DEV Community: Raza Engage The latest articles on DEV Community by Raza Engage (@raza_engage). https://dev.to/raza_engage https://media2.dev.to/dynamic/image/width=90,height=90,fit=cover,gravity=auto,format=auto/https:%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Fuser%2Fprofile_image%2F3737168%2F915efe35-634c-43d3-95a7-9c30b9829390.png DEV Community: Raza Engage https://dev.to/raza_engage en How to Implement OTP Authentication in Node.js: A Complete Guide for Secure User Verification Raza Engage Wed, 28 Jan 2026 10:44:02 +0000 https://dev.to/raza_engage/how-to-implement-otp-authentication-in-nodejs-a-complete-guide-for-secure-user-verification-3l40 https://dev.to/raza_engage/how-to-implement-otp-authentication-in-nodejs-a-complete-guide-for-secure-user-verification-3l40 <h2> Introduction </h2> <p>Picture this: You've just launched your new app, and within 24 hours, someone has already hijacked three user accounts. Static passwords alone aren't cutting it anymore. One-time passwords (OTPs) offer that extra security layer that keeps accounts safe even when credentials leak.</p> <p>OTP authentication has become the standard for securing everything from banking apps to food delivery services. If you're building any application that handles sensitive user data or transactions, you need a solid OTP implementation.</p> <p>This guide walks you through building a complete OTP authentication system in Node.js, covering everything from generating secure codes to handling SMS delivery failures. You'll learn the security pitfalls that trip up most developers, understand when to choose SMS over email, and see working code you can adapt for your own projects.</p> <h2> Table of Contents </h2> <ul> <li><a href="https://www.google.com/search?q=%23understanding-otp-authentication-fundamentals" rel="noopener noreferrer">Understanding OTP Authentication Fundamentals</a></li> <li><a href="https://www.google.com/search?q=%23setting-up-your-nodejs-environment" rel="noopener noreferrer">Setting Up Your Node.js Environment</a></li> <li><a href="https://www.google.com/search?q=%23generating-secure-otp-codes" rel="noopener noreferrer">Generating Secure OTP Codes</a></li> <li><a href="https://www.google.com/search?q=%23storing-otps-safely-with-redis" rel="noopener noreferrer">Storing OTPs Safely with Redis</a></li> <li><a href="https://www.google.com/search?q=%23implementing-sms-delivery" rel="noopener noreferrer">Implementing SMS Delivery</a></li> <li><a href="https://www.google.com/search?q=%23building-the-verification-endpoint" rel="noopener noreferrer">Building the Verification Endpoint</a></li> <li><a href="https://www.google.com/search?q=%23security-best-practices-that-matter" rel="noopener noreferrer">Security Best Practices That Matter</a></li> <li><a href="https://www.google.com/search?q=%23sms-vs-email-making-the-right-choice" rel="noopener noreferrer">SMS vs Email: Making the Right Choice</a></li> <li><a href="https://www.google.com/search?q=%23common-implementation-mistakes" rel="noopener noreferrer">Common Implementation Mistakes</a></li> </ul> <h2> Understanding OTP Authentication Fundamentals </h2> <p>OTP authentication works on a simple principle: generate a random code, send it to the user through a channel they control (like their phone), and verify they can provide that code back to you. This proves they have access to that channel, adding a second factor beyond just knowing a password.</p> <p>The typical flow looks like this:</p> <ol> <li> <strong>Request:</strong> A user requests an OTP during login or signup.</li> <li> <strong>Generation:</strong> Your server generates a random numeric code (usually 4-6 digits) and stores it temporarily with an expiration time.</li> <li> <strong>Delivery:</strong> The code is sent via SMS.</li> <li> <strong>Verification:</strong> The user submits the code back within the time window.</li> <li> <strong>Success:</strong> If the submitted code matches the stored one and hasn't expired, authentication succeeds.</li> </ol> <p>The security comes from three factors working together:</p> <ul> <li> <strong>Unpredictability:</strong> The code is randomly generated.</li> <li> <strong>Time-Sensitivity:</strong> It expires quickly (typically 5-10 minutes).</li> <li> <strong>Possession:</strong> It targets a device the user physically possesses.</li> </ul> <h2> Setting Up Your Node.js Environment </h2> <p>Before diving into code, let's get your development environment ready. We'll use <strong>Express.js</strong> for the web framework, <strong>Redis</strong> for temporary code storage (essential for TTL management), and <strong>crypto-random-string</strong> for secure generation.<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code><span class="c"># Initialize your project and install dependencies</span> npm init <span class="nt">-y</span> npm <span class="nb">install </span>express redis dotenv crypto-random-string axios npm <span class="nb">install</span> <span class="nt">--save-dev</span> nodemon </code></pre> </div> <p>Create a basic server structure that we'll build upon. This sets up Express with JSON parsing and a Redis connection.<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight javascript"><code><span class="c1">// server.js</span> <span class="kd">const</span> <span class="nx">express</span> <span class="o">=</span> <span class="nf">require</span><span class="p">(</span><span class="dl">'</span><span class="s1">express</span><span class="dl">'</span><span class="p">);</span> <span class="kd">const</span> <span class="nx">redis</span> <span class="o">=</span> <span class="nf">require</span><span class="p">(</span><span class="dl">'</span><span class="s1">redis</span><span class="dl">'</span><span class="p">);</span> <span class="nf">require</span><span class="p">(</span><span class="dl">'</span><span class="s1">dotenv</span><span class="dl">'</span><span class="p">).</span><span class="nf">config</span><span class="p">();</span> <span class="kd">const</span> <span class="nx">app</span> <span class="o">=</span> <span class="nf">express</span><span class="p">();</span> <span class="nx">app</span><span class="p">.