Anton, hello!
I noticed one peculiarity when sending SMS via API.
Namely, some of the required directives are u (username) and h (api token). It so happens that even if a person knows the API token, but at the same time does not know the username, he will be able to generate and send SMS. In a word, there is no link between the username and the API-token in the system. It seems to me it would be great to write logic that checks for the presence of two directives and their binding to each other. This will give additional security and reliability to the system.
Respectfully,
Jamshid Tursunov