The Zeckta OTP Service enables applications to securely generate, deliver, and verify one-time passwords (OTPs) over SMS. Common use cases include:
  • User registration
  • Login verification
  • Multi-factor authentication (MFA)
  • Password recovery
  • Transaction authorization
  • Device verification
  • Email verification
  • KYC verification

How It Works

The OTP verification flow consists of two steps:
  1. Request an OTP
  2. Verify an OTP
Application → Request OTP → SMS Delivered → User Receives Code → Verify OTP → Approved / Rejected

Core Endpoints

Action        Method   Endpoint
Request OTP   POST     /v1/messaging/otp/request
Verify OTP    POST     /v1/messaging/otp/verify

OTP Lifecycle

REQUESTED → APPROVED
Possible terminal outcomes:
INVALID
EXPIRED
ALREADY_USED
MAX_ATTEMPTS_REACHED
NOT_FOUND

Session-Based Verification

Every OTP request generates a unique session identifier. Example:
{
  "sessionId": "feab6011-2469-4804-ace5-ee9dcb5b9ef2",
  "expiresInSeconds": 300,
  "attemptsLeft": 5,
  "reused": false
}
The sessionId must be supplied when verifying an OTP.

Security Features

Expiration

OTPs automatically expire after a configured validity period.

Attempt Limits

Verification attempts are limited to reduce brute-force attacks.

Replay Protection

Successfully verified OTPs cannot be reused.

Workspace Isolation

OTP sessions are isolated per workspace.

Supported OTP Purposes

OTP requests must be associated with a business purpose. Supported values:
LOGIN
PASSWORD_RESET
TRANSACTION
DEVICE_VERIFICATION
EMAIL_VERIFICATION
ACCOUNT_RECOVERY
KYC_VERIFICATION
These values help enforce business intent and prevent abuse.

OTP Reuse

Zeckta can reuse an active OTP session when a valid OTP already exists for the same destination and purpose. This helps reduce unnecessary SMS traffic and improves user experience. When an existing OTP is reused:
{
  "sessionId": "feab6011-2469-4804-ace5-ee9dcb5b9ef2",
  "expiresInSeconds": 143,
  "attemptsLeft": 5,
  "reused": true
}
No additional SMS is sent.
When OTP reuse occurs, clients should continue using the existing session identifier and OTP code until the session expires.

OTP Expiration

OTPs remain valid for a limited period. Default behavior:
TTL: 5 minutes
Maximum Attempts: 5
OTP Length: 6 digits
Applications should verify OTPs immediately after delivery.

Verification Outcomes

Verification attempts can result in the following statuses:
Status                 Description
APPROVED               OTP verified successfully.
INVALID                Incorrect OTP code supplied.
EXPIRED                OTP validity period has elapsed.
ALREADY_USED           OTP has already been successfully verified.
MAX_ATTEMPTS_REACHED   Verification limit exceeded.
NOT_FOUND              OTP session does not exist.

Workspace Isolation

OTP sessions are isolated by workspace. A workspace can only:
  • Request OTPs using its own API key
  • Verify OTPs generated within its own workspace
  • Access sessions associated with its own credentials
Cross-workspace access is not permitted.
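
The lifecycle, reuse and isolation rules described above can be exercised against a small in-memory model. This is an added example, not Zeckta's code: the class and method names, the order in which the checks run, the NOT_FOUND answer for another workspace's session, and the salted-digest storage are all assumptions made for illustration.

```python
import hashlib, hmac, secrets, time, uuid

TTL_SECONDS, MAX_ATTEMPTS, OTP_LENGTH = 300, 5, 6  # defaults stated on this page

class OtpStore:
    """Illustrative model only; names and check order are assumptions."""

    def __init__(self, clock=time.monotonic):
        self.clock = clock
        self.sessions = {}  # (workspace, sessionId) -> session state

    @staticmethod
    def _digest(session_id, code):
        # Keep a session-salted digest so the plaintext code is never stored.
        return hmac.new(session_id.encode(), code.encode(), hashlib.sha256).digest()

    def request(self, workspace, destination, purpose):
        now = self.clock()
        for (ws, sid), s in self.sessions.items():
            live = s["expires"] > now and not s["used"] and s["attempts_left"] > 0
            if ws == workspace and live and s["key"] == (destination, purpose):
                return self._response(sid, s, now, reused=True), None  # no new SMS
        code = "".join(secrets.choice("0123456789") for _ in range(OTP_LENGTH))
        sid = str(uuid.uuid4())
        s = {"key": (destination, purpose), "digest": self._digest(sid, code),
             "expires": now + TTL_SECONDS, "attempts_left": MAX_ATTEMPTS, "used": False}
        self.sessions[(workspace, sid)] = s
        return self._response(sid, s, now, reused=False), code  # code goes to SMS only

    def _response(self, sid, s, now, reused):
        return {"sessionId": sid, "expiresInSeconds": int(s["expires"] - now),
                "attemptsLeft": s["attempts_left"], "reused": reused}

    def verify(self, workspace, session_id, code):
        s = self.sessions.get((workspace, session_id))
        if s is None:
            return "NOT_FOUND"  # also the answer for another workspace's session
        if s["used"]:
            return "ALREADY_USED"
        if self.clock() >= s["expires"]:
            return "EXPIRED"
        if s["attempts_left"] <= 0:
            return "MAX_ATTEMPTS_REACHED"
        s["attempts_left"] -= 1  # every guess costs an attempt, right or wrong
        if hmac.compare_digest(s["digest"], self._digest(session_id, code)):
            s["used"] = True
            return "APPROVED"
        return "INVALID"
```

Passing a fake clock (a callable returning seconds) lets the expiry and reuse paths be tested without waiting out the TTL.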

Security Best Practices

  • Always use HTTPS when transmitting OTPs.
  • Never expose API keys in client-side applications.
  • Do not log OTP codes in plaintext.
  • Verify OTPs immediately after delivery.
  • Treat session identifiers as sensitive credentials.
  • Expired or used OTPs should not be reused.

Next Steps

Request OTP

Generate and deliver an OTP.

Verify OTP

Verify an OTP using a session identifier.