</span><span class="nf">use</span><span class="p">(</span><span class="nx">express</span><span class="p">.</span><span class="nf">json</span><span class="p">());</span> <span class="c1">// Redis client setup for storing OTPs</span> <span class="kd">const</span> <span class="nx">redisClient</span> <span class="o">=</span> <span class="nx">redis</span><span class="p">.</span><span class="nf">createClient</span><span class="p">({</span> <span class="na">url</span><span class="p">:</span> <span class="s2">`redis://</span><span class="p">${</span><span class="nx">process</span><span class="p">.</span><span class="nx">env</span><span class="p">.</span><span class="nx">REDIS_HOST</span> <span class="o">||</span> <span class="dl">'</span><span class="s1">localhost</span><span class="dl">'</span><span class="p">}</span><span class="s2">:</span><span class="p">${</span><span class="nx">process</span><span class="p">.</span><span class="nx">env</span><span class="p">.</span><span class="nx">REDIS_PORT</span> <span class="o">||</span> <span class="mi">6379</span><span class="p">}</span><span class="s2">`</span> <span class="p">});</span> <span class="nx">redisClient</span><span class="p">.</span><span class="nf">on</span><span class="p">(</span><span class="dl">'</span><span class="s1">error</span><span class="dl">'</span><span class="p">,</span> <span class="p">(</span><span class="nx">err</span><span class="p">)</span> <span class="o">=&gt;</span> <span class="p">{</span> <span class="nx">console</span><span class="p">.</span><span class="nf">error</span><span class="p">(</span><span class="dl">'</span><span class="s1">Redis connection error:</span><span class="dl">'</span><span class="p">,</span> <span class="nx">err</span><span class="p">);</span> <span class="p">});</span> <span class="p">(</span><span class="k">async </span><span class="p">()</span> <span class="o">=&gt;</span> <span class="p">{</span> <span class="k">await</span> <span class="nx">redisClient</span><span class="p">.</span><span class="nf">connect</span><span class="p">();</span> <span class="nx">console</span><span class="p">.</span><span class="nf">log</span><span class="p">(</span><span class="dl">'</span><span class="s1">Connected to Redis</span><span class="dl">'</span><span class="p">);</span> <span class="p">})();</span> <span class="kd">const</span> <span class="nx">PORT</span> <span class="o">=</span> <span class="nx">process</span><span class="p">.</span><span class="nx">env</span><span class="p">.</span><span class="nx">PORT</span> <span class="o">||</span> <span class="mi">3000</span><span class="p">;</span> <span class="nx">app</span><span class="p">.</span><span class="nf">listen</span><span class="p">(</span><span class="nx">PORT</span><span class="p">,</span> <span class="p">()</span> <span class="o">=&gt;</span> <span class="p">{</span> <span class="nx">console</span><span class="p">.</span><span class="nf">log</span><span class="p">(</span><span class="s2">`OTP server running on port </span><span class="p">${</span><span class="nx">PORT</span><span class="p">}</span><span class="s2">`</span><span class="p">);</span> <span class="p">});</span> </code></pre> </div> <p>Your <code>.env</code> file should contain configuration for Redis and your SMS service credentials:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight plaintext"><code>REDIS_HOST=localhost REDIS_PORT=6379 SMS_API_TOKEN=your_api_token_here SMS_API_URL=https://papi.razaengage.com/SendSmsV2 </code></pre> </div> <h2> Generating Secure OTP Codes </h2> <p>The heart of your OTP system is the code generation function. This needs to be <strong>cryptographically random</strong>, not just mathematically random. Using JavaScript's <code>Math.random()</code> is a security vulnerability because those numbers are predictable if an attacker knows the seed.</p> <p>Here's a secure OTP generator that creates 6-digit codes using Node's crypto module:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight javascript"><code><span class="c1">// utils/otpGenerator.js</span> <span class="kd">const</span> <span class="nx">cryptoRandomString</span> <span class="o">=</span> <span class="nf">require</span><span class="p">(</span><span class="dl">'</span><span class="s1">crypto-random-string</span><span class="dl">'</span><span class="p">);</span> <span class="kd">function</span> <span class="nf">generateOTP</span><span class="p">(</span><span class="nx">length</span> <span class="o">=</span> <span class="mi">6</span><span class="p">)</span> <span class="p">{</span> <span class="c1">// Generate a cryptographically secure random numeric string</span> <span class="k">return</span> <span class="nf">cryptoRandomString</span><span class="p">({</span> <span class="nx">length</span><span class="p">,</span> <span class="na">type</span><span class="p">:</span> <span class="dl">'</span><span class="s1">numeric</span><span class="dl">'</span> <span class="p">});</span> <span class="p">}</span> <span class="kd">function</span> <span class="nf">generateOTPWithExpiry</span><span class="p">()</span> <span class="p">{</span> <span class="kd">const</span> <span class="nx">otp</span> <span class="o">=</span> <span class="nf">generateOTP</span><span class="p">();</span> <span class="kd">const</span> <span class="nx">expiresAt</span> <span class="o">=</span> <span class="k">new</span> <span class="nc">Date</span><span class="p">(</span><span class="nb">Date</span><span class="p">.</span><span class="nf">now</span><span class="p">()</span> <span class="o">+</span> <span class="mi">10</span> <span class="o">*</span> <span class="mi">60</span> <span class="o">*</span> <span class="mi">1000</span><span class="p">);</span> <span class="c1">// 10 minutes from now</span> <span class="k">return</span> <span class="p">{</span> <span class="na">code</span><span class="p">:</span> <span class="nx">otp</span><span class="p">,</span> <span class="na">expiresAt</span><span class="p">:</span> <span class="nx">expiresAt</span><span class="p">.