eSIM Ahora
BlogBuy
← Back to blog

SM-DP+ Explained in 2026 — What It Is and Why Your eSIM Needs It

SM-DP+ in 2026: the server that activates your eSIM in 30 seconds. How the download flow works, differences from LPA, and why choosing a reliable provider

·11 min read·by eSIM Ahora Team

When you install an eSIM, your phone scans a QR code and in 30 seconds you have active service. Behind that magic is SM-DP+ (Subscription Manager Data Preparation Plus), the server that manages the download and activation of eSIM profiles according to the GSMA SGP.22 standard. At eSIM Ahora we use SM-DP+ to deliver profiles in more than 160 countries with instant activation, without needing to swap a physical SIM or visit a store.

This post explains what SM-DP+ is, how the activation flow works, how it differs from LPA (Local Profile Assistant), and why choosing a provider with reliable SM-DP+ infrastructure makes the difference between getting online when you land or being without data for hours.

What is SM-DP+ and why it exists

SM-DP+ is a remote server that stores and prepares eSIM profiles for download. Before eSIM, physical cards (classic SIMs) came pre-loaded from the factory with operator credentials. With eSIM, the eUICC chip in your device starts empty; the profile downloads on demand from an SM-DP+ after purchase.

The GSMA SGP.22 standard (published in 2016, updated in 2023) defines three actors:

  1. eUICC: the eSIM chip inside your device (iPhone, Pixel, Galaxy, iPad).
  2. LPA (Local Profile Assistant): software on the operating system (iOS, Android) that manages profile download and activation. It's the interface between you and the eUICC.
  3. SM-DP+: the eSIM provider's server (us, or an MNO like AT&T) that generates the profile and sends it encrypted to the eUICC.

When you scan the eSIM Ahora QR code, the LPA on your iPhone or Android reads the SM-DP+ address (format 1$smdp.esimahora.com$MATCHING_ID) and connects to download the profile. The SM-DP+ verifies the Matching ID (unique activation code), encrypts the profile with the eUICC's keys, and transmits it. The eUICC installs and activates the profile. All of this happens in seconds, with no human intervention.

Technical flow: from purchase to activation

Step 1: Purchase and profile generation

You buy a 3 GB plan for Mexico at eSIM Ahora. The backend system requests a profile from the SM-DP+ (operated by us or by a provisioning partner like BICS or Tango Telecom). The SM-DP+ generates the profile with:

  • IMSI (International Mobile Subscriber Identity): identifies the subscriber on the mobile network. For example, a Telcel Mexico profile might have IMSI 334-020-XXXXXXXXX (334 = Mexico, 020 = Telcel).
  • Ki (Authentication Key): 128-bit cryptographic key that authenticates the line to the network.
  • OPc: operator-specific key derived from the Ki.
  • APN, PLMN, roaming policies: data access configuration.

The SM-DP+ encrypts the profile with a transport key negotiated with the eUICC and stores the encrypted package along with a Matching ID (unique alphanumeric code, e.g., LPA:1$smdp.esimahora.com$ABC123DEF456).

Step 2: QR code scan

You receive the QR code by email or in your account. The QR encodes the LPA string with three components:

LPA:1$smdp.esimahora.com$ABC123DEF456
  • LPA:1: prefix identifying an SGP.22 activation code.
  • smdp.esimahora.com: SM-DP+ address (domain or IP).
  • ABC123DEF456: Matching ID identifying the specific profile.

You scan the QR with the native camera (iOS) or from Settings > Mobile networks > Add eSIM (Android). The LPA parses the string.

Step 3: Handshake between LPA and SM-DP+

The LPA opens an HTTPS connection to the SM-DP+ (port 443, TLS 1.2 or higher). They exchange certificates:

  • The eUICC presents its EID (eUICC Identifier, 32 digits) and a certificate signed by the manufacturer (Apple, Samsung, Qualcomm).
  • The SM-DP+ validates the certificate against the GSMA CI (Certificate Issuer) trust chain. If the EID is on a blacklist (device reported stolen), it rejects the download.

The SM-DP+ queries its database: does a profile exist with Matching ID ABC123DEF456 and status Released (ready to download)? If yes, it negotiates session keys with the eUICC using the SCP03t protocol (Secure Channel Protocol 03 for transport).

Step 4: Encrypted profile download

The SM-DP+ transmits the encrypted profile in packets (typically 5-20 KB, depending on complexity). The eUICC decrypts, validates the SHA-256 hash, and installs the profile in an empty slot. iOS/Android display the operator name (e.g., "eSIM Ahora MX Telcel") and status "Activating...".

