At a glance

Numbrrs gives you UK mobile numbers that receive SMS and voice calls, and pushes them to whatever you actually want to use them with — your email, your CRM, your own application, or just the Numbrrs inbox.

A few of the things our customers use Numbrrs for:

  • A dedicated number for sign-up codes and 2FA messages, kept separate from your personal phone.
  • Alerts from suppliers and platforms (your hosting bill, your alarm system, your bank), routed straight into a shared inbox or Slack channel.
  • A number on your shop window that automatically forwards customer messages to whoever's on duty.
  • Voicemail-to-text on a business number, delivered to the right person by transcription.

You can run all of this from the dashboard at app.numbrrs.com, or pull the same data through our API.

Getting started

1

Sign in or create an account

Sign in with an email and password, or use your Google, Microsoft, or GitHub account. New here? Just hit Sign up on the login page — accounts are free to create. You only pay when you order a number.

2

Add a phone number

In Numbers → Add Numbers, choose how often you want to be billed:

  • Monthly for short-term use
  • Quarterly if you'd rather pay less often
  • Annual for the lowest per-month rate

Checkout is handled by Stripe. Your number is provisioned within a few seconds of successful payment.

3

Decide where messages should go

By default, everything goes into your Numbrrs inbox. If you'd like incoming messages copied somewhere else (an email address, your own server), set up a forwarding rule. See Forwarding below.

That's it — you're live.

Your inbox

Everything that lands on one of your numbers shows up under Messages. The inbox is paginated, searchable, and filterable by number, direction, or status.

A couple of small touches worth knowing about:

  • Unread badges — new messages are bold until you open them. Bulk-mark as read from the toolbar.
  • Tags on each row:
    • Unverified means the sender wasn't on your allow list (see Sender lists below). The message is still saved so you can review it.
    • Blocked means the sender matched a deny list entry. Same idea — saved, not forwarded.

Voice calls

Now live. The first phase of voice is generally available on every voice-enabled Numbrrs number — inbound call answering with automatic transcription. Outbound dialling and IVR are on the roadmap.

When a voice call comes in on a voice-enabled number, we save:

  • The caller's number
  • The duration of the call
  • An automatic transcription of what was said
  • A link to the audio recording

You can read or listen back any time from Voice in the sidebar. Voice events can be forwarded to email or a webhook the same way SMS can — see below.

Forwarding

The Forwarding section is split into four tabs:

  • Rules — what gets sent where
  • Sender lists — who's allowed to trigger forwarding
  • History — every delivery attempt for the last 30 days
  • Webhook signing — set up signature verification on your endpoints

Rules

A rule says: "for messages on this number (or all my numbers), matching these senders, on this channel, send to this destination."

When you add a rule you choose:

  • Phone number — apply to one specific number, or all of them.
  • Channel — SMS, Voice, or both. (Voice only appears if your account is voice-enabled.)
  • Destination type — email or webhook URL.
  • Sender match — leave as any sender, or narrow it:
    • Exact — the full sender, e.g. +447123456789 or AcmeBank.
    • Starts with — anything with a given prefix, e.g. +44 for UK senders.
    • Wildcard — a pattern using * as the placeholder, e.g. Bank* matches BankIRL and BankNotice.

Matching is case-insensitive. We deliberately don't support regular expressions — they're too easy to get wrong on a hot path.

Limits. You can have up to 5 forwarding rules per channel — five for SMS and five for voice. A rule on both counts against both budgets.

Sender lists

Forwarding rules answer "where does this go". Sender lists answer the question before that: "should this get forwarded at all?"

You configure two kinds of entries:

  • Allow — once you've added any allow entries, only senders matching one of them get forwarded. Everyone else gets the Unverified tag in your inbox.
  • Deny — senders matching a deny entry are blocked, regardless of any allow entries.

The matchers are the same as on forwarding rules: exact, starts-with, or wildcard. You can have up to 50 entries per channel.

Voice deny entries take effect at the call signalling layer. A blocked voice call is rejected before your number rings — there's no transcription, no recording, and no chance for the caller to leave a message. The blocked attempt still shows in your dashboard so you have a record of it.

Allow-mode voice lists also block calls from withheld or anonymous CLI by default (because they can't be on an allow list). If you'd rather anonymous callers ring through, use a deny-only list instead.

History

Every outbound forwarding attempt — email or webhook — is logged for 30 days. The History tab shows the destination, result, HTTP status (for webhooks), latency, and click-through to the captured request and response bodies.

This is the page to open first when something downstream isn't receiving what you expected.

Webhook signing

If you forward to webhook URLs, you can verify every request really came from us — not from someone who guessed your endpoint.