</span><span class="nf">toISOString</span><span class="p">()</span> <span class="p">};</span> <span class="p">}</span> <span class="nx">module</span><span class="p">.</span><span class="nx">exports</span> <span class="o">=</span> <span class="p">{</span> <span class="nx">generateOTP</span><span class="p">,</span> <span class="nx">generateOTPWithExpiry</span> <span class="p">};</span> </code></pre> </div> <h2> Storing OTPs Safely with Redis </h2> <p>You need temporary storage for OTPs that automatically handles expiration. Redis is perfect for this because it offers built-in <strong>TTL (time-to-live)</strong> functionality. When the TTL expires, Redis automatically deletes the key, ensuring old codes can't be reused.<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight javascript"><code><span class="c1">// utils/otpStorage.js</span> <span class="k">async</span> <span class="kd">function</span> <span class="nf">storeOTP</span><span class="p">(</span><span class="nx">phoneNumber</span><span class="p">,</span> <span class="nx">otpData</span><span class="p">,</span> <span class="nx">redisClient</span><span class="p">)</span> <span class="p">{</span> <span class="kd">const</span> <span class="nx">key</span> <span class="o">=</span> <span class="s2">`otp:</span><span class="p">${</span><span class="nx">phoneNumber</span><span class="p">}</span><span class="s2">`</span><span class="p">;</span> <span class="kd">const</span> <span class="nx">ttlSeconds</span> <span class="o">=</span> <span class="mi">600</span><span class="p">;</span> <span class="c1">// 10 minutes</span> <span class="c1">// Store the OTP data as a JSON string</span> <span class="k">await</span> <span class="nx">redisClient</span><span class="p">.</span><span class="nf">setEx</span><span class="p">(</span> <span class="nx">key</span><span class="p">,</span> <span class="nx">ttlSeconds</span><span class="p">,</span> <span class="nx">JSON</span><span class="p">.</span><span class="nf">stringify</span><span class="p">({</span> <span class="na">code</span><span class="p">:</span> <span class="nx">otpData</span><span class="p">.</span><span class="nx">code</span><span class="p">,</span> <span class="na">attempts</span><span class="p">:</span> <span class="mi">0</span><span class="p">,</span> <span class="c1">// Track verification attempts</span> <span class="na">createdAt</span><span class="p">:</span> <span class="k">new</span> <span class="nc">Date</span><span class="p">().</span><span class="nf">toISOString</span><span class="p">()</span> <span class="p">})</span> <span class="p">);</span> <span class="k">return</span> <span class="kc">true</span><span class="p">;</span> <span class="p">}</span> <span class="k">async</span> <span class="kd">function</span> <span class="nf">getOTP</span><span class="p">(</span><span class="nx">phoneNumber</span><span class="p">,</span> <span class="nx">redisClient</span><span class="p">)</span> <span class="p">{</span> <span class="kd">const</span> <span class="nx">key</span> <span class="o">=</span> <span class="s2">`otp:</span><span class="p">${</span><span class="nx">phoneNumber</span><span class="p">}</span><span class="s2">`</span><span class="p">;</span> <span class="kd">const</span> <span class="nx">data</span> <span class="o">=</span> <span class="k">await</span> <span class="nx">redisClient</span><span class="p">.</span><span class="nf">get</span><span class="p">(</span><span class="nx">key</span><span class="p">);</span> <span class="k">if </span><span class="p">(</span><span class="o">!</span><span class="nx">data</span><span class="p">)</span> <span class="k">return</span> <span class="kc">null</span><span class="p">;</span> <span class="k">return</span> <span class="nx">JSON</span><span class="p">.</span><span class="nf">parse</span><span class="p">(</span><span class="nx">data</span><span class="p">);</span> <span class="p">}</span> <span class="k">async</span> <span class="kd">function</span> <span class="nf">incrementAttempts</span><span class="p">(</span><span class="nx">phoneNumber</span><span class="p">,</span> <span class="nx">redisClient</span><span class="p">)</span> <span class="p">{</span> <span class="kd">const</span> <span class="nx">key</span> <span class="o">=</span> <span class="s2">`otp:</span><span class="p">${</span><span class="nx">phoneNumber</span><span class="p">}</span><span class="s2">`</span><span class="p">;</span> <span class="kd">const</span> <span class="nx">data</span> <span class="o">=</span> <span class="k">await</span> <span class="nf">getOTP</span><span class="p">(</span><span class="nx">phoneNumber</span><span class="p">,</span> <span class="nx">redisClient</span><span class="p">);</span> <span class="k">if </span><span class="p">(</span><span class="o">!</span><span class="nx">data</span><span class="p">)</span> <span class="k">return</span> <span class="kc">null</span><span class="p">;</span> <span class="nx">data</span><span class="p">.</span><span class="nx">attempts</span> <span class="o">+=</span> <span class="mi">1</span><span class="p">;</span> <span class="c1">// Get remaining TTL to preserve it</span> <span class="kd">const</span> <span class="nx">ttl</span> <span class="o">=</span> <span class="k">await</span> <span class="nx">redisClient</span><span class="p">.</span><span class="nf">ttl</span><span class="p">(</span><span class="nx">key</span><span class="p">);</span> <span class="k">await</span> <span class="nx">redisClient</span><span class="p">.</span><span class="nf">setEx</span><span class="p">(</span><span class="nx">key</span><span class="p">,</span> <span class="nx">ttl</span><span class="p">,</span> <span class="nx">JSON</span><span class="p">.</span><span class="nf">stringify</span><span class="p">(</span><span class="nx">data</span><span class="p">));</span> <span class="k">return</span> <span class="nx">data</span><span class="p">.