Step 5: Network activation

The eUICC activates the profile. The modem sends a Location Update to the mobile network (e.g., Telcel) with the profile's IMSI. The network queries the operator's HLR/HSS (Home Location Register), verifies that the IMSI exists and has active balance/data, and responds with Location Update Accept. The phone registers 4G/5G signal. The entire process takes 15-45 seconds on networks with fast HLR (Telcel, Movistar Spain), up to 2 minutes on congested networks (some in India, Philippines).

SM-DP+ vs LPA: who does what

Component Location Function
SM-DP+ Remote server of eSIM provider Stores profiles, encrypts, sends to eUICC. Operated by eSIM Ahora or platforms like BICS.
LPA Device operating system (iOS, Android) User interface, scans QR, connects to SM-DP+, downloads profile, installs on eUICC.
eUICC Physical chip inside device Stores up to 5-10 eSIM profiles (physical chip limit), executes network authentication.

The LPA doesn't know your credentials (IMSI, Ki); it only orchestrates the download. The SM-DP+ never sees the decrypted profile content after transmitting (the eUICC decrypts it locally). This design ensures that even if the SM-DP+ is compromised, attackers cannot clone active SIMs (they'd need the eUICC's keys, protected by hardware).

Why SM-DP+ quality matters

Response time

A slow SM-DP+ adds 30-60 seconds to the activation flow. We run SM-DP+ instances on AWS in Frankfurt, São Paulo, and Singapore with <80 ms latency to 95% of our users. If you buy a plan before landing in Cancun and scan the QR when you step off the plane, you have signal before leaving the airport.

Providers with under-dimensioned SM-DP+ (a single server in Virginia for global traffic) generate timeouts during peak hours (Friday evening, high season start). Result: you scan the QR, the LPA hangs on "Contacting server..." for 5 minutes, and you end up using the hotel WiFi to retry.

Availability and redundancy

The GSMA standard doesn't require high availability, but at eSIM Ahora we run SM-DP+ with 99.9% uptime (internal SLA: maximum 43 minutes downtime per month). We use load balancing across 3 instances per region and automatic failover to an alternate region if one fails.

In 2025, a European provider suffered an 8-hour SM-DP+ outage on Christmas Eve due to an expired TLS certificate. Thousands of travelers could not activate eSIMs purchased in advance. The problem: a single SM-DP+ server with no certificate expiration monitoring.

Security and GSMA compliance

The SM-DP+ must comply with GSMA SAS-SM (Security Accreditation Scheme for Subscription Management). This requires:

  • Certificates issued by an authorized GSMA CI (Entrust, DigiCert, GlobalSign).
  • Annual security audits by GSMA auditors.
  • Protection against mass download attacks (rate limiting, CAPTCHA on provisioning APIs).

An unaccredited SM-DP+ can generate profiles, but many eUICCs (especially iPhones) reject connections with untrusted certificates. Result: "Could not activate eSIM" with no detailed error message.

Common SM-DP+-related problems

Error: "Could not contact SM-DP+ server"

Causes:

  1. Corporate firewall or VPN blocking port 443 to the SM-DP+ domain. Solution: disable VPN, connect to home WiFi or your primary SIM's mobile data.
  2. Expired TLS certificate on the SM-DP+. Solution: contact support; the provider must renew the certificate.
  3. Matching ID already used. Each QR code is single-use. Once the eUICC downloads the profile, the SM-DP+ marks the Matching ID as "consumed". If you scan the same QR on another phone, the SM-DP+ responds with error 404 (profile unavailable). Solution: request a new QR code.

Error: "eSIM not compatible with this device"

The device's eUICC won't accept the profile because:

  1. The profile is for an eUICC from another manufacturer. Some SM-DP+ platforms generate profiles optimized for Apple eUICCs; Android with Qualcomm chips may reject them. Solution: verify the provider supports your model.
  2. The LPA version is outdated. iOS <12.1 and Android <9 don't support SGP.22 v2.2. Solution: update your operating system.

Profile downloaded but no signal

The SM-DP+ delivered the profile correctly, but the mobile network doesn't respond. Causes:

  1. Roaming not enabled. In some countries (China, Russia), the local operator blocks roaming of foreign IMSIs by default. We pre-enable roaming in the HLR before releasing the profile, but local networks can change policies without notice.
  2. Incorrect APN. The profile has a generic APN (internet, web.es) but the local operator requires a specific one (internet.telcel.com). Solution: edit the APN in Settings > Mobile data > Mobile data options > Mobile data network (iOS) or Settings > Mobile networks > APN (Android).

