regions including BR, AU, and CA. Check that your Authorization: Bearer $&#123;API_TOKEN&#125; header is properly formatted.

What's the best way to implement retry logic for Sinch API failures?

Implement exponential backoff for transient errors (5xx, network issues, 429 rate limits). Wait progressively longer between retries (e.g., 1s, 2s, 4s, 8s) up to a maximum number of attempts (typically 3-5). Do not retry 4xx client errors (invalid numbers, authentication failures). Use libraries like axios-retry to simplify implementation. Consider using a message queue (RabbitMQ, AWS SQS) for critical broadcasts requiring guaranteed delivery.

How much does it cost to send bulk SMS with Sinch?

Sinch uses pay-as-you-go pricing with costs per message segment. Pricing varies by destination country and message type. Multi-part messages (longer than 160 GSM-7 or 70 UCS-2 characters) incur multiple segment charges. International messages typically cost more than domestic. Check Sinch's pricing page (https://sinch.com/pricing/sms/) for current rates by country, and monitor your Sinch dashboard for usage tracking.

Can I use this Express implementation with Next.js API routes?

While this guide uses Express, you can adapt the core logic for Next.js API routes. Create a file in pages/api/broadcast.js (or app/api/broadcast/route.js for App Router), export a handler function that processes the request, and use the same Sinch service logic. Key differences: Next.js uses serverless functions with different request/response objects, no Express middleware, and potentially different environment variable handling. The Sinch API integration remains the same.

Frequently Asked Questions

Use the Sinch SMS REST API with a Node.js Express app. This allows you to send a single message to multiple recipients by making a POST request to the /batches endpoint. The request should include an array of phone numbers and the message content. This approach is significantly more efficient than sending individual messages and allows for scalable broadcasts.

The Sinch /batches endpoint is designed for efficient bulk SMS messaging. It enables sending the same SMS message to multiple recipients in a single API call, rather than sending numerous individual messages, thus optimizing performance and cost-effectiveness. It expects an array of recipient phone numbers and the message body in the request payload.

Store your Sinch SERVICE_PLAN_ID, API_TOKEN, SINCH_NUMBER, and SINCH_BASE_URL as environment variables in a .env file. Use the dotenv package in your Node.js project to load these variables into your application's environment. This practice keeps your credentials out of your codebase, enhancing security.

Bulk SMS sending leverages Sinch's optimized infrastructure to deliver messages to multiple recipients with a single API call. This reduces overhead compared to iteratively sending individual messages, resulting in improved speed and efficiency. The Sinch /batches endpoint is specifically designed for this type of broadcast.

Consider a message queue for high-volume bulk SMS sending, typically for broadcasts reaching tens of thousands of recipients or more. Queuing decouples the API request from the actual SMS delivery process, enabling your application to handle requests quickly without being slowed down by the time it takes to submit the batch to the Sinch API.

Always use the E.164 format for recipient phone numbers when sending SMS messages via the Sinch API. This international standard includes a plus sign (+), the country code, and the subscriber number without any spaces or dashes (e.g., +12025550147). Proper formatting is crucial for successful delivery.

Yes, you can enable delivery reports (DLRs) in your Sinch API requests and configure a webhook URL in your Sinch account settings. Sinch will then send POST requests to your specified webhook URL with delivery updates for each message. This allows you to track successful deliveries, failures, and other delivery statuses.

Implement robust error handling by catching potential errors from Axios when making requests to the Sinch API. Inspect the error object, specifically error.response.data for detailed information provided by Sinch about the issue. Handle different error codes (4xx, 5xx) appropriately, providing informative error messages and potentially retrying requests for transient errors.

Log key information such as incoming request details, successful batch submissions with batch IDs, and any errors encountered. For errors, include detailed information from the Sinch API response, such as status codes and error messages. Use a structured logging format, like JSON, for easier parsing and analysis in production environments.

Use the express package in Node.js to create an app, define routes, and handle requests. Set up middleware to parse JSON request bodies (app.use(express.json())). Define an API endpoint, such as /api/broadcast, to handle the incoming requests for sending bulk SMS messages. Include error handling middleware to catch and process errors gracefully.

Axios is a promise-based HTTP client used to make HTTP requests to the Sinch API from your Node.js application. It simplifies the process of making API calls, handling responses, and managing asynchronous operations. Axios also provides features for handling errors and network issues.

Protect your API keys by storing them in environment variables (.env) and excluding this file from version control (.gitignore). Implement input validation and sanitization to prevent invalid data from reaching the Sinch API. Consider using rate limiting to protect against abuse. Run your app behind HTTPS and implement authentication/authorization if needed.

Common errors include 401 Unauthorized (check API credentials), 400 Bad Request (verify phone numbers, request body), 403 Forbidden (check number permissions), and 5xx Server Errors (retry with backoff). Carefully inspect error.response.data for detailed error messages from Sinch to diagnose and resolve issues.

Create a clear project structure with directories like src/, controllers/, routes/, services/. This promotes maintainability. The src/app.js file initializes the Express app, controllers handle request logic, routes define endpoints, and services encapsulate API interaction logic.