Send SMS and Handle Delivery Status Callbacks with Node.js, Express, and Vonage

This guide provides a complete walkthrough for building a Node.js application using the Express framework to send SMS messages via the Vonage Messages API and handle incoming messages and delivery status updates through webhooks. We will cover project setup, Vonage configuration, core implementation, testing, and best practices for a production-ready solution.

By the end of this tutorial, you will have a functional Node.js server capable of:

Sending SMS messages programmatically.
Receiving inbound SMS messages sent to your Vonage number.
Receiving delivery status updates for messages you've sent.

This enables you to build applications that require reliable SMS communication and status tracking, such as notification systems, two-factor authentication (2FA), or customer support channels.

Project Overview and Goals

We aim to create a robust backend service that leverages the Vonage Messages API for SMS communication. The key challenge this solves is integrating reliable, two-way SMS functionality into a Node.js application, including the crucial aspect of knowing whether a sent message was actually delivered.

Technologies Used:

Node.js: A JavaScript runtime environment for building server-side applications.
Express: A minimal and flexible Node.js web application framework used to create our webhook endpoints.
Vonage Messages API: A unified API for sending and receiving messages across various channels (SMS, MMS, WhatsApp, etc.). We will focus on SMS.
@vonage/server-sdk: The official Vonage Node.js SDK for interacting with Vonage APIs.
dotenv: A module to load environment variables from a .env file for secure configuration management.
ngrok: A tool to expose local development servers to the internet, necessary for testing Vonage webhooks.

System Architecture:

+-------------------+      +---------------------+      +-------------------+
| Your Application  |-----&gt;| Vonage Messages API |-----&gt;| Carrier Network   |-----&gt; User's Phone
| (Node.js/Express)|      | (Send SMS Request)  |      |                   |
+-------------------+      +---------------------+      +-------------------+
        ^  |                        |  ^
        |  | (Webhook Callbacks)    |  | (Delivery Status / Inbound SMS)
        |  +------------------------+  |
        |                              |
+-------------------+      +---------------------+
| ngrok Tunnel      |&lt;-----| Vonage Platform     |
| (For Development) |      | (Webhook Dispatch)  |
+-------------------+      +---------------------+

Prerequisites:

A Vonage API account (Sign up here).
Node.js and npm (or yarn) installed on your machine (Download Node.js).
A Vonage virtual phone number capable of sending/receiving SMS. You can get one from the Vonage Dashboard.
ngrok installed and authenticated (Download ngrok). A free account is sufficient.

Final Outcome:

You will have two main components:

A script (send-sms.js) to send an SMS message via Vonage.
An Express server (server.js) listening for incoming webhook requests from Vonage for inbound messages and delivery status updates.

1. Setting Up the Project

Let's create the project structure and install the necessary dependencies.

1. Create Project Directory: Open your terminal and create a new directory for your project_ then navigate into it.

mkdir vonage-sms-callbacks
cd vonage-sms-callbacks

2. Initialize Node.js Project: Initialize a package.json file.

npm init -y

(This accepts default settings. Feel free to omit -y to customize.)

3. Install Dependencies: We need the Express framework_ the Vonage SDK_ and dotenv for managing environment variables.

npm install express @vonage/server-sdk dotenv --save

express: Web framework for handling webhook requests.
@vonage/server-sdk: To interact with the Vonage APIs.
dotenv: To load credentials securely from a .env file.

4. Create Project Files: Create the main files we'll be working with.

touch .env server.js send-sms.js .gitignore

.env: Stores sensitive credentials (API keys_ application ID_ etc.).
server.js: Runs the Express server to listen for webhooks.
send-sms.js: Contains the logic to send an SMS message.
.gitignore: Specifies files/directories that Git should ignore (like .env and node_modules).

5. Configure .gitignore: Add the following lines to your .gitignore file to prevent committing sensitive information and unnecessary files:

# .gitignore

node_modules
.env
private.key
*.log

6. Set Up Environment Variables (.env): Open the .env file and prepare it for your Vonage credentials. We'll fill these in later.