When signing is set up, every webhook we send carries two headers:

  • X-Numbrrs-Signature: sha256=<hex>
  • X-Numbrrs-Timestamp: <unix-seconds>

The signature is an HMAC-SHA256 over <timestamp>.<raw-body>. Verify on your side by recomputing it with your signing secret, and reject anything where the signature doesn't match or the timestamp is more than ~5 minutes old (a small replay-protection window).

Get started under Forwarding → Webhook signing:

  1. Click Generate signing secret.
  2. Save the value somewhere safe — we show it once and can't show it again.
  3. Add it to your webhook receiver and verify against it.

Copy-paste Node and Python verification samples are below in the Guides section.

Cancelling a number

Click Cancel on any number row. Your number keeps working until the end of your current paid billing period — no further charges, and the row picks up a Canceling badge with the end date.

Changed your mind? Click Undo cancel any time before that end date. Your subscription resumes on its original schedule, with no double-charge and no break in service.

After the period ends, the number is released back to our network supplier and may be reassigned to other customers. We can't reserve a released number for you and we can't guarantee specific numbers will be available again.

Need to cancel and release a number immediately (a fraud or abuse case, say)? Use the Cancel immediately option in the Stripe billing portal — that ends the subscription and releases the number on the spot.

See Terms of Service §5 for the legal wording around cancellation.

Security

Under Security you can:

  • Add passkeys — Touch ID, Face ID, Windows Hello, hardware keys. Faster than passwords and harder to phish.
  • Set up a TOTP authenticator — 1Password, Google Authenticator, Authy, Bitwarden, anything that supports the standard.
  • Save backup codes for when you don't have your authenticator with you.

With any second factor configured, signing in needs your password plus either a passkey, a TOTP code, or a backup code.

API access

Anything you can do in the dashboard is available over our API:

  • Read messages and voice calls
  • Configure forwarding rules, sender lists, signing secrets
  • Inspect forwarding history

Head to API Docs in the sidebar for the quick start, full endpoint reference, webhook payload shapes, and copy-paste signature verification snippets.

A key created in API Keys is shown once at creation — copy it immediately, save it in your secrets manager, and use it in an Authorization: ApiKey <key> header on each request. Keys expire after 90 days by default; rotate when prompted.

Authenticated request
bash
curl https://sms.numbrrs.com/api/v1/messages \
  -H "Authorization: ApiKey $NUMBRRS_API_KEY"
FAQ

Frequently asked questions

The questions we get most often. If yours isn't here, email [email protected] — we read everything.

How long does it take to get a number?
Numbers are provisioned within a few seconds of successful Stripe checkout. There is no manual approval step.
Can I receive 2FA codes on a Numbrrs number?
Yes. Inbound SMS, including 2FA and OTP codes, lands in your Numbrrs inbox and can be forwarded to email or a webhook via a forwarding rule. Use a dedicated Numbrrs number per service so codes go where you need them, not to a personal phone.
Does Numbrrs send outbound SMS?
Numbrrs is inbound-only today. We provide UK mobile numbers for receiving SMS and voice calls. Outbound sending is not currently part of the platform.
How many forwarding rules can I have?
Up to five per channel — five for SMS and five for voice. A rule that applies to both channels counts against both budgets.
What's the difference between allow and deny sender lists?
Allow lists are positive: once you have any allow entries, only senders matching one of them get forwarded. Everyone else gets the Unverified tag in your inbox. Deny lists are negative: matching senders are blocked regardless. Deny takes precedence over allow.
How do I verify webhook signatures?
Every webhook carries an X-Numbrrs-Signature: sha256=<hex> header and an X-Numbrrs-Timestamp header. Recompute HMAC-SHA256 over <timestamp>.<raw-body> with your signing secret and compare. Reject anything where the signature does not match or the timestamp is more than ~5 minutes old. See the API access section for code samples.
How long is forwarding history kept?
30 days. Every outbound delivery attempt — email or webhook — appears in Forwarding → History with destination, result, HTTP status, latency, and a click-through to the captured request and response bodies.
What happens to my number when I cancel?
Your number keeps working until the end of your current paid billing period. After that, it is released back to our network supplier and may be reassigned to other customers. See the Cancelling a number section for the full flow.
Can I get my number back after cancellation?
Once a number is released to the supplier pool, it may be reassigned. We cannot reserve a released number for you and cannot guarantee a specific number will be available again should you wish to repurchase it.
What two-factor methods are supported on sign-in?
Passkeys (Touch ID, Face ID, Windows Hello, hardware keys), TOTP authenticator apps (1Password, Google Authenticator, Authy, Bitwarden, anything that supports the standard), and backup codes for when you do not have your authenticator with you.
How long do API keys live?
Keys expire after 90 days by default. Your dashboard prompts you to rotate when expiry approaches. New keys are shown once at creation — copy immediately and store in your secrets manager.
What voice features are available today?
The first phase of voice is generally available on every voice-enabled Numbrrs number: inbound call answering with automatic transcription. Calls are auto-answered, missed calls trigger a notification, and call transcriptions can be forwarded to email or a webhook the same way SMS is. Outbound dialling and IVR are on the roadmap.
Guides

Recipes for common tasks

Short, copy-pasteable walkthroughs for the things customers ask us about most.

