How are some users receiving OTPs before the website enables “Send OTP” and before captcha completion?

Anurag Bansal — Wed, 17 Dec 2025 13:55:41 +0000

Hello experts,
I’m facing a confusing issue and would really appreciate technical insights from experienced developers or security professionals.

In system, the OTP sending port/slot officially opens at exactly 2:00 PM. Before that time, the website does not show the “Send OTP” option.

However, we’ve observed that some developers or API users are able to receive OTP codes earlier, around 1:58–1:59 PM, even though:

The “Send OTP” button is not yet enabled on the website

The email address is already attached (they don’t need to re-enter email or SIM number)

Captcha (required for both SMS and email OTP) has not yet been completed

OTP is still delivered successfully to email and SMS

This raises several questions:

How is it technically possible to trigger OTP generation before the frontend enables it?
Could this be done by:

Directly calling backend or OTP API endpoints?

Reusing an existing session, token, or cookie?

Predicting or bypassing captcha validation?

Time synchronization differences between frontend and backend servers?

OTP API not enforcing time-based or captcha checks

Missing server-side validation

Rate-limit or session validation flaws

How can this technically be done, and can you share any APIs, request flows, or procedures that would allow triggering OTP generation before the frontend option appears and before captcha completion?

Any explanation of how this might happen, or guidance on the technical flow involved, would be extremely helpful.

Thanks in advance for your guidance.

DEV Community: Anurag Bansal