</span><span class="nx">attempts</span><span class="p">;</span> <span class="p">}</span> <span class="k">async</span> <span class="kd">function</span> <span class="nf">deleteOTP</span><span class="p">(</span><span class="nx">phoneNumber</span><span class="p">,</span> <span class="nx">redisClient</span><span class="p">)</span> <span class="p">{</span> <span class="kd">const</span> <span class="nx">key</span> <span class="o">=</span> <span class="s2">`otp:</span><span class="p">${</span><span class="nx">phoneNumber</span><span class="p">}</span><span class="s2">`</span><span class="p">;</span> <span class="k">await</span> <span class="nx">redisClient</span><span class="p">.</span><span class="nf">del</span><span class="p">(</span><span class="nx">key</span><span class="p">);</span> <span class="p">}</span> <span class="nx">module</span><span class="p">.</span><span class="nx">exports</span> <span class="o">=</span> <span class="p">{</span> <span class="nx">storeOTP</span><span class="p">,</span> <span class="nx">getOTP</span><span class="p">,</span> <span class="nx">incrementAttempts</span><span class="p">,</span> <span class="nx">deleteOTP</span> <span class="p">};</span> </code></pre> </div> <p>Notice how we track verification attempts. This allows us to implement rate limiting later, preventing brute-force attacks where someone tries to guess the code.</p> <h2> Implementing SMS Delivery </h2> <p>Now comes the critical part: actually sending the OTP to users. SMS delivery needs to be reliable because if codes don't arrive, users can't authenticate.</p> <p>Based on the RazaEngage API documentation, we will use the <code>SendSmsV2</code> endpoint. This API supports both GET and POST requests, but we will use POST for better security and structure.<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight javascript"><code><span class="c1">// services/smsService.js</span> <span class="kd">const</span> <span class="nx">axios</span> <span class="o">=</span> <span class="nf">require</span><span class="p">(</span><span class="dl">'</span><span class="s1">axios</span><span class="dl">'</span><span class="p">);</span> <span class="k">async</span> <span class="kd">function</span> <span class="nf">sendOTP</span><span class="p">(</span><span class="nx">phoneNumber</span><span class="p">,</span> <span class="nx">otpCode</span><span class="p">)</span> <span class="p">{</span> <span class="kd">const</span> <span class="nx">apiUrl</span> <span class="o">=</span> <span class="nx">process</span><span class="p">.</span><span class="nx">env</span><span class="p">.</span><span class="nx">SMS_API_URL</span> <span class="o">||</span> <span class="dl">'</span><span class="s1">https://papi.razaengage.com/SendSmsV2</span><span class="dl">'</span><span class="p">;</span> <span class="c1">// Format phone number (Ensure country code is present)</span> <span class="kd">const</span> <span class="nx">formattedNumber</span> <span class="o">=</span> <span class="nx">phoneNumber</span><span class="p">.</span><span class="nf">startsWith</span><span class="p">(</span><span class="dl">'</span><span class="s1">91</span><span class="dl">'</span><span class="p">)</span> <span class="p">?</span> <span class="nx">phoneNumber</span> <span class="p">:</span> <span class="s2">`91</span><span class="p">${</span><span class="nx">phoneNumber</span><span class="p">}</span><span class="s2">`</span><span class="p">;</span> <span class="kd">const</span> <span class="nx">messageText</span> <span class="o">=</span> <span class="s2">`Your OTP code is </span><span class="p">${</span><span class="nx">otpCode</span><span class="p">}</span><span class="s2">. Valid for 10 minutes. Do not share this code.`</span><span class="p">;</span> <span class="k">try</span> <span class="p">{</span> <span class="p">[</span><span class="nx">cite_start</span><span class="p">]</span><span class="c1">// Constructing the payload based on API docs [cite: 45]</span> <span class="kd">const</span> <span class="nx">payload</span> <span class="o">=</span> <span class="p">{</span> <span class="p">[</span><span class="nx">cite_start</span><span class="p">]</span><span class="na">apiToken</span><span class="p">:</span> <span class="nx">process</span><span class="p">.</span><span class="nx">env</span><span class="p">.</span><span class="nx">SMS_API_TOKEN</span><span class="p">,</span> <span class="c1">// [cite: 47]</span> <span class="p">[</span><span class="nx">cite_start</span><span class="p">]</span><span class="na">messageType</span><span class="p">:</span> <span class="dl">"</span><span class="s2">3</span><span class="dl">"</span><span class="p">,</span> <span class="c1">// "3" designates OTP traffic [cite: 66]</span> <span class="p">[</span><span class="nx">cite_start</span><span class="p">]</span><span class="na">messageEncoding</span><span class="p">:</span> <span class="dl">"</span><span class="s2">1</span><span class="dl">"</span><span class="p">,</span> <span class="c1">// "1" for ASCII [cite: 58]</span> <span class="p">[</span><span class="nx">cite_start</span><span class="p">]</span><span class="na">destinationAddress</span><span class="p">:</span> <span class="nx">formattedNumber</span><span class="p">,</span> <span class="c1">// [cite: 50]</span> <span class="p">[</span><span class="nx">cite_start</span><span class="p">]</span><span class="na">sourceAddress</span><span class="p">:</span> <span class="dl">"</span><span class="s2">VERIFY</span><span class="dl">"</span><span class="p">,</span> <span class="c1">// Sender ID [cite: 51]</span> <span class="p">[</span><span class="nx">cite_start</span><span class="p">]</span><span class="na">messageText</span><span class="p">:</span> <span class="nx">messageText</span><span class="p">,</span> <span class="c1">// [cite: 52]</span> <span class="p">[</span><span class="nx">cite_start</span><span class="p">]</span><span class="c1">// Optional: Callback URL for delivery reports [cite: 52]</span> <span class="na">callBackUrl</span><span class="p">:</span> <span class="s2">`</span><span class="p">${</span><span class="nx">process</span><span class="p">.</span><span class="nx">env</span><span class="p">.