Skip to main content
Senddio glossary · One-Time PasswordLast reviewed: May 2026

What is an OTP?

A one-time password (OTP) is a short, randomly-generated code that is valid only for a single use and a short period of time. Apps send OTPs by SMS, email or push notification to prove that a user owns the phone number or email address they signed up with.

Where OTPs are used

OTPs are most often used for two factor authentication (2FA) during login, for verifying a new phone number or email address, for authorising sensitive actions like password resets or large payments, and for guest checkout in e-commerce. The user receives a short code, types it back into the app, and the app confirms it matches what was sent.

Why OTPs work

OTPs work because the code is short, has a brief lifetime (usually 5 to 10 minutes), and can only be used once. An attacker who intercepts an old OTP cannot reuse it. The code is also tied to a specific user and channel, so guessing is statistically infeasible at scale.

Best practices for sending OTPs

Use 6 digits, valid for 10 minutes, single-use, rate-limited per phone number or email. Never log or display the code anywhere except to the intended user. Use a dedicated transactional sending channel with priority routing, because OTP delivery time directly affects login conversion.

How Senddio handles OTPs

Tag a send with type:otp and Senddio prioritises the message on its queue, redacts the code in the logs UI, and exposes a deterministic test-mode generator so your continuous integration tests can verify delivery without sending real messages. Typical end-to-end delivery in the US is under three seconds.

Related terms
A2P 10DLC Webhook
FAQ

OTP — FAQ

SMS OTP remains the most widely supported method and is acceptable for most consumer use cases. For high-security contexts (banking, crypto), pair SMS OTP with an authenticator app or hardware key. The risk to be aware of is SIM-swap attacks, where an attacker hijacks the victim's phone number.

Industry expectation is under five seconds. Under three seconds is excellent. Past ten seconds, login conversion drops sharply because users assume something is wrong and try again, which generates duplicate requests.

Senddio test-mode keys generate deterministic OTP codes. Your continuous integration tests send through Senddio with a test key, predict the code the system will produce, and assert it without anything reaching a real carrier.

Senddio handles the boring parts of OTP for you.

Free plan ships every channel and every AI feature. No card to start.

Start free Read the docs
300 emails/day · All 6 channels · AI credits · No card