"Affordable encrypted SIM service with strong privacy focus. Messages stay secure with personal key encryption."
Jack KYCnot.me
Crypton.sh Developer API review: clean REST, real encryption, no surcharge
Most SMS APIs we evaluate in 2026 are either expensive carrier APIs (Twilio, Sinch) or budget aggregators with shaky deliverability. Crypton.sh slots between them: a clean REST API at no extra cost, paired with the same end-to-end encrypted inbox model that powers the consumer dashboard. We tested it for inbound delivery, outbound sending and webhook reliability.
Our rating
4.5 / 5
Editorial
Verdict: A small but well-shaped API. Not as feature-broad as Twilio, but it covers SMS in/out, listing numbers, configuring webhooks, and reading delivery status — and the encryption story is genuinely better than anything in the mainstream carrier API space.
What it is
The Crypton.sh API is a RESTful HTTP API that wraps the same SMS infrastructure powering the consumer dashboard. Every rented number — physical or virtual — has API access enabled by default. You authenticate with a per-account token, hit a small set of endpoints, and your application can send messages, read encrypted inbound messages, list rented numbers and configure webhook URLs.
Crucially, the encryption invariant is preserved over the API. Inbound messages are delivered to you as ciphertext encrypted under your key; you decrypt locally. That means a compromised API consumer still cannot leak plaintext beyond the key it holds, and Crypton.sh's server cannot read message content at any stage.
What you can do with it
- Send outgoing SMS from any rented number, with delivery callbacks.
- List inbound messages for a number, with pagination, encrypted at rest.
- Receive webhook pushes on every inbound message so you don't have to poll.
- List and manage numbers attached to your account.
- Query account balance, plan information and message status.
The API surface is intentionally small. Crypton.sh does not try to ship every Twilio feature — it ships the ones developers ask for most.
Authentication and encryption flow
Authentication uses a bearer token issued from the dashboard. You can rotate tokens at any time. Tokens are scoped per-account, not per-number, so one token can drive multiple numbers in the same account.
The encryption flow is the one part that's slightly novel for developers used to Twilio. Because incoming messages are stored encrypted on the server, the API returns ciphertext for inbound messages and your application decrypts it with the key derived from your password. The open-source encryption module makes this routine to implement, but you can't entirely treat the API as a transparent passthrough — you need to handle keys on your side. For most developers this is a feature; for some it's a small learning curve.
Pricing
| Item | Price | Notes |
|---|---|---|
| API access | €0 | Included with any number, no surcharge |
| Inbound SMS | €0 | Included with the number rental |
| Outbound SMS | Pay per message | Same rate as the dashboard |
Pricing is the same as the consumer dashboard. You don't pay extra to access SMS via API.
Use cases that fit Crypton.sh API
- Privacy-respecting products that want a real SMS channel without forcing users into Twilio's KYC layer.
- Automations and personal scripts that need to receive 2FA or notification SMS programmatically — for example, a self-hosted notification gateway.
- SMS-driven workflows (alerts, monitoring) where the developer values an encrypted inbox over compliance bells and whistles.
- API testing fixtures for products that integrate with SMS verification — Crypton.sh numbers are real numbers and good for end-to-end tests.
Pros and cons
What we like
- Free with any number — no surcharge on top of the rental.
- End-to-end encryption preserved over the API.
- Webhook delivery, not just polling.
- Open-source encryption module makes ciphertext handling routine.
- Small, predictable endpoint surface — quick to onboard.
What could be better
- No voice API.
- No MMS support.
- Not aimed at high-volume US 10DLC marketing SMS — for that, use a carrier API.
- Key management is on you, by design. There is a small learning curve.
What developers and users say
"Crypton is a solid and reliable provider of mobile numbers for SMS verifications."
Jon Trustpilot
"Great service when everything works as intended. They were very helpful and added a feature to resolve my issue in less than a week."
Customer Trustpilot
Frequently asked questions
Does Crypton.sh have a public API?
Yes — a RESTful API for sending and receiving SMS, listing numbers, managing webhooks, and reading delivery status. Docs are published on crypton.sh.
Does the API cost extra?
No. API access is included with any number at no surcharge.
How are incoming messages delivered?
Either polled via the API, or pushed to a webhook URL you configure. Both deliver ciphertext; your code decrypts.
Is the API rate-limited?
Yes, with limits documented in the developer reference. Standard accounts cover typical use; bespoke limits are available on request.
Does it support MMS or voice?
Not at this time. The API is SMS-focused.
How do I authenticate?
Bearer token issued from the dashboard. Tokens are rotatable and scoped per-account.
· Written by Jonas Lindqvist, editor of Cryptonreviews. Methodology: editorial standards. Outbound links to crypton.sh carry rel="nofollow sponsored".