SMS OTP

Six-digit, five-minute one-time codes delivered via Twilio. Useful for phone-first sign-in and for strengthening password logins on sensitive accounts.

Prereqs

  • Twilio: set KL_TWILIO_ACCOUNT_SID, KL_TWILIO_AUTH_TOKEN, KL_TWILIO_FROM_NUMBER.
  • Enable in the instance config: authConfig.sms_otp = true.

Send the code

curl -X POST $KL_API/v1/auth/sign-in/sms-otp \
  -H 'content-type: application/json' \
  -d '{"phone":"+14155551234"}'

Verify the code

curl -X POST $KL_API/v1/auth/sms/verify \
  -H 'content-type: application/json' \
  --cookie-jar cookies.txt \
  -d '{"phone":"+14155551234","code":"419205"}'

The verify call sets __client and __session cookies and returns the user/session ids.

Rate limiting

SMS sends are capped at KL_RATE_LIMIT_OTP_PER_MIN (default 5) per phone number, so repeated send requests for one number can't be used to drain your SMS budget.

Security notes

Stored codes are hashed together with the KL_OTP_PEPPER secret before being written, so a database leak doesn't reveal codes. Rotate the pepper periodically; codes issued before the rotation will stop verifying (this is intentional).
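The rate-limit and storage rules above (six-digit codes, five-minute expiry, single use, peppered hashing that stops verifying after a pepper rotation, and the five-sends-per-minute cap per number), as an added in-memory model written for this page rather than KolayLogin's own code. The HMAC-SHA256 construction, binding the digest to the phone number, and the OtpStore class name are assumptions.

```python
import hashlib
import hmac
import secrets
import time
from collections import defaultdict, deque

OTP_TTL_SECONDS = 300   # five-minute codes, as the page states
OTP_PER_MIN = 5         # default of KL_RATE_LIMIT_OTP_PER_MIN
OTP_DIGITS = 6


class OtpStore:
    """In-memory model of peppered OTP storage (hypothetical, not KolayLogin's code)."""

    def __init__(self, pepper: bytes, now=time.time):
        self.pepper = pepper             # server-side secret, kept apart from the digests
        self.now = now                   # injectable clock so expiry can be tested
        self.codes = {}                  # phone -> (digest, expires_at)
        self.sends = defaultdict(deque)  # phone -> send timestamps inside the last minute

    def _digest(self, phone: str, code: str) -> bytes:
        # Keyed hash (assumed construction): a leaked table can't be brute-forced over the
        # 10**6 possible codes without the pepper, and a new pepper invalidates old digests.
        return hmac.new(self.pepper, f"{phone}:{code}".encode(), hashlib.sha256).digest()

    def send(self, phone: str) -> str:
        t = self.now()
        window = self.sends[phone]
        while window and window[0] <= t - 60:   # drop sends older than one minute
            window.popleft()
        if len(window) >= OTP_PER_MIN:
            raise PermissionError("rate limited: too many codes for this number")
        window.append(t)
        code = f"{secrets.randbelow(10 ** OTP_DIGITS):0{OTP_DIGITS}d}"  # zero-padded
        self.codes[phone] = (self._digest(phone, code), t + OTP_TTL_SECONDS)
        return code   # a real deployment hands this to Twilio, not back to the caller

    def verify(self, phone: str, code: str) -> bool:
        entry = self.codes.get(phone)
        if entry is None:
            return False
        digest, expires_at = entry
        if self.now() > expires_at:
            del self.codes[phone]        # expired: discard so it can't be retried later
            return False
        ok = hmac.compare_digest(digest, self._digest(phone, code))
        if ok:
            del self.codes[phone]        # single use: a verified code can't be replayed
        return ok
```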