The latest articles on DEV Community by Tom Brown (@tomdevbrown). https://dev.to/tomdevbrown https://media2.dev.to/dynamic/image/width=90,height=90,fit=cover,gravity=auto,format=auto/https:%2F%2Fdev-to-uploads.s3.us-east-2.amazonaws.com%2Fuploads%2Fuser%2Fprofile_image%2F3990779%2F2d59ebfb-5c00-45e7-a925-6a989c57de9d.png https://dev.to/tomdevbrown en Tom Brown Thu, 18 Jun 2026 11:24:19 +0000 https://dev.to/tomdevbrown/how-to-make-production-ready-otp-handling-system-1g5e https://dev.to/tomdevbrown/how-to-make-production-ready-otp-handling-system-1g5e <p>Handling an OTP (One-Time Password) flow requires a clean sequence so you don't run into race conditions, like a user trying to verify a token before it's securely saved in your state or database.</p> <p>Here is how you structure a production-ready OTP management lifecycle using <code>auth-verify</code>.</p> <h2> Installation </h2> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code>npm <span class="nb">install </span>auth-verify </code></pre> </div> <h2> Initialize the library: </h2> <h3> Step 1. </h3> <p>First, bring in the library and configure the token storage. For development, memory works fine, but use redis or a database token store in production so your OTPs survive server restarts.<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight javascript"><code><span class="kd">const</span> <span class="nx">AuthVerify</span> <span class="o">=</span> <span class="nf">require</span><span class="p">(</span><span class="dl">"</span><span class="s2">auth-verify</span><span class="dl">"</span><span class="p">);</span> <span class="kd">const</span> <span class="nx">auth</span> <span class="o">=</span> <span class="k">new</span> <span class="nc">AuthVerify</span><span class="p">({</span> <span class="na">storeTokens</span><span class="p">:</span> <span class="dl">"</span><span class="s2">memory</span><span class="dl">"</span><span class="p">,</span> <span class="c1">// 'redis' is highly recommended for production</span> <span class="na">expiresIn</span><span class="p">:</span> <span class="dl">"</span><span class="s2">5m</span><span class="dl">"</span> <span class="c1">// OTP automatically expires after 5 minutes</span> <span class="p">});</span> </code></pre> </div> <h2> Configure your transport channel: </h2> <h3> Step 2. </h3> <p>Set up how the OTP actually gets to the user. You need to provide your service credentials (like SMTP for emails or API keys for SMS).<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight javascript"><code><span class="nx">auth</span><span class="p">.</span><span class="nx">otp</span><span class="p">.</span><span class="nf">sender</span><span class="p">({</span> <span class="na">via</span><span class="p">:</span> <span class="dl">'</span><span class="s1">email</span><span class="dl">'</span><span class="p">,</span> <span class="na">sender</span><span class="p">:</span> <span class="dl">'</span><span class="s1">app@yourdomain.com</span><span class="dl">'</span><span class="p">,</span> <span class="na">pass</span><span class="p">:</span> <span class="nx">process</span><span class="p">.</span><span class="nx">env</span><span class="p">.</span><span class="nx">EMAIL_APP_PASSWORD</span><span class="p">,</span> <span class="na">service</span><span class="p">:</span> <span class="dl">'</span><span class="s1">gmail</span><span class="dl">'</span> <span class="c1">// or custom SMTP settings</span> <span class="p">});</span> </code></pre> </div> <h2> Generate and send the OTP: </h2> <h3> Step 3. </h3> <p>Trigger this inside your <code>login/registration</code> route. The library automatically generates a secure crypto-random numeric code, maps it to the identifier (email/phone), and sends it out.<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight javascript"><code><span class="nx">app</span><span class="p">.</span><span class="nf">post</span><span class="p">(</span><span class="dl">"</span><span class="s2">/api/auth/request-otp</span><span class="dl">"</span><span class="p">,</span> <span class="k">async </span><span class="p">(</span><span class="nx">req</span><span class="p">,</span> <span class="nx">res</span><span class="p">)</span> <span class="o">=&gt;</span> <span class="p">{</span> <span class="kd">const</span> <span class="p">{</span> <span class="nx">email</span> <span class="p">}</span> <span class="o">=</span> <span class="nx">req</span><span class="p">.</span><span class="nx">body</span><span class="p">;</span> <span class="k">try</span> <span class="p">{</span> <span class="kd">const</span> <span class="nx">success</span> <span class="o">=</span> <span class="k">await</span> <span class="nx">auth</span><span class="p">.</span><span class="nx">otp</span><span class="p">.</span><span class="nf">send</span><span class="p">(</span><span class="nx">email</span><span class="p">);</span> <span class="k">if </span><span class="p">(</span><span class="o">!</span><span class="nx">success</span><span class="p">)</span> <span class="k">return</span> <span class="nx">res</span><span class="p">.