</span><span class="nx">APP_URL</span><span class="p">}</span><span class="s2">/api/sms-callback`</span><span class="p">,</span> <span class="p">[</span><span class="nx">cite_start</span><span class="p">]</span><span class="na">userReferenceId</span><span class="p">:</span> <span class="s2">`otp_</span><span class="p">${</span><span class="nb">Date</span><span class="p">.</span><span class="nf">now</span><span class="p">()}</span><span class="s2">_</span><span class="p">${</span><span class="nx">phoneNumber</span><span class="p">}</span><span class="s2">`</span> <span class="c1">// [cite: 54]</span> <span class="p">};</span> <span class="kd">const</span> <span class="nx">response</span> <span class="o">=</span> <span class="k">await</span> <span class="nx">axios</span><span class="p">.</span><span class="nf">post</span><span class="p">(</span><span class="nx">apiUrl</span><span class="p">,</span> <span class="nx">payload</span><span class="p">);</span> <span class="p">[</span><span class="nx">cite_start</span><span class="p">]</span><span class="c1">// Check API response structure [cite: 67-76]</span> <span class="c1">// The API returns an array or object containing OperationCode and Status</span> <span class="kd">const</span> <span class="nx">result</span> <span class="o">=</span> <span class="nx">response</span><span class="p">.</span><span class="nx">data</span><span class="p">;</span> <span class="c1">// Assuming response might be an array based on similar APIs, or direct object</span> <span class="kd">const</span> <span class="nx">data</span> <span class="o">=</span> <span class="nb">Array</span><span class="p">.</span><span class="nf">isArray</span><span class="p">(</span><span class="nx">result</span><span class="p">)</span> <span class="p">?</span> <span class="nx">result</span><span class="p">[</span><span class="mi">0</span><span class="p">]</span> <span class="p">:</span> <span class="nx">result</span><span class="p">;</span> <span class="p">[</span><span class="nx">cite_start</span><span class="p">]</span><span class="k">if </span><span class="p">(</span><span class="nx">data</span><span class="p">.</span><span class="nx">OperationCode</span> <span class="o">===</span> <span class="mi">0</span> <span class="o">&amp;&amp;</span> <span class="nx">data</span><span class="p">.</span><span class="nx">Status</span> <span class="o">===</span> <span class="dl">"</span><span class="s2">Success</span><span class="dl">"</span><span class="p">)</span> <span class="p">{</span> <span class="c1">// [cite: 70, 71]</span> <span class="k">return</span> <span class="p">{</span> <span class="na">success</span><span class="p">:</span> <span class="kc">true</span><span class="p">,</span> <span class="p">[</span><span class="nx">cite_start</span><span class="p">]</span><span class="na">messageId</span><span class="p">:</span> <span class="nx">data</span><span class="p">.</span><span class="nx">MessageId</span><span class="p">,</span> <span class="c1">// [cite: 69]</span> <span class="p">[</span><span class="nx">cite_start</span><span class="p">]</span><span class="na">remarks</span><span class="p">:</span> <span class="nx">data</span><span class="p">.</span><span class="nx">Remarks</span> <span class="c1">// [cite: 75]</span> <span class="p">};</span> <span class="p">}</span> <span class="k">else</span> <span class="p">{</span> <span class="k">throw</span> <span class="k">new</span> <span class="nc">Error</span><span class="p">(</span><span class="nx">data</span><span class="p">.</span><span class="nx">Remarks</span> <span class="o">||</span> <span class="dl">'</span><span class="s1">SMS submission failed</span><span class="dl">'</span><span class="p">);</span> <span class="p">}</span> <span class="p">}</span> <span class="k">catch </span><span class="p">(</span><span class="nx">error</span><span class="p">)</span> <span class="p">{</span> <span class="nx">console</span><span class="p">.</span><span class="nf">error</span><span class="p">(</span><span class="dl">'</span><span class="s1">SMS sending error:</span><span class="dl">'</span><span class="p">,</span> <span class="nx">error</span><span class="p">.</span><span class="nx">message</span><span class="p">);</span> <span class="k">throw</span> <span class="k">new</span> <span class="nc">Error</span><span class="p">(</span><span class="dl">'</span><span class="s1">Failed to send OTP via SMS</span><span class="dl">'</span><span class="p">);</span> <span class="p">}</span> <span class="p">}</span> <span class="nx">module</span><span class="p">.</span><span class="nx">exports</span> <span class="o">=</span> <span class="p">{</span> <span class="nx">sendOTP</span> <span class="p">};</span> </code></pre> </div> <h3> Ensuring Delivery Reliability </h3> <p>The <code>callBackUrl</code> parameter is valuable for production systems. It allows the SMS provider to push a delivery status (DLR) back to your server, confirming if the message was "Delivered," "Expired," or "Undeliverable" .</p> <p>When implementing messaging for critical authentication flows, look for <a href="https://www.razaengage.com/services/sms" rel="noopener noreferrer">SMS delivery platforms with automatic retry mechanisms</a> that can switch between carrier routes if the primary path fails. This ensures your OTPs arrive even during network congestion.</p> <h2> Building the Verification Endpoint </h2> <p>With code generation and SMS delivery in place, let's build the API endpoints that tie everything together.<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight javascript"><code><span class="c1">// routes/otpRoutes.js</span> <span class="kd">const</span> <span class="nx">express</span> <span class="o">=</span> <span class="nf">require</span><span class="p">(</span><span class="dl">'</span><span class="s1">express</span><span class="dl">'</span><span class="p">);</span> <span class="kd">const</span> <span class="nx">router</span> <span class="o">=</span> <span class="nx">express</span><span class="p">.