# .env - Fill these values in later

# Vonage API Credentials (Found in Vonage Dashboard -&gt; API Settings)
VONAGE_API_KEY=YOUR_VONAGE_API_KEY
VONAGE_API_SECRET=YOUR_VONAGE_API_SECRET

# Vonage Application ID (Generated in Step 2)
VONAGE_APPLICATION_ID=YOUR_VONAGE_APPLICATION_ID

# Path to your Vonage Application private key file (Downloaded in Step 2)
VONAGE_PRIVATE_KEY_PATH=./private.key

# Your Vonage virtual number (e.g., 14155550100)
VONAGE_NUMBER=YOUR_VONAGE_NUMBER

# Recipient phone number for testing (e.g., 14155550101)
TO_NUMBER=RECIPIENT_PHONE_NUMBER

# Port for the local Express server
PORT=3000

Why .env? Storing credentials directly in code is insecure. Using environment variables loaded from .env (which is gitignored) keeps secrets out of your source control. dotenv makes this easy in development. In production, you'd typically set these variables directly in your hosting environment.

2. Vonage Application and Webhook Configuration

To use the Messages API for sending and receiving callbacks, you need a Vonage Application. This application acts as a container linking your API key, a private key for authentication, your virtual number, and the webhook URLs Vonage should call.

1. Set Default SMS API to Messages API:

Log in to the Vonage API Dashboard.
Navigate to API Settings in the left-hand menu.
Scroll down to the SMS settings section.
Ensure the Default SMS Setting is set to Messages API. If not, select it and click Save changes.
- Why? Vonage has two SMS APIs (SMS API and Messages API). They use different webhook formats and configurations. This guide uses the newer Messages API, so setting it as the default ensures consistency.

2. Run ngrok: Before creating the Vonage Application, you need a publicly accessible URL for your local server's webhooks. ngrok provides this. Open a new terminal window and run:

ngrok http 3000

(Replace 3000 if you chose a different port in .env)

ngrok will display output similar to this:

Session Status                online
Account                       Your Name (Plan: Free)
Version                       x.x.x
Region                        United States (us)
Web Interface                 http://127.0.0.1:4040
Forwarding                    https://<random-string&gt;.ngrok-free.app -&gt; http://localhost:3000

Connections                   ttl     opn     rt1     rt5     p50     p90
                              0       0       0.00    0.00    0.00    0.00

Copy the https://<random-string>.ngrok-free.app URL. This is your public base URL. Keep this terminal window running.

3. Create a Vonage Application:

In the Vonage Dashboard, navigate to Applications > Create a new application.
Enter an Application name (e.g., Node SMS Callbacks App).
Click Generate public and private key. This will automatically download a file named private.key. Save this file in your project's root directory (the same place as server.js). This key is used by the SDK to authenticate requests for this application.
Under Capabilities, find Messages and toggle it ON.
Two fields will appear: Inbound URL and Status URL.
- Inbound URL: Paste your ngrok Forwarding URL and append /webhooks/inbound. Example: https://<random-string>.ngrok-free.app/webhooks/inbound
- Status URL: Paste your ngrok Forwarding URL and append /webhooks/status. Example: https://<random-string>.ngrok-free.app/webhooks/status
- Why these URLs? The Inbound URL is where Vonage sends data when your Vonage number receives an SMS. The Status URL is where Vonage sends delivery receipt updates for messages you send.
Leave other capabilities off for now.
Click Generate new application.
You'll be taken to the application's page. Copy the Application ID displayed near the top.

4. Link Your Vonage Number:

On the application's page (or by going back to Applications and clicking your app name), scroll down to the Linked numbers section.
Click Link next to the Vonage virtual number you want to use for sending and receiving SMS with this application.
Confirm the linking.

5. Update .env File: Now, open your .env file and fill in the values you obtained:

# .env - Update with your actual values

VONAGE_API_KEY=YOUR_VONAGE_API_KEY # From Dashboard API Settings
VONAGE_API_SECRET=YOUR_VONAGE_API_SECRET # From Dashboard API Settings
VONAGE_APPLICATION_ID=YOUR_COPIED_APPLICATION_ID # From Step 3
VONAGE_PRIVATE_KEY_PATH=./private.key # Should be correct if saved in root
VONAGE_NUMBER=YOUR_VONAGE_VIRTUAL_NUMBER # e.g., 14155550100
TO_NUMBER=YOUR_TEST_RECIPIENT_PHONE_NUMBER # e.g., 14155550101
PORT=3000

Ensure VONAGE_PRIVATE_KEY_PATH correctly points to where you saved the private.key file.