Receive SMS 2FA codes by email

Route codes from a specific sender straight into your inbox — useful for shared bank, hosting, or CI accounts.

  1. Add a Numbrrs number (or pick an existing one).
  2. Forwarding → Sender lists → add the service's sender ID to the Allow list. Match by exact (MyBank) or wildcard (Bank*).
  3. Forwarding → Rules → add a rule for that number, channel SMS, destination email, type your address.
  4. Trigger a test SMS from the service — the code should land in your email within seconds.
Result: Codes from that sender land in your inbox. Codes from anyone else stay tagged Unverified until you decide what to do with them.

Wire your number to n8n, Make, or Zapier

Trigger an automation every time someone texts your Numbrrs number.

  1. In n8n / Make / Zapier, create a webhook trigger and copy its public URL.
  2. Numbrrs → Forwarding → Rules → add a rule for your number, channel SMS, destination webhook, paste the URL.
  3. Numbrrs → Forwarding → Webhook signing → Generate signing secret. Save the value — we show it once.
  4. In your automation, verify X-Numbrrs-Signature on each request (HMAC-SHA256 of <timestamp>.<raw-body>) using the signing secret.
  5. Send a test SMS — the workflow fires immediately with the inbound payload.
Result: Every inbound SMS triggers your workflow with a signed, verified payload. Developing locally? Use a tunnel like ngrok or cloudflared to give the webhook a public URL.

Block nuisance senders

Stop unwanted SMS or voice calls before they reach your inbox or ring through.

  1. Forwarding → Sender lists → add a Deny entry. Match by exact, starts-with, or wildcard.
  2. For SMS: blocked messages are still saved with a Blocked tag — not forwarded.
  3. For voice: deny entries take effect at the signalling layer. The blocked caller never gets through, cannot leave voicemail, and the attempt is logged so you have a record.
Result: Deny entries take precedence over allow entries — if a sender appears on both lists, they are blocked.

Verify webhook signatures (Node &amp; Python)

Copy-paste signature verification so you can confirm a webhook came from us, not someone who guessed the endpoint.

Verify Numbrrs webhook
node
import crypto from 'node:crypto';

const MAX_AGE_SECONDS = 5 * 60;

export function verifyNumbrrsWebhook(req, secret) {
  const sig = req.headers['x-numbrrs-signature'];
  const ts  = req.headers['x-numbrrs-timestamp'];
  if (!sig || !ts) return false;

  // Reject anything older than 5 minutes (replay protection)
  if (Math.abs(Date.now() / 1000 - Number(ts)) > MAX_AGE_SECONDS) return false;

  const expected = crypto
    .createHmac('sha256', secret)
    .update(`${ts}.${req.rawBody}`)
    .digest('hex');

  const provided = sig.replace(/^sha256=/, '');
  return crypto.timingSafeEqual(
    Buffer.from(expected, 'hex'),
    Buffer.from(provided, 'hex'),
  );
}
Verify Numbrrs webhook
python
import hmac
import hashlib
import time

MAX_AGE_SECONDS = 5 * 60

def verify_numbrrs_webhook(headers, raw_body: bytes, secret: str) -> bool:
    sig = headers.get('x-numbrrs-signature', '')
    ts  = headers.get('x-numbrrs-timestamp', '')
    if not sig or not ts:
        return False

    # Reject anything older than 5 minutes (replay protection)
    if abs(time.time() - int(ts)) > MAX_AGE_SECONDS:
        return False

    signed = f"{ts}.".encode() + raw_body
    expected = hmac.new(secret.encode(), signed, hashlib.sha256).hexdigest()
    provided = sig.removeprefix('sha256=')

    return hmac.compare_digest(expected, provided)
Result: Both samples include the 5-minute timestamp freshness check and use constant-time comparison to avoid timing attacks.

Cancel a number (and what to expect if you want it back)

The full cancellation flow, including the supplier-side gotcha.

  1. Numbers → row for your number → Cancel. The row picks up a Canceling badge with the scheduled end date.
  2. Your number keeps working — receiving SMS and calls, running forwarding rules — until the end of the current billing period. No further charges.
  3. Changed your mind? Click Undo cancel any time before that end date. No double-charge, no break in service.
  4. After the period ends, the number is released to our network supplier's pool and may be reassigned to other customers.
Result: We cannot reserve a released number for you. If you might want the number back, undo before the end date — once released, re-purchasing the same number is not guaranteed. Need to release a number immediately (fraud or abuse)? Use Cancel immediately in the Stripe billing portal — that releases it on the spot, with no undo.

Got stuck?

Email [email protected] — we read everything and reply the same business day.