OTP API Overview
The OTP (One-Time Password) API enables you to implement secure multi-channel verification for user authentication, phone/email verification, and two-factor authentication (2FA) workflows.
Why Use the OTP API?โ
- ๐ Multi-Channel Support - Send OTPs via Email, SMS, and WhatsApp
- โก Fast & Secure - Industry-standard bcrypt hashing with configurable expiry
- ๐ฏ Flexible Verification - Verify single or multiple channels in one session
- ๐งช Sandbox Mode - Test your integration without sending real messages
- ๐ Session Management - Built-in rate limiting and attempt tracking
- ๐ Auto-Contact Creation - Optionally add verified contacts to your database
- โฑ๏ธ Configurable - Set custom OTP length, expiry, and attempt limits
Core Conceptsโ
OTP Sessionโ
An OTP session is created when you send an OTP. It manages:
- Multiple Channels: Send OTP to email, SMS, and WhatsApp simultaneously
- Verification State: Track which channels have been verified
- Security: Rate limiting, attempt tracking, and automatic expiration
- Metadata: Store custom data for your application logic
Channelsโ
| Channel | Description | Use Case |
|---|---|---|
| Send OTP via email | Email verification, account recovery | |
| SMS | Send OTP via SMS | Phone verification, 2FA |
| Send OTP via WhatsApp | Modern 2FA, international users |
Verification Flowโ
- Send OTP - Create session and send OTP to one or more channels
- User Receives - OTP delivered via Email, SMS, or WhatsApp
- User Submits - User enters OTP code in your application
- Verify OTP - Validate the code and mark channel(s) as verified
- Session Complete - Use verified session data in your application
Key Featuresโ
Multi-Channel Verificationโ
Send OTPs to multiple channels in a single request:
{
"channels": ["email", "sms", "whatsapp"],
"recipients": {
"email": "user@example.com",
"sms": "+1234567890",
"whatsapp": "+1234567890"
}
}
Progressive Verification (Verify Separately)โ
Powerful Feature: Verify different channels at different times!
- Send OTP to multiple channels (email + SMS + WhatsApp)
- User verifies WhatsApp first โ Session becomes
PARTIAL - Later, user verifies email โ Session progresses
- Each channel maintains its own verified state
- All within the same expiry window (e.g., 10 minutes)
Example:
1. Send to Email + SMS (10:00 AM)
2. User verifies SMS (10:03 AM) โ
3. User verifies Email (10:07 AM) โ
4. Session fully verified before expiry (10:10 AM)
Flexible Verification Optionsโ
Choose verification strategy based on your needs:
- All Channels Required: User must verify all channels (progressive or simultaneous)
- Any Channel: User can verify any one channel
- Specific Channels: User must verify specific channels
Security Featuresโ
- Bcrypt Hashing: OTPs are hashed before storage
- Configurable Expiry: Default 10 minutes, customizable per request
- Attempt Limiting: Configurable max attempts (default 3)
- Rate Limiting: Prevent OTP spam and abuse
- Auto-Expiration: Sessions automatically expire after time limit
Sandbox Modeโ
Test your integration without sending real messages:
{
"sandbox_mode": true
}
In sandbox mode:
- OTPs are returned in the API response
- No messages are actually sent
- No wallet charges are applied
- Sessions are marked as sandbox for filtering
API Endpointsโ
| Endpoint | Method | Description |
|---|---|---|
/api/v1/otp/send | POST | Send OTP to one or more channels |
/api/v1/otp/verify | POST | Verify OTP code for a session |
/api/v1/otp/resend | POST | Resend OTP for an existing session |
/api/v1/otp/sessions | GET | List OTP sessions (with filtering) |
Common Use Casesโ
1. Email Verificationโ
# Send OTP to email
POST /api/v1/otp/send
{
"channels": ["email"],
"recipients": {
"email": "newuser@example.com"
},
"metadata": {
"purpose": "email_verification",
"user_id": "user_12345"
}
}
# Verify OTP
POST /api/v1/otp/verify
{
"token": "eyJhbGc...",
"otps": {
"email": "123456"
}
}
2. Phone Verification (SMS + WhatsApp)โ
# Send OTP to both SMS and WhatsApp
POST /api/v1/otp/send
{
"channels": ["sms", "whatsapp"],
"recipients": {
"sms": "+1234567890",
"whatsapp": "+1234567890"
},
"metadata": {
"purpose": "phone_verification"
}
}
# User can verify via either channel
POST /api/v1/otp/verify
{
"token": "eyJhbGc...",
"otps": {
"whatsapp": "654321"
}
}
3. Two-Factor Authentication (2FA)โ
# Send OTP for 2FA
POST /api/v1/otp/send
{
"channels": ["sms"],
"recipients": {
"sms": "+1234567890"
},
"config": {
"otp_length": 6,
"expiry_minutes": 5,
"max_attempts": 3
},
"metadata": {
"purpose": "2fa_login",
"user_id": "user_12345"
}
}
Configuration Optionsโ
OTP Configurationโ
| Option | Type | Default | Description |
|---|---|---|---|
otp_length | number | 6 | Length of OTP code (4-8 digits) |
expiry_minutes | number | 10 | Session expiry time in minutes |
max_attempts | number | 3 | Maximum verification attempts |
Session Metadataโ
Store custom data with each session:
{
"metadata": {
"user_id": "user_12345",
"purpose": "email_verification",
"ip_address": "192.168.1.1",
"user_agent": "Mozilla/5.0..."
}
}
Best Practicesโ
1. Securityโ
- Never expose OTPs: Don't log or store OTPs in plain text
- Use HTTPS: Always use secure connections
- Implement rate limiting: Limit OTP requests per user/IP
- Short expiry times: Use 5-10 minutes for sensitive operations
- Monitor attempts: Block users after suspicious activity
2. User Experienceโ
- Clear instructions: Tell users where to find the OTP
- Resend option: Allow users to request a new OTP
- Multi-channel fallback: Offer alternative channels if one fails
- Auto-fill support: Use standard formats for OTP input
- Clear error messages: Help users understand what went wrong
3. Integrationโ
- Use metadata: Store context for later retrieval
- Handle errors gracefully: Provide helpful error messages
- Test with sandbox: Use sandbox mode during development
- Auto-contact creation: Enable
add_contactfor verified users - Session management: Clean up expired sessions regularly
Error Handlingโ
Common error scenarios:
| Error | Cause | Solution |
|---|---|---|
Invalid OTP | Wrong code entered | Allow retry within attempt limit |
OTP expired | Session timed out | Send new OTP |
Max attempts exceeded | Too many failed attempts | Lock session, send new OTP |
Insufficient balance | Not enough wallet credits | Add credits to wallet |
Invalid recipient | Malformed email/phone | Validate input before sending |
Rate Limitsโ
To prevent abuse, OTP endpoints have rate limits:
- Per User: 5 OTP sends per 5 minutes
- Per Session: 3 verification attempts
- Per IP: 20 OTP sends per hour
Next Stepsโ
- Send OTP - Learn how to send OTPs
- Verify OTP - Learn how to verify OTPs
- Authentication - Set up API authentication