3. Implementing Core Functionality: Sending SMS

Let's write the code to send an SMS message using the Vonage SDK and the credentials associated with your Application.

File: send-sms.js

// send-sms.js
require('dotenv').config(); // Load environment variables from .env file
const fs = require('fs'); // Require Node.js file system module to read the private key

const { Vonage } = require('@vonage/server-sdk');
// Note: Messages capability is accessed via the main Vonage instance

// --- Configuration ---
const vonageApiKey = process.env.VONAGE_API_KEY;
const vonageApiSecret = process.env.VONAGE_API_SECRET;
const vonageApplicationId = process.env.VONAGE_APPLICATION_ID;
const vonagePrivateKeyPath = process.env.VONAGE_PRIVATE_KEY_PATH;
const vonageNumber = process.env.VONAGE_NUMBER;
const toNumber = process.env.TO_NUMBER;

// --- Input Validation (Basic) ---
if (!vonageApiKey || !vonageApiSecret || !vonageApplicationId || !vonagePrivateKeyPath || !vonageNumber || !toNumber) {
    console.error('Error: Missing required environment variables. Check your .env file.');
    process.exit(1); // Exit if configuration is incomplete
}

let privateKey;
try {
    privateKey = fs.readFileSync(vonagePrivateKeyPath);
} catch (err) {
    console.error(`Error reading private key file at path: ${vonagePrivateKeyPath}`);
    console.error(err.message);
    process.exit(1); // Exit if private key cannot be read
}

// --- Initialize Vonage Client ---
// Note: For Messages API with Application ID and Private Key,
// you initialize the main Vonage client slightly differently.
// The API Key and Secret are used for authentication along with the Application ID and Private Key.
const vonage = new Vonage({
  apiKey: vonageApiKey,
  apiSecret: vonageApiSecret, // Secret is still needed for some auth mechanisms, like signed webhooks
  applicationId: vonageApplicationId,
  privateKey: privateKey
});

// --- Define the send SMS function ---
async function sendSms() {
    console.log(`Attempting to send SMS from ${vonageNumber} to ${toNumber}...`);

    try {
        // Use vonage.messages.send() for the Messages API
        const resp = await vonage.messages.send({
            message_type: "text",
            text: "Hello from Vonage and Node.js!",
            to: toNumber,
            from: vonageNumber,
            channel: "sms"
        });

        console.log('SMS Sent Successfully!');
        console.log('Message UUID:', resp.messageUuid); // Access the UUID correctly

    } catch (err) {
        console.error('Error sending SMS:');
        if (err.response?.data) {
            // Log detailed Vonage API error if available
            console.error('Vonage API Error:', JSON.stringify(err.response.data, null, 2));
        } else {
            // Log the general error object
            console.error(err);
        }
    }
}

// --- Execute the function ---
sendSms();

Explanation:

Load Env Vars & FS: Loads .env variables and the Node.js fs module.
Configuration: Reads all necessary variables from process.env.
Basic Validation: Checks if required environment variables are set.
Read Private Key: Reads the private key file content using fs.readFileSync. Includes error handling if the file is missing or unreadable.
Initialize Vonage Client: Creates a Vonage instance, passing the API key, secret, application ID, and the content of the private key.
sendSms Function:
- Defines an async function to handle the asynchronous API call.
- Uses vonage.messages.send() which is the correct method for the Messages API.
- Constructs the message payload specifying message_type, text, to, from, and channel.
- Uses a try...catch block for error handling.
- Logs the messageUuid from the successful response (resp.messageUuid).
- Logs detailed error information if the API call fails.
Execute: Calls the sendSms function to initiate the process.

4. Building the Webhook Server

Now, set up the Express server to listen for incoming webhook calls from Vonage.