</span><span class="nc">Router</span><span class="p">();</span> <span class="kd">const</span> <span class="p">{</span> <span class="nx">generateOTPWithExpiry</span> <span class="p">}</span> <span class="o">=</span> <span class="nf">require</span><span class="p">(</span><span class="dl">'</span><span class="s1">../utils/otpGenerator</span><span class="dl">'</span><span class="p">);</span> <span class="kd">const</span> <span class="p">{</span> <span class="nx">storeOTP</span><span class="p">,</span> <span class="nx">getOTP</span><span class="p">,</span> <span class="nx">incrementAttempts</span><span class="p">,</span> <span class="nx">deleteOTP</span> <span class="p">}</span> <span class="o">=</span> <span class="nf">require</span><span class="p">(</span><span class="dl">'</span><span class="s1">../utils/otpStorage</span><span class="dl">'</span><span class="p">);</span> <span class="kd">const</span> <span class="p">{</span> <span class="nx">sendOTP</span> <span class="p">}</span> <span class="o">=</span> <span class="nf">require</span><span class="p">(</span><span class="dl">'</span><span class="s1">../services/smsService</span><span class="dl">'</span><span class="p">);</span> <span class="c1">// Simple in-memory rate limiter (Move to Redis for production)</span> <span class="kd">const</span> <span class="nx">requestCounts</span> <span class="o">=</span> <span class="k">new</span> <span class="nc">Map</span><span class="p">();</span> <span class="kd">function</span> <span class="nf">checkRateLimit</span><span class="p">(</span><span class="nx">phoneNumber</span><span class="p">)</span> <span class="p">{</span> <span class="kd">const</span> <span class="nx">now</span> <span class="o">=</span> <span class="nb">Date</span><span class="p">.</span><span class="nf">now</span><span class="p">();</span> <span class="kd">const</span> <span class="nx">windowMs</span> <span class="o">=</span> <span class="mi">60</span> <span class="o">*</span> <span class="mi">60</span> <span class="o">*</span> <span class="mi">1000</span><span class="p">;</span> <span class="c1">// 1 hour window</span> <span class="kd">const</span> <span class="nx">maxRequests</span> <span class="o">=</span> <span class="mi">5</span><span class="p">;</span> <span class="kd">const</span> <span class="nx">key</span> <span class="o">=</span> <span class="s2">`rate:</span><span class="p">${</span><span class="nx">phoneNumber</span><span class="p">}</span><span class="s2">`</span><span class="p">;</span> <span class="kd">const</span> <span class="nx">requests</span> <span class="o">=</span> <span class="nx">requestCounts</span><span class="p">.</span><span class="nf">get</span><span class="p">(</span><span class="nx">key</span><span class="p">)</span> <span class="o">||</span> <span class="p">[];</span> <span class="kd">const</span> <span class="nx">recentRequests</span> <span class="o">=</span> <span class="nx">requests</span><span class="p">.</span><span class="nf">filter</span><span class="p">(</span><span class="nx">time</span> <span class="o">=&gt;</span> <span class="nx">now</span> <span class="o">-</span> <span class="nx">time</span> <span class="o">&lt;</span> <span class="nx">windowMs</span><span class="p">);</span> <span class="k">if </span><span class="p">(</span><span class="nx">recentRequests</span><span class="p">.</span><span class="nx">length</span> <span class="o">&gt;=</span> <span class="nx">maxRequests</span><span class="p">)</span> <span class="k">return</span> <span class="kc">false</span><span class="p">;</span> <span class="nx">recentRequests</span><span class="p">.</span><span class="nf">push</span><span class="p">(</span><span class="nx">now</span><span class="p">);</span> <span class="nx">requestCounts</span><span class="p">.</span><span class="nf">set</span><span class="p">(</span><span class="nx">key</span><span class="p">,</span> <span class="nx">recentRequests</span><span class="p">);</span> <span class="k">return</span> <span class="kc">true</span><span class="p">;</span> <span class="p">}</span> <span class="c1">// POST /api/otp/request</span> <span class="nx">router</span><span class="p">.</span><span class="nf">post</span><span class="p">(</span><span class="dl">'</span><span class="s1">/request</span><span class="dl">'</span><span class="p">,</span> <span class="k">async </span><span class="p">(</span><span class="nx">req</span><span class="p">,</span> <span class="nx">res</span><span class="p">)</span> <span class="o">=&gt;</span> <span class="p">{</span> <span class="kd">const</span> <span class="p">{</span> <span class="nx">phoneNumber</span> <span class="p">}</span> <span class="o">=</span> <span class="nx">req</span><span class="p">.</span><span class="nx">body</span><span class="p">;</span> <span class="k">if </span><span class="p">(</span><span class="o">!</span><span class="nx">phoneNumber</span> <span class="o">||</span> <span class="o">!</span><span class="sr">/^</span><span class="se">\d{10,12}</span><span class="sr">$/</span><span class="p">.</span><span class="nf">test</span><span class="p">(</span><span class="nx">phoneNumber</span><span class="p">))</span> <span class="p">{</span> <span class="k">return</span> <span class="nx">res</span><span class="p">.</span><span class="nf">status</span><span class="p">(</span><span class="mi">400</span><span class="p">).</span><span class="nf">json</span><span class="p">({</span> <span class="na">success</span><span class="p">:</span> <span class="kc">false</span><span class="p">,</span> <span class="na">message</span><span class="p">:</span> <span class="dl">'</span><span class="s1">Valid phone number required</span><span class="dl">'</span> <span class="p">});</span> <span class="p">}</span> <span class="k">if </span><span class="p">(</span><span class="o">!</span><span class="nf">checkRateLimit</span><span class="p">(</span><span class="nx">phoneNumber</span><span class="p">))</span> <span class="p">{</span> <span class="k">return</span> <span class="nx">res</span><span class="p">.</span><span class="nf">status</span><span class="p">(</span><span class="mi">429</span><span class="p">).