
One Time Passwords


Customers of DailyStory can utilize their DailyStory email and SMS marketing settings to add one time password (OTP) support for their own applications.

What is a one time password?

A One-Time Password (OTP) is a security mechanism where a user is given a password (or numeric code) that is valid for only one login session or transaction. After it's used—or after a short time window—it becomes invalid.

Important

The following content includes examples that use the DailyStory API.  An API key is required.   

Generating a One Time Password

Make an HTTP POST request to the Send One Time Password API endpoint. The request must include an email address, a mobile number, or both. If both are present, it defaults to SMS first.

For example:

HTTP POST https://us-s.dailystory.com/api/v1/verification/?email=test@example.com&mobile=15551234567899

HTTP 200 OK
{
  "Status": true,
  "Message": "",
  "Response": {
    "dsid": "3c095687f9c844d58826d5a4e994215d"
  }
}

The recipient will receive an SMS or email with a 6-character OTP code that is valid for 15 minutes.

Send Cooldown

Once an OTP is sent to a mobile number, the API enforces a 5-minute cooldown before another OTP can be sent to the same number. A POST request made within the cooldown window returns HTTP 200 with an empty response and no OTP is sent.

Recommended

Store the dsid returned from the send request and prompt the user to check their email or SMS before allowing a resend attempt.  

Rate Limiting

To prevent abuse, DailyStory enforces a rate limit on OTP generation per contact. If 10 or more OTP requests are made for the same contact within a 3-hour window, the contact is locked out and further requests will return an error until the window expires.

HTTP 400
{
  "Status": false,
  "Message": "The maximum number of unsuccessful OTP attempts was exceeded.",
  "Response": {}
}

Validating a One Time Password

To validate an OTP you will need both the OTP code and the dsid associated with the OTP.

Make an HTTP GET request to the validation API URL. The dsid is part of the URL path, and the OTP that was received is passed in the otp query parameter.

For example, to verify the OTP 629316 for the dsid 3c095687f9c844d58826d5a4e994215d:

GET https://us-1.dailystory.com/api/v1/verification/3c095687f9c844d58826d5a4e994215d?otp=629316

HTTP 200 OK
{
  "Status": true,
  "Message": "The OTP is valid.",
  "Response": {}
}

If the OTP is invalid, or the validation fails:

HTTP 400
{
  "Status": false,
  "Message": "The OTP is invalid.",
  "Response": {}
}

Single-Use

An OTP is immediately invalidated after a successful validation and cannot be reused. Any subsequent validation attempt with the same code will return an invalid response.

Expiry

OTPs are valid for 15 minutes from the time they are generated. An expired OTP returns the same invalid response as an incorrect code — the two cases are not distinguished in the API response.

Error Responses

The following table summarizes error conditions returned by the OTP API:

| Condition | HTTP Status | Message |
| --- | --- | --- |
| Invalid email format | 400 | Cannot send OTP to contact with an invalid email address |
| Invalid mobile number format | 400 | Cannot send OTP to contact with an invalid mobile phone number |
| Rate limit exceeded | 400 | The maximum number of unsuccessful OTP attempts was exceeded. |
| OTP expired | 400 | The OTP is invalid. |
| OTP incorrect | 400 | The OTP is invalid. |
| No pending OTP for dsid | 400 | The OTP is invalid. |

Frequently Asked Questions

Below are some frequently asked questions about one time passwords in DailyStory.

What happens when an OTP expires?

After 15 minutes the OTP is no longer valid. Attempting to validate an expired OTP returns the same invalid response as an incorrect code. The user must request a new OTP.

Can the same OTP be used more than once?

No. An OTP is deleted immediately after a successful validation. Any subsequent attempt to use the same code will return an invalid response.

What triggers the rate limit lockout?

10 or more OTP generation requests for the same contact within a 3-hour window will trigger a lockout. The lockout clears automatically after the 3-hour window expires.

Why didn't my customer receive a new OTP?

A 5-minute cooldown is enforced between sends to the same mobile number. If a send request is made within that window, the API returns a successful response but no OTP is sent. Ask the customer to wait 5 minutes before requesting a new code.

What happens if an invalid or mismatched OTP is provided during validation?

If an incorrect OTP (e.g., 123456) is submitted and does not match the code assigned to the contact, the current OTP is immediately invalidated. Even if a subsequent attempt uses the correct code, the validation will fail because the previous mismatch triggered a security reset.
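
The send, cooldown, lockout and validation rules described in this article, combined into client-side state handling as an added example (not DailyStory code). It only interprets status codes and JSON bodies in the shapes shown above, so the HTTP call and API key handling are left to the caller. OtpFlow, its method names, and the reading of "empty response" as an HTTP 200 without a dsid are assumptions.

```python
import json
import time

COOLDOWN_S = 5 * 60   # page: 5-minute cooldown between sends to one mobile number
OTP_TTL_S = 15 * 60   # page: a code is valid for 15 minutes
LOCKOUT_MSG = "The maximum number of unsuccessful OTP attempts was exceeded."


def _parse(body):
    """Return the JSON envelope as a dict; an empty or non-JSON body yields {}."""
    try:
        doc = json.loads(body) if body and body.strip() else {}
    except ValueError:
        return {}
    return doc if isinstance(doc, dict) else {}


class OtpFlow:
    """Client-side state for one contact (hypothetical helper, not a DailyStory SDK)."""

    def __init__(self, clock=time.time):
        self.clock, self.dsid, self.sent_at, self.usable = clock, None, None, False

    def on_send(self, status, body):
        """Classify a send response: sent, cooldown, locked_out or rejected."""
        doc = _parse(body)
        response = doc.get("Response") or {}
        dsid = response.get("dsid") if isinstance(response, dict) else None
        if status == 200 and dsid:
            self.dsid, self.sent_at, self.usable = dsid, self.clock(), True
            return "sent"
        if status == 200:
            return "cooldown"      # HTTP 200 without a dsid: nothing was sent
        return "locked_out" if doc.get("Message") == LOCKOUT_MSG else "rejected"

    def resend_wait(self):
        """Seconds left before a resend to the same mobile number can succeed."""
        if self.sent_at is None:
            return 0
        return max(0, COOLDOWN_S - (self.clock() - self.sent_at))

    def can_verify(self):
        """True while the stored code is unused, not mismatched and not expired."""
        return self.usable and self.clock() - self.sent_at < OTP_TTL_S

    def on_verify(self, status, body):
        """Record a validation result; success and mismatch both end this code."""
        self.usable = False
        return status == 200 and _parse(body).get("Status") is True
```

Gate the "Resend code" control on resend_wait() and the code entry form on can_verify(), so the application never offers a resend that would be silently dropped or a second guess against a code that a mismatch has already invalidated.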

