SMS OTP
Six-digit, five-minute one-time codes delivered via Twilio. Useful for phone-first sign-in and for strengthening password logins on sensitive accounts.
Prereqs
- Twilio: set AF_TWILIO_ACCOUNT_SID, AF_TWILIO_AUTH_TOKEN and AF_TWILIO_FROM_NUMBER.
- Enable in the instance config: authConfig.sms_otp = true.
Send the code
curl -X POST $AF_API/v1/auth/sign-in/sms-otp \
  -H 'content-type: application/json' \
  -d '{"phone":"+14155551234"}'
Verify the code
curl -X POST $AF_API/v1/auth/sms/verify \
  -H 'content-type: application/json' \
  --cookie-jar cookies.txt \
  -d '{"phone":"+14155551234","code":"419205"}'
The verify call sets the __client and __session cookies and returns the user and session ids.
Rate limiting
SMS sends are capped by AF_RATE_LIMIT_OTP_PER_MIN (default 5) per phone number, so a single number cannot be hammered to drain your SMS budget. A per-number cap does not by itself stop an attacker who cycles through many distinct numbers (SMS pumping / toll fraud), so also limit sends per client IP or account at your edge and set spend alerts on the Twilio side.
Security notes
Codes are stored only as a keyed hash: the secret AF_OTP_PEPPER is mixed in before hashing, so a DB leak alone doesn't reveal codes. The pepper matters because a plain hash of a six-digit code falls to an offline brute force of only 10^6 guesses; keep it out of the database (environment or secret manager). Rotate the pepper periodically; in-flight codes from before the rotation will stop verifying (intentional), so rotate when few challenges are outstanding or accept the resends.
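As an added example (not Authfyio's code), the following Python sketches the server-side logic the two sections above describe: a per-phone send cap of five per minute, six-digit codes that expire after five minutes, codes stored only as an HMAC keyed with the pepper and compared in constant time, single-use challenges, and pepper rotation invalidating in-flight codes. The class and method names, the per-challenge guess cap, the in-memory store and the fake clock are assumptions made for this example.

```python
"""Illustrative server-side model of the SMS OTP flow (added example, not Authfyio's code).

Assumptions: an in-memory challenge store, a pluggable clock, and a cap of five
wrong guesses per challenge. Names (OtpService, issue, verify) are invented here.
"""
import hashlib
import hmac
import secrets
import time
from collections import defaultdict, deque

CODE_TTL_SECONDS = 300       # five-minute codes, as documented
CODE_DIGITS = 6              # six-digit codes, as documented
SENDS_PER_MINUTE = 5         # AF_RATE_LIMIT_OTP_PER_MIN default
MAX_VERIFY_ATTEMPTS = 5      # assumption: guesses allowed per challenge


class RateLimited(Exception):
    """Raised when a phone number exceeds SENDS_PER_MINUTE."""


class OtpService:
    def __init__(self, pepper: bytes, now=time.time):
        self.pepper = pepper
        self.now = now
        self._challenges = {}                # phone -> (digest, expires_at, attempts)
        self._send_log = defaultdict(deque)  # phone -> timestamps of recent sends

    def _digest(self, phone: str, code: str) -> bytes:
        # Keyed hash: the pepper is a secret kept outside the DB. A plain hash of a
        # 6-digit code would be brute-forced offline in 10**6 guesses from a DB leak.
        return hmac.new(self.pepper, f"{phone}\0{code}".encode(), hashlib.sha256).digest()

    def _check_send_rate(self, phone: str) -> None:
        # Sliding one-minute window per phone number.
        window = self._send_log[phone]
        t = self.now()
        while window and t - window[0] >= 60:
            window.popleft()
        if len(window) >= SENDS_PER_MINUTE:
            raise RateLimited(phone)
        window.append(t)

    def issue(self, phone: str) -> str:
        """Create a challenge and return the code to hand to the SMS sender (never stored)."""
        self._check_send_rate(phone)
        code = f"{secrets.randbelow(10 ** CODE_DIGITS):0{CODE_DIGITS}d}"
        self._challenges[phone] = (self._digest(phone, code), self.now() + CODE_TTL_SECONDS, 0)
        return code

    def verify(self, phone: str, code: str) -> bool:
        entry = self._challenges.get(phone)
        if entry is None:
            return False
        digest, expires_at, attempts = entry
        if self.now() >= expires_at or attempts >= MAX_VERIFY_ATTEMPTS:
            del self._challenges[phone]      # expired or exhausted: force a fresh send
            return False
        ok = hmac.compare_digest(digest, self._digest(phone, code))
        if ok:
            del self._challenges[phone]      # single use
        else:
            self._challenges[phone] = (digest, expires_at, attempts + 1)
        return ok

    def rotate_pepper(self, new_pepper: bytes) -> None:
        # In-flight challenges were keyed with the old pepper and will stop verifying.
        self.pepper = new_pepper


class FakeClock:
    """Constructed clock so expiry and the rate window can be exercised deterministically."""
    def __init__(self, t: float = 1_700_000_000.0):
        self.t = t
    def __call__(self) -> float:
        return self.t
    def advance(self, seconds: float) -> None:
        self.t += seconds


def demo() -> dict:
    """Happy path, replay, expiry, the sixth send in a minute, and pepper rotation."""
    clock = FakeClock()
    svc = OtpService(pepper=b"constructed-pepper-for-demo", now=clock)
    phone = "+14155551234"
    results = {}

    code = svc.issue(phone)
    wrong = "000000" if code != "000000" else "000001"
    results["wrong_code_rejected"] = svc.verify(phone, wrong)
    results["right_code_accepted"] = svc.verify(phone, code)
    results["replay_rejected"] = svc.verify(phone, code)

    code = svc.issue(phone)
    clock.advance(CODE_TTL_SECONDS)              # exactly five minutes later
    results["expired_rejected"] = svc.verify(phone, code)

    for _ in range(SENDS_PER_MINUTE):            # earlier sends have aged out of the window
        svc.issue(phone)
    try:
        svc.issue(phone)
        results["sixth_send_limited"] = False
    except RateLimited:
        results["sixth_send_limited"] = True

    clock.advance(60)
    code = svc.issue(phone)
    svc.rotate_pepper(b"new-pepper")
    results["in_flight_code_after_rotation"] = svc.verify(phone, code)
    return results
```

Storing only the keyed digest means the plaintext code exists solely in the SMS; the attempt cap closes the online guessing channel that the pepper does nothing about.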