File: server.js

// server.js
require('dotenv').config();
const express = require('express');

const app = express();

// Vonage needs to POST JSON data to the webhooks
app.use(express.json());
// Sometimes data might be URL-encoded (less common for Messages API webhooks)
app.use(express.urlencoded({ extended: true }));

const PORT = process.env.PORT || 3000; // Use port from .env or default to 3000

// --- Webhook Endpoints ---

// Endpoint for Inbound SMS Messages
app.post('/webhooks/inbound', (req, res) =&gt; {
  console.log('--- Inbound SMS Received ---');
  console.log('From:', req.body.from?.number || req.body.from); // Handle potential structure variations
  console.log('To:', req.body.to?.number || req.body.to);
  console.log('Message:', req.body.message?.content?.text || req.body.text); // Handle potential structure variations
  console.log('Full Body:', JSON.stringify(req.body, null, 2));
  console.log('--------------------------\n');

  // Vonage requires a 200 OK response to acknowledge receipt of the webhook
  res.status(200).end();
});

// Endpoint for Delivery Status Updates
app.post('/webhooks/status', (req, res) =&gt; {
  console.log('--- Delivery Status Update ---');
  console.log('Message UUID:', req.body.message_uuid);
  console.log('Status:', req.body.status);
  console.log('Timestamp:', req.body.timestamp);
  if (req.body.error) {
    console.error('Error Code:', req.body.error.code);
    console.error('Error Reason:', req.body.error.reason);
  }
  console.log('Full Body:', JSON.stringify(req.body, null, 2));
  console.log('--------------------------\n');

  // Acknowledge receipt
  res.status(200).end();
});

// --- Server Start ---
app.listen(PORT, () =&gt; {
  console.log(`Server listening for webhooks at http://localhost:${PORT}`);
  console.log('Ensure ngrok is running and configured in the Vonage Dashboard:');
  console.log('Inbound URL: /webhooks/inbound');
  console.log('Status URL: /webhooks/status');
});

Explanation:

Load Env Vars: require('dotenv').config(); loads the variables from .env.
Initialize Express: const app = express(); creates the Express application.
Middleware:
- app.use(express.json());: Parses incoming requests with JSON payloads (which Vonage uses for webhooks).
- app.use(express.urlencoded({ extended: true }));: Parses incoming requests with URL-encoded payloads.
Webhook Endpoints:
- app.post('/webhooks/inbound', ...): Defines a handler for POST requests to the /webhooks/inbound path. It logs relevant information from the request body (req.body).
- app.post('/webhooks/status', ...): Defines a handler for POST requests to the /webhooks/status path. It logs the delivery status information.
- res.status(200).end();: This is critical. Vonage expects a 200 OK response quickly to acknowledge receipt. Failure to send this promptly will cause Vonage to retry the webhook.
Start Server: app.listen(PORT, ...) starts the server on the specified port.

5. Implementing Proper Error Handling and Logging

The current code includes basic console.log statements. For production, you'd want more robust logging and error handling.

Error Handling (send-sms.js):

The try...catch block in the updated send-sms.js already handles errors during the API call more robustly. You can enhance this further:

// Example enhancement in send-sms.js catch block (already improved in Section 3)
// ... inside the catch block ...
    console.error("Error sending SMS:"); // Use standard quotes
    // Log specific Vonage error details if available
    if (err.response?.data) {
        console.error("Vonage Error:", JSON.stringify(err.response.data, null, 2)); // Use standard quotes
    } else {
        console.error(err); // Log the generic error
    }
    // Implement retry logic here if needed (e.g., for network errors)
    // Send error notification (e.g., to Sentry, Datadog)
// ...

Logging (server.js):

Replace console.log with a dedicated logging library like winston or pino for structured logging, different log levels (info, warn, error), and log rotation.

npm install winston --save

// Example using Winston in server.js (simplified)
const winston = require('winston');

const logger = winston.createLogger({
  level: 'info',
  format: winston.format.json(),
  transports: [
    new winston.transports.Console({ format: winston.format.simple() }),
    // Add file transport for production
    // new winston.transports.File({ filename: 'error.log', level: 'error' }),
    // new winston.transports.File({ filename: 'combined.log' }),
  ],
});

// Replace console.log with logger.info, logger.warn, logger.error
// e.g., inside /webhooks/inbound
// logger.info('--- Inbound SMS Received ---');
// logger.info(`From: ${req.body.from?.number || req.body.from}`);
// ...etc.

