OTP Authentication

Request a code, receive it by email or SMS, enter it once, and you are done. Each code expires after ten minutes and is accepted exactly once. Repeated wrong guesses lock the channel automatically, which makes brute-forcing a code impractical, while a legitimate user who mistypes once or twice never hits the limit.

Email OTP · SMS OTP · Rate limiting · Attempt lockout · 60s cooldown · Brevo · Resend
01 Request a code: You ask for a code. We check that you have not already requested one on that channel in the last 60 seconds.
02 Code created: A short code is generated and stored securely with a 10-minute expiry.
03 Delivered: The code arrives in your inbox or on your phone. The delivery provider is chosen per organization.
04 Enter the code: You type the code. Each wrong attempt is counted.
05 Verified once: The code is checked and immediately deleted, so it cannot be entered a second time.
06 Auto-lockout: Too many wrong attempts? The channel locks automatically. No guessing allowed.

Rate Limiting & Cooldowns

Each delivery channel (email, SMS) has its own 60-second cooldown between sends; a recent email request does not block an SMS request or vice versa. Failed verification attempts are counted and trigger a lockout once they reach a configurable threshold (default 5). Lockouts are per-user and per-channel and are tracked in Redis, so a failed attempt costs no database write. Cooldown and lockout periods are configurable per application.
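The six-step flow above and the cooldown and lockout rules in this section, as an added worked example that is not the product's own code. It models the Redis commands a service like this would use (SET NX EX for the cooldown, a TTL'd INCR for the failure counter, DEL for single use) against a small in-memory stand-in with an injectable clock, so the whole sequence runs offline. The key layout, the 900-second lockout length, the hashing of the stored code and the decision to drop the live code when a channel locks are assumptions made for illustration; the page itself fixes only the 60-second cooldown, 10-minute expiry and default threshold of 5.

```python
import hashlib
import hmac
import secrets

CODE_TTL = 600       # a code stays valid for 10 minutes
SEND_COOLDOWN = 60   # seconds between sends on one channel
MAX_ATTEMPTS = 5     # wrong guesses before the channel locks (the page's default)
LOCKOUT_TTL = 900    # assumed lockout length; the page only says it is configurable


class FakeRedis:
    """In-memory stand-in for the few Redis commands the flow needs. Keys expire
    lazily against an injectable clock so the demo below is deterministic."""

    def __init__(self, clock):
        self.clock, self.data = clock, {}   # key -> (value, expires_at)

    def _live(self, key):
        item = self.data.get(key)
        if item and item[1] <= self.clock():   # lazy expiry on access
            del self.data[key]
            return None
        return item

    def get(self, key):
        item = self._live(key)
        return item[0] if item else None

    def set_ex(self, key, value, ttl, nx=False):
        """SET key value EX ttl [NX]; returns False when NX and the key exists."""
        if nx and self._live(key):
            return False
        self.data[key] = (value, self.clock() + ttl)
        return True

    def incr_ex(self, key, ttl):
        """INCR whose TTL is set only when the counter is first created."""
        item = self._live(key) or (0, self.clock() + ttl)
        self.data[key] = (item[0] + 1, item[1])
        return item[0] + 1

    def delete(self, *keys):
        for key in keys:
            self.data.pop(key, None)


class OtpService:
    """Steps 01 to 06 of the flow. Codes are stored hashed (an assumption; the page
    only says 'stored securely') and compared in constant time."""

    def __init__(self, store, send):
        self.store, self.send = store, send   # send(channel, address, code) is the provider layer

    @staticmethod
    def _key(kind, user, channel):
        return f"otp:{kind}:{user}:{channel}"   # assumed key layout: one namespace per channel

    @staticmethod
    def _hash(code):
        return hashlib.sha256(code.encode()).hexdigest()

    def request_code(self, user, channel, address):
        if self.store.get(self._key("lock", user, channel)):
            return "locked"
        if not self.store.set_ex(self._key("cooldown", user, channel), "1", SEND_COOLDOWN, nx=True):
            return "cooldown"   # SET NX is the atomic "already requested in the last 60s" check
        code = f"{secrets.randbelow(10**6):06d}"
        self.store.set_ex(self._key("code", user, channel), self._hash(code), CODE_TTL)
        self.send(channel, address, code)
        return "sent"

    def verify(self, user, channel, submitted):
        lock_key, code_key, fail_key = (self._key(k, user, channel) for k in ("lock", "code", "fail"))
        if self.store.get(lock_key):
            return "locked"
        stored = self.store.get(code_key)
        if stored and hmac.compare_digest(stored, self._hash(submitted)):
            self.store.delete(code_key, fail_key)   # single use: gone before the caller hears "ok"
            return "ok"
        # Wrong, expired and missing codes all count as one failure and all look alike to the caller.
        if self.store.incr_ex(fail_key, CODE_TTL) >= MAX_ATTEMPTS:
            self.store.set_ex(lock_key, "1", LOCKOUT_TTL)
            self.store.delete(code_key)   # assumption: locking also discards the live code
            return "locked"
        return "wrong"


def run_demo():
    """Drives the flow on a constructed clock and returns the outcomes in order."""
    now, sent = [0.0], []
    svc = OtpService(FakeRedis(lambda: now[0]), lambda ch, addr, code: sent.append(code))
    u, mail, wrong = "alice", "alice@example.com", "not-a-code"   # constructed sample input
    out = [svc.request_code(u, "email", mail),        # sent
           svc.request_code(u, "email", mail),        # cooldown: same channel within 60s
           svc.request_code(u, "sms", "+15550100"),   # sent: channels are independent
           svc.verify(u, "email", wrong),             # wrong
           svc.verify(u, "email", sent[0]),           # ok
           svc.verify(u, "email", sent[0])]           # wrong: already consumed, no replay
    now[0] += SEND_COOLDOWN
    out.append(svc.request_code(u, "email", mail))    # sent
    now[0] += CODE_TTL
    out.append(svc.verify(u, "email", sent[-1]))      # wrong: expired after 10 minutes
    now[0] += SEND_COOLDOWN
    out.append(svc.request_code(u, "email", mail))    # sent
    out += [svc.verify(u, "email", wrong) for _ in range(MAX_ATTEMPTS - 1)]  # wrong x3, then locked
    out += [svc.verify(u, "email", sent[-1]),         # locked, even with the right code
            svc.request_code(u, "email", mail),       # locked: no new sends either
            svc.request_code(u, "sms", "+15550100")]  # sent: the SMS channel is unaffected
    now[0] += LOCKOUT_TTL + 1
    out.append(svc.request_code(u, "email", mail))    # sent: the lock has expired
    return out
```

Two details worth copying into a real implementation: the cooldown is enforced with a single SET NX EX rather than a GET followed by a SET, so two concurrent requests cannot both slip through, and the failure counter is incremented for expired and missing codes as well as wrong ones, so an attacker cannot use the response to learn whether a live code exists.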

Multi-Provider Delivery

Email OTPs are delivered via Resend (primary) with automatic fallback to Brevo. SMS OTPs are delivered via Mobile Labs or Twilio depending on tenant configuration. Provider selection is per-tenant, allowing different organizations to use different delivery infrastructure with no code changes.