</span><span class="nf">json</span><span class="p">({</span> <span class="na">success</span><span class="p">:</span> <span class="kc">false</span><span class="p">,</span> <span class="na">message</span><span class="p">:</span> <span class="dl">'</span><span class="s1">Too many requests</span><span class="dl">'</span> <span class="p">});</span> <span class="p">}</span> <span class="k">try</span> <span class="p">{</span> <span class="kd">const</span> <span class="nx">otpData</span> <span class="o">=</span> <span class="nf">generateOTPWithExpiry</span><span class="p">();</span> <span class="c1">// Pass redisClient from app.locals or middleware</span> <span class="k">await</span> <span class="nf">storeOTP</span><span class="p">(</span><span class="nx">phoneNumber</span><span class="p">,</span> <span class="nx">otpData</span><span class="p">,</span> <span class="nx">req</span><span class="p">.</span><span class="nx">app</span><span class="p">.</span><span class="nx">locals</span><span class="p">.</span><span class="nx">redisClient</span><span class="p">);</span> <span class="k">await</span> <span class="nf">sendOTP</span><span class="p">(</span><span class="nx">phoneNumber</span><span class="p">,</span> <span class="nx">otpData</span><span class="p">.</span><span class="nx">code</span><span class="p">);</span> <span class="nx">res</span><span class="p">.</span><span class="nf">json</span><span class="p">({</span> <span class="na">success</span><span class="p">:</span> <span class="kc">true</span><span class="p">,</span> <span class="na">message</span><span class="p">:</span> <span class="dl">'</span><span class="s1">OTP sent successfully</span><span class="dl">'</span><span class="p">,</span> <span class="na">expiresAt</span><span class="p">:</span> <span class="nx">otpData</span><span class="p">.</span><span class="nx">expiresAt</span> <span class="p">});</span> <span class="p">}</span> <span class="k">catch </span><span class="p">(</span><span class="nx">error</span><span class="p">)</span> <span class="p">{</span> <span class="nx">console</span><span class="p">.</span><span class="nf">error</span><span class="p">(</span><span class="dl">'</span><span class="s1">OTP request error:</span><span class="dl">'</span><span class="p">,</span> <span class="nx">error</span><span class="p">);</span> <span class="nx">res</span><span class="p">.</span><span class="nf">status</span><span class="p">(</span><span class="mi">500</span><span class="p">).</span><span class="nf">json</span><span class="p">({</span> <span class="na">success</span><span class="p">:</span> <span class="kc">false</span><span class="p">,</span> <span class="na">message</span><span class="p">:</span> <span class="dl">'</span><span class="s1">Failed to send OTP</span><span class="dl">'</span> <span class="p">});</span> <span class="p">}</span> <span class="p">});</span> <span class="c1">// POST /api/otp/verify</span> <span class="nx">router</span><span class="p">.</span><span class="nf">post</span><span class="p">(</span><span class="dl">'</span><span class="s1">/verify</span><span class="dl">'</span><span class="p">,</span> <span class="k">async </span><span class="p">(</span><span class="nx">req</span><span class="p">,</span> <span class="nx">res</span><span class="p">)</span> <span class="o">=&gt;</span> <span class="p">{</span> <span class="kd">const</span> <span class="p">{</span> <span class="nx">phoneNumber</span><span class="p">,</span> <span class="nx">code</span> <span class="p">}</span> <span class="o">=</span> <span class="nx">req</span><span class="p">.</span><span class="nx">body</span><span class="p">;</span> <span class="k">try</span> <span class="p">{</span> <span class="kd">const</span> <span class="nx">storedData</span> <span class="o">=</span> <span class="k">await</span> <span class="nf">getOTP</span><span class="p">(</span><span class="nx">phoneNumber</span><span class="p">,</span> <span class="nx">req</span><span class="p">.</span><span class="nx">app</span><span class="p">.</span><span class="nx">locals</span><span class="p">.</span><span class="nx">redisClient</span><span class="p">);</span> <span class="k">if </span><span class="p">(</span><span class="o">!</span><span class="nx">storedData</span><span class="p">)</span> <span class="p">{</span> <span class="k">return</span> <span class="nx">res</span><span class="p">.</span><span class="nf">status</span><span class="p">(</span><span class="mi">400</span><span class="p">).</span><span class="nf">json</span><span class="p">({</span> <span class="na">success</span><span class="p">:</span> <span class="kc">false</span><span class="p">,</span> <span class="na">message</span><span class="p">:</span> <span class="dl">'</span><span class="s1">OTP expired or not found</span><span class="dl">'</span> <span class="p">});</span> <span class="p">}</span> <span class="k">if </span><span class="p">(</span><span class="nx">storedData</span><span class="p">.</span><span class="nx">attempts</span> <span class="o">&gt;=</span> <span class="mi">3</span><span class="p">)</span> <span class="p">{</span> <span class="k">await</span> <span class="nf">deleteOTP</span><span class="p">(</span><span class="nx">phoneNumber</span><span class="p">,</span> <span class="nx">req</span><span class="p">.</span><span class="nx">app</span><span class="p">.</span><span class="nx">locals</span><span class="p">.</span><span class="nx">redisClient</span><span class="p">);</span> <span class="k">return</span> <span class="nx">res</span><span class="p">.</span><span class="nf">status</span><span class="p">(</span><span class="mi">400</span><span class="p">).</span><span class="nf">json</span><span class="p">({</span> <span class="na">success</span><span class="p">:</span> <span class="kc">false</span><span class="p">,</span> <span class="na">message</span><span class="p">:</span> <span class="dl">'</span><span class="s1">Too many attempts. Request new OTP.</span><span class="dl">'</span> <span class="p">});</span> <span class="p">}</span> <span class="c1">// Constant-time comparison should be used here for max security</span> <span class="k">if </span><span class="p">(</span><span class="nx">storedData</span><span class="p">.