// In case of webhook processing error:
// try { /* process webhook */ } catch (error) {
//   logger.error('Error processing inbound webhook:', error);
//   res.status(500).end(); // Respond with an error, but be cautious as Vonage might retry
// }

app.listen(PORT, () =&gt; {
  logger.info(`Server listening for webhooks at http://localhost:${PORT}`);
  // ...
});

Retry Mechanisms (Vonage):

Webhook Retries: Vonage automatically retries webhook delivery if it doesn't receive a 200 OK. Ensure your webhook endpoints respond quickly. Offload time-consuming processing.
Sending Retries: For sending SMS, implement your own retry logic within the .catch block in send-sms.js if necessary (e.g., for transient network errors), potentially using exponential backoff.

6. Database Schema and Data Layer (Conceptual)

This guide focuses on the core integration. In a real application, you would store message details and status updates in a database.

Conceptual Schema (e.g., PostgreSQL):

CREATE TABLE sms_messages (
    message_uuid UUID PRIMARY KEY, -- Vonage Message UUID
    vonage_number VARCHAR(20) NOT NULL,
    recipient_number VARCHAR(20) NOT NULL,
    message_text TEXT,
    direction VARCHAR(10) NOT NULL, -- 'outbound' or 'inbound'
    status VARCHAR(20) DEFAULT 'submitted', -- e.g., submitted, delivered, failed, rejected
    vonage_status_timestamp TIMESTAMPTZ, -- Timestamp from status webhook
    error_code VARCHAR(10),
    error_reason TEXT,
    created_at TIMESTAMPTZ DEFAULT NOW(),
    updated_at TIMESTAMPTZ DEFAULT NOW()
);

-- Index for querying by status or recipient
CREATE INDEX idx_sms_messages_status ON sms_messages(status);
CREATE INDEX idx_sms_messages_recipient ON sms_messages(recipient_number);

Data Layer Implementation:

Use an ORM (like Prisma, Sequelize, TypeORM) or a query builder (like Knex.js).
Sending: After vonage.messages.send() succeeds, insert a record with direction='outbound', status='submitted', and the message_uuid.
Status Webhook: Find the message by message_uuid and update its status, vonage_status_timestamp, etc.
Inbound Webhook: Insert a new record with direction='inbound', status='delivered', and details from the payload.

7. Adding Security Features

Secure Credential Management: Handled via .env and .gitignore. Use environment variables or secrets management in production. Never commit secrets.
Webhook Signature Verification (Recommended for Production): Vonage signs Messages API webhook requests using HMAC-SHA256 with your API Secret, allowing verification.
- Look for the X-Vonage-Signature header in incoming webhook requests.
- You'll need to generate the signature yourself using the request body and your VONAGE_API_SECRET and compare it to the header value.
- This prevents attackers from sending fake webhooks to your endpoints.
- Consult the Vonage Developer Documentation for the precise steps to implement signed webhook verification for the Messages API. The @vonage/server-sdk may offer utilities, but manual implementation might be needed. Implementing this is crucial for production security.
Input Validation: Validate any user input if you build layers on top of this service.
Rate Limiting: Apply rate limiting to public-facing endpoints, generally not needed for Vonage webhooks themselves.
HTTPS: ngrok provides HTTPS. Ensure your production deployment uses HTTPS for webhook URLs.

8. Handling Special Cases

Character Encoding: The Messages API and SDK handle standard and Unicode characters (like emojis) correctly with type: 'text'.
Multipart Messages: Long SMS are automatically split. The Messages API treats them as one logical message. Delivery receipts might arrive per part or for the whole message.
Delivery Statuses: Handle various statuses: submitted, rejected, failed, expired, delivered.
Number Formatting: Use E.164 format (e.g., +14155550101) for TO_NUMBER and FROM_NUMBER for best results, especially internationally.
Throttling: Respect Vonage API rate limits. Implement delays or queues for bulk sending.

9. Implementing Performance Optimizations

Fast Webhook Responses: Respond 200 OK immediately. Offload slow processing (DB writes, external calls) to background jobs (e.g., bullmq, agenda, AWS SQS).
Database Indexing: Index database tables (like sms_messages) on frequently queried columns (message_uuid, status, numbers).
Resource Usage: Monitor Node.js memory/CPU. Use tools like pm2 for process management and clustering.