How eSIM Ahora verifies SM-DP+ quality

Before contracting an SM-DP+ platform (BICS, Tango Telecom, 1Global), we run tests on 10 device models:

  • iPhone 14 Pro, 15, 15 Pro (Apple eSIM chip).
  • Samsung Galaxy S23, S24 (Samsung eSIM chip).
  • Google Pixel 7, 8 Pro (Qualcomm eSIM chip).
  • Oppo Find X5, Xiaomi 13 (Chinese eUICCs, sometimes with SGP.22 quirks).

We measure:

  1. Download time (target: <30 seconds on 20 Mbps WiFi).
  2. First-attempt success rate (target: >98%).
  3. Compatibility with common VPNs (some LPAs fail if WireGuard is active).

If a platform fails >2% on any metric, we don't use it. In 2024 we dropped a provider because their profiles took 90 seconds to download on Pixel 8 (bug in SCP03t with Qualcomm eUICCs).

SM-DP+ and multi-IMSI: the future

The SGP.22 v3.0 specification (draft 2025, release expected 2027) introduces multi-IMSI profiles: a single eSIM profile with 2-5 IMSIs, each for a different region. Example: you buy a "Global" plan with:

  • Telcel IMSI (Mexico).
  • Movistar IMSI (Spain).
  • AIS IMSI (Thailand).

The eUICC automatically selects the IMSI based on available network. Advantage: no roaming (each country uses a "local" IMSI), avoiding roaming fees that some operators charge internally.

The SM-DP+ must generate multi-IMSI profiles with IMSI selection logic (steering of roaming). This requires more sophisticated HLRs (each IMSI must be provisioned in the corresponding operator's HLR) and coordination between operators.

At eSIM Ahora we plan to launch multi-IMSI profiles in 2027 for the Mexico-USA-Spain corridor (Telcel, AT&T, Movistar IMSIs). The same QR code will give you native coverage in all three countries. To stay updated on the launch, check our USA plans and Spain plans.

Alternatives to SM-DP+: SM-SR (for IoT)

For IoT devices (GPS trackers, smart meters, security cameras), there's SM-SR (Subscription Manager Secure Routing), defined in GSMA SGP.02. SM-SR allows remote profile switching without user intervention (the device has no screen or LPA).

SM-SR is for M2M (machine-to-machine); SM-DP+ is for consumer eSIM (smartphones, tablets, smartwatches). The two standards aren't compatible: a consumer eUICC (SGP.22) won't accept SM-SR commands, and vice versa.

If your Apple Watch uses eSIM, it uses SM-DP+ (the Watch has a consumer eUICC and the iPhone acts as LPA proxy). If you have a Tesla with eSIM for car data, it likely uses SM-SR (profile pre-installed at the factory, updated remotely by Tesla).

FAQ

Can I reuse an SM-DP+ QR code on another device?

No. Each Matching ID is single-use. Once the eUICC downloads the profile, the SM-DP+ marks the Matching ID as "consumed". If you scan the same QR on another phone, the SM-DP+ responds with error 404 (profile unavailable). If you need the profile on another device, contact support to transfer it (involves removing from the original eUICC and generating a new Matching ID).

What happens if the SM-DP+ closes or changes domain?

Once downloaded, the profile is stored on your device's eUICC. The SM-DP+ only intervenes during initial download. If the provider migrates from smdp.old.com to smdp.new.com, your already-installed profiles keep working. Only new QR codes will use the new domain. If the provider shuts down and turns off the SM-DP+, you can't download new profiles, but existing ones stay active until they expire or you run out of data.

Can the SM-DP+ track my location or traffic?

No. The SM-DP+ only sees:

  • Your EID (eSIM chip identifier).
  • The IP from which you connect during download (typically your WiFi or mobile data IP when you scan the QR).
  • Date/time of the download.

Once the profile is installed, data traffic goes through the mobile operator's network (Telcel, Movistar, etc.), not the SM-DP+. The mobile operator can see your location (connected towers) and traffic metadata (visited domains, data volume). The SM-DP+ doesn't participate after activation; only during setup.

esimtroubleshootinginstallationtravelcomparison

Related

Popular destinations

Buy eSIM directly, activation in 30 seconds on landing.

🇹🇷Turkey🇺🇸USA🇯🇵Japan🇹🇭Thailand🇲🇽Mexico🇲🇦Morocco🇮🇹Italy🇫🇷France🇵🇹Portugal🇬🇧UK🇦🇪UAE🇪🇺Europe 30+