</span><span class="nx">code</span> <span class="o">===</span> <span class="nx">code</span><span class="p">)</span> <span class="p">{</span> <span class="k">await</span> <span class="nf">deleteOTP</span><span class="p">(</span><span class="nx">phoneNumber</span><span class="p">,</span> <span class="nx">req</span><span class="p">.</span><span class="nx">app</span><span class="p">.</span><span class="nx">locals</span><span class="p">.</span><span class="nx">redisClient</span><span class="p">);</span> <span class="c1">// Generate JWT or Session here</span> <span class="k">return</span> <span class="nx">res</span><span class="p">.</span><span class="nf">json</span><span class="p">({</span> <span class="na">success</span><span class="p">:</span> <span class="kc">true</span><span class="p">,</span> <span class="na">message</span><span class="p">:</span> <span class="dl">'</span><span class="s1">Verified</span><span class="dl">'</span> <span class="p">});</span> <span class="p">}</span> <span class="k">else</span> <span class="p">{</span> <span class="k">await</span> <span class="nf">incrementAttempts</span><span class="p">(</span><span class="nx">phoneNumber</span><span class="p">,</span> <span class="nx">req</span><span class="p">.</span><span class="nx">app</span><span class="p">.</span><span class="nx">locals</span><span class="p">.</span><span class="nx">redisClient</span><span class="p">);</span> <span class="k">return</span> <span class="nx">res</span><span class="p">.</span><span class="nf">status</span><span class="p">(</span><span class="mi">400</span><span class="p">).</span><span class="nf">json</span><span class="p">({</span> <span class="na">success</span><span class="p">:</span> <span class="kc">false</span><span class="p">,</span> <span class="na">message</span><span class="p">:</span> <span class="dl">'</span><span class="s1">Invalid OTP</span><span class="dl">'</span> <span class="p">});</span> <span class="p">}</span> <span class="p">}</span> <span class="k">catch </span><span class="p">(</span><span class="nx">error</span><span class="p">)</span> <span class="p">{</span> <span class="nx">res</span><span class="p">.</span><span class="nf">status</span><span class="p">(</span><span class="mi">500</span><span class="p">).</span><span class="nf">json</span><span class="p">({</span> <span class="na">success</span><span class="p">:</span> <span class="kc">false</span><span class="p">,</span> <span class="na">message</span><span class="p">:</span> <span class="dl">'</span><span class="s1">Verification failed</span><span class="dl">'</span> <span class="p">});</span> <span class="p">}</span> <span class="p">});</span> <span class="nx">module</span><span class="p">.</span><span class="nx">exports</span> <span class="o">=</span> <span class="nx">router</span><span class="p">;</span> </code></pre> </div> <h2> Security Best Practices That Matter </h2> <p>Security in OTP systems goes beyond just generating random codes. Here are the practices that prevent real-world attacks:</p> <ol> <li> <strong>Constant-Time Comparison:</strong> Use <code>crypto.timingSafeEqual()</code> when verifying codes. This prevents timing attacks where an attacker guesses the code by measuring how long the server takes to reject incorrect digits.</li> <li> <strong>Progressive Delays:</strong> Implement exponential backoff. After a failed attempt, force a 5-second wait. After a second failure, force 15 seconds. This kills brute-force efficiency.</li> <li> <strong>Burn After Reading:</strong> Never reuse OTP codes. Once a code is verified, delete it immediately.</li> <li> <strong>Logging &amp; Monitoring:</strong> Track OTP request spikes. If a single IP requests OTPs for 100 different numbers, block it.</li> </ol> <h2> SMS vs Email: Making the Right Choice </h2> <p>The choice between SMS and email depends on your specific use case.</p> <ul> <li> <strong>SMS Advantages:</strong> High open rates (98%) and immediate delivery. It is ideal for transactional security where speed is critical. It also ties identity to a physical SIM card, which is harder to mass-compromise than email accounts.</li> <li> <strong>SMS Disadvantages:</strong> Cost per message (varies by country) and potential vulnerability to SIM swapping.</li> <li> <strong>Email Advantages:</strong> Free and global. Good for non-urgent verifications like initial account activation.</li> <li> <strong>Email Disadvantages:</strong> Slower delivery, spam folder issues, and higher risk of account compromise chains (if email is hacked, the user is vulnerable).</li> </ul> <p>For authentication, <strong>SMS generally wins</strong> because user experience relies on immediacy. Users stuck waiting 2 minutes for an email code will abandon your app.</p> <h2> Common Implementation Mistakes </h2> <p>Even experienced developers make predictable mistakes:</p> <ol> <li> <strong>Predictable RNG:</strong> Using <code>Math.random()</code> or time-based seeds allows attackers to predict future codes.</li> <li> <strong>Client-Side Validation Only:</strong> Never validate OTPs on the client. The verification logic must live on the server.</li> <li> <strong>Logging OTPs:</strong> Leaving <code>console.log(otp)</code> in your production code is a massive security hole. Use environment variables to ensure debug logs only run in development.</li> <li> <strong>Ignoring Rate Limits:</strong> Without rate limits, your SMS budget will be drained by bot attacks in minutes.</li> </ol> <h2> Conclusion </h2> <p>Building secure OTP authentication requires attention to multiple layers: cryptographically random code generation, reliable SMS delivery infrastructure, and proper storage with automatic expiration. The implementation we've covered gives you production-ready code that handles these scenarios while avoiding common pitfalls.</p> <p>As you build your system, remember to test with real phone numbers in your target markets, as SMS delivery behavior can vary significantly by region and carrier.</p> <p><em>About the author: I write about technical infrastructure and SaaS growth strategies. At Raza Engage, we build the communication APIs that power secure, real-time user interactions for businesses globally.</em></p> webdev sms verificaiton node