10. Adding Monitoring, Observability, and Analytics

Health Checks: Add a /health endpoint returning 200 OK.
Structured Logging: Use Winston/Pino with JSON format for log aggregation (Datadog, Splunk, ELK).
Error Tracking: Integrate Sentry, Bugsnag, etc., to capture unhandled exceptions.
Metrics: Track SMS sent/failed, inbound received, webhook response times, status counts. Use Prometheus/Grafana, Datadog APM.
Dashboards: Visualize key metrics for system health and activity.

11. Troubleshooting and Caveats

Incorrect Credentials/IDs: Double-check VONAGE_API_KEY, VONAGE_API_SECRET, VONAGE_APPLICATION_ID, VONAGE_PRIVATE_KEY_PATH in .env. Ensure the private key file exists and is readable.
ngrok Issues:
- Ensure ngrok runs and points to the correct local port (3000).
- Verify the ngrok Forwarding URL in the Vonage Application webhook settings is current (it changes on restart for free accounts).
- Check the ngrok web interface (http://127.0.0.1:4040) for requests/errors.
Firewall: Ensure your local firewall allows incoming connections on your server port (3000).
Webhook Not Returning 200 OK: Check server logs (server.js output) for errors if Vonage retries webhooks. Ensure quick responses.
Messages API Not Default: Re-verify Messages API is the default SMS setting in the Vonage Dashboard (API Settings) if encountering unexpected issues.
Delivery Receipt (DLR) Limitations: DLRs aren't guaranteed by all carriers. submitted confirms handoff to the carrier.
Invalid private.key: Ensure the private.key file matches the VONAGE_APPLICATION_ID and its content is correct.
Number Formatting Errors: Use E.164 format (+1...) for phone numbers.

12. Deployment and CI/CD

Beyond ngrok: Deploy server.js to a hosting provider (Heroku, AWS, Google Cloud, etc.).
Environment Variables: Configure production environment variables securely via your host. Do not deploy the .env file. Upload private.key securely or store its content in an environment variable (handle newlines carefully).

Process Management: Use pm2 to run your Node.js app:

npm install pm2 -g # Install globally
pm2 start server.js --name vonage-webhooks

CI/CD Pipeline: Set up automated testing, building, and deployment (GitHub Actions, GitLab CI, Jenkins).
Webhook URLs: Update Vonage Application webhook URLs to your production HTTPS endpoint.
Rollback: Have a plan to revert deployments if issues arise.

13. Verification and Testing

1. Start the Services:

Run ngrok http 3000 and note the Forwarding URL.
Ensure Vonage Application webhook URLs use the current ngrok URL.
Start the webhook server: node server.js.

2. Test Sending SMS:

Open another terminal.
Run: node send-sms.js.
Expected:
- Script logs SMS Sent Successfully! Message UUID: <uuid>.
- TO_NUMBER receives the SMS.
- server.js logs a "Delivery Status Update" (initially submitted, then potentially delivered).

3. Test Receiving Inbound SMS:

Send an SMS to your VONAGE_NUMBER.
Expected:
- server.js logs an "Inbound SMS Received" entry.
- Check ngrok web interface (http://127.0.0.1:4040) for request details.

4. Test Error Cases (Conceptual):

Invalid Number: Change TO_NUMBER to an invalid format in send-sms.js, run it, and observe script errors and potential rejected/failed status updates.
Server Down: Stop server.js, send an SMS via send-sms.js. Observe webhook failures in ngrok. Restart server.js to receive queued webhooks.

Verification Checklist:

Dependencies installed (npm install).
.env populated correctly.
private.key file present and correct path in .env.
Vonage Application created, Messages enabled.
Webhook URLs point to correct ngrok/production URL + paths.
Vonage number linked to Application.
ngrok running, forwarding correctly.
server.js running without errors.
node send-sms.js sends SMS successfully.
server.js logs delivery status.
Sending SMS to VONAGE_NUMBER logs inbound message in server.js.
Webhook endpoints return 200 OK.

You now have a solid foundation for sending SMS messages and handling crucial delivery status and inbound message callbacks using Node.js, Express, and the Vonage Messages API. Remember to adapt the logging, error handling, security measures (especially webhook signature verification), and data storage aspects to fit the specific needs of your production application.