</span><span class="nf">status</span><span class="p">(</span><span class="mi">500</span><span class="p">).</span><span class="nf">json</span><span class="p">({</span> <span class="na">error</span><span class="p">:</span> <span class="dl">"</span><span class="s2">Failed to send OTP</span><span class="dl">"</span> <span class="p">});</span> <span class="nx">res</span><span class="p">.</span><span class="nf">json</span><span class="p">({</span> <span class="na">message</span><span class="p">:</span> <span class="dl">"</span><span class="s2">OTP sent successfully!</span><span class="dl">"</span> <span class="p">});</span> <span class="p">}</span> <span class="k">catch </span><span class="p">(</span><span class="nx">err</span><span class="p">)</span> <span class="p">{</span> <span class="nx">res</span><span class="p">.</span><span class="nf">status</span><span class="p">(</span><span class="mi">500</span><span class="p">).</span><span class="nf">json</span><span class="p">({</span> <span class="na">error</span><span class="p">:</span> <span class="nx">err</span><span class="p">.</span><span class="nx">message</span> <span class="p">});</span> <span class="p">}</span> <span class="p">});</span> </code></pre> </div> <h2> Verify the user's input: </h2> <h3> Step 4. </h3> <p>When the user submits the code from their screen, pass their identifier and the code to <code>.verify()</code>. The library automatically checks if the code matches, handles the expiration window, and destroys the OTP on success to prevent reuse.<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight javascript"><code><span class="nx">app</span><span class="p">.</span><span class="nf">post</span><span class="p">(</span><span class="dl">"</span><span class="s2">/api/auth/verify-otp</span><span class="dl">"</span><span class="p">,</span> <span class="k">async </span><span class="p">(</span><span class="nx">req</span><span class="p">,</span> <span class="nx">res</span><span class="p">)</span> <span class="o">=&gt;</span> <span class="p">{</span> <span class="kd">const</span> <span class="p">{</span> <span class="nx">email</span><span class="p">,</span> <span class="nx">code</span> <span class="p">}</span> <span class="o">=</span> <span class="nx">req</span><span class="p">.</span><span class="nx">body</span><span class="p">;</span> <span class="k">try</span> <span class="p">{</span> <span class="kd">const</span> <span class="nx">isValid</span> <span class="o">=</span> <span class="k">await</span> <span class="nx">auth</span><span class="p">.</span><span class="nx">otp</span><span class="p">.</span><span class="nf">verify</span><span class="p">(</span><span class="nx">email</span><span class="p">,</span> <span class="nx">code</span><span class="p">);</span> <span class="k">if </span><span class="p">(</span><span class="o">!</span><span class="nx">isValid</span><span class="p">)</span> <span class="p">{</span> <span class="k">return</span> <span class="nx">res</span><span class="p">.</span><span class="nf">status</span><span class="p">(</span><span class="mi">400</span><span class="p">).</span><span class="nf">json</span><span class="p">({</span> <span class="na">error</span><span class="p">:</span> <span class="dl">"</span><span class="s2">Invalid or expired OTP</span><span class="dl">"</span> <span class="p">});</span> <span class="p">}</span> <span class="c1">// OTP is valid! Mint your JWT or log the user in here</span> <span class="nx">res</span><span class="p">.</span><span class="nf">json</span><span class="p">({</span> <span class="na">success</span><span class="p">:</span> <span class="kc">true</span><span class="p">,</span> <span class="na">message</span><span class="p">:</span> <span class="dl">"</span><span class="s2">Authenticated!</span><span class="dl">"</span> <span class="p">});</span> <span class="p">}</span> <span class="k">catch </span><span class="p">(</span><span class="nx">err</span><span class="p">)</span> <span class="p">{</span> <span class="nx">res</span><span class="p">.</span><span class="nf">status</span><span class="p">(</span><span class="mi">500</span><span class="p">).</span><span class="nf">json</span><span class="p">({</span> <span class="na">error</span><span class="p">:</span> <span class="nx">err</span><span class="p">.</span><span class="nx">message</span> <span class="p">});</span> <span class="p">}</span> <span class="p">});</span> </code></pre> </div> <h2> 💡 Production Gotchas to Keep in Mind </h2> <p><strong>Rate Limiting:</strong> <code>auth-verify</code> handles the generation and verification, but it won't stop a malicious actor from hitting your /request-otp endpoint 10,000 times to blow up your email/SMS billing. Always wrap your OTP routes in a rate-limiter middleware like express-rate-limit.</p> <p><strong>Replay Attacks:</strong> The library automatically handles deleting the OTP token storage space upon a successful validation so that the exact same code cannot be used twice.</p> javascript node security tutorial