Why Build OTP from Scratch?

Takes Weeks to Build

OTP generation, rate limiting, expiration logic, multi-channel delivery, verification endpoints—it's a lot of code.

Security is Hard

You need rate limiting, brute-force protection, secure storage, and audit logs. One mistake = security breach.

Ongoing Maintenance

SMS providers change APIs, spam filters evolve, regulations update. You have to maintain it forever.

Not Your Core Product

You should be building features that make you money, not reinventing authentication infrastructure.

The Sendmator OTP System

A complete OTP/2FA system with generation, delivery, and verification—all built-in. Just call two API endpoints.

Generate & send OTP in one API call

Automatic rate limiting & security

Multi-channel: Email, SMS, WhatsApp

Configurable length, expiry, retries

1

Generate & Send OTP

Call one API endpoint. Sendmator generates secure OTPs and sends them via your chosen channel(s).

// Send multi-channel OTP
const response = await fetch('https://api.sendmator.com/api/v1/otp/send', {
  method: 'POST',
  headers: {
    'X-API-Key': 'sk_live_your_api_key',
    'Content-Type': 'application/json'
  },
  body: JSON.stringify({
    channels: ['email', 'sms'], // Send to multiple channels
    recipients: {
      email: 'user@example.com',
      sms: '+1234567890'
    },
    sandbox_mode: true // Use true for testing
  })
});

const { token } = await response.json();
// Save token for verification step

2

User Enters OTP

Show an input field in your app. User receives the OTP and enters it.

Example SMS received:

Your YourApp verification code:

473829

Valid for 5 minutes. Don't share this code.

3

Verify OTP

Send the OTPs entered by user for verification. Get instant true/false response.

// User submits OTPs from email and SMS
const verifyResponse = await fetch('https://api.sendmator.com/api/v1/otp/verify', {
  method: 'POST',
  headers: {
    'X-API-Key': 'sk_live_your_api_key',
    'Content-Type': 'application/json'
  },
  body: JSON.stringify({
    token: token, // from step 1
    otps: {
      email: '123456',  // OTP from email
      sms: '654321'     // OTP from SMS
    }
  })
});

const { verified, message } = await verifyResponse.json();

if (verified) {
  // Success! All OTPs matched - log user in
  loginUser(user);
} else {
  // Invalid or expired OTPs
  showError(message || 'Invalid code. Please try again.');
}

Built-in Security Features

Automatic Expiration

OTPs expire after your specified time (1-30 minutes). Old codes can't be reused.

Rate Limiting

Max 1-10 verification attempts per session. Prevents brute-force attacks.

Resend Cooldown

Minimum 30 second wait between resend requests. Prevents spam and abuse.

Usage Analytics

Track verification rates, failed attempts, and channel performance.

Cryptographically Secure

OTPs generated using cryptographically secure random number generation.

Sandbox Mode

Test with fixed OTPs (123456) in development without sending real messages.

Common OTP Use Cases

Passwordless Login

Let users log in with just their phone number or email—no password needed.

Two-Factor Authentication

Add 2FA to existing password login for extra security on sensitive accounts.

Phone Verification

Verify user phone numbers during signup or profile updates to prevent fake accounts.

Payment Confirmation

Require OTP before processing high-value transactions or withdrawals.

Password Reset

Send OTP to verify identity before allowing password reset—prevents account takeovers.

Sensitive Actions

Require re-verification for account deletion, API key generation, or settings changes.

Transparent OTP Pricing

Email OTP

$0.0025

Per verification

SMS OTP

$0.015

Per verification (US)

WhatsApp OTP

$0.006