OpsAgent

Verifying OTPs

The Verify OTP workflow action checks a submitted code against the most recently generated OTP for a contact.

Workflow Action: Verify OTP

Add the Verify OTP action after the point in your workflow where the contact submits their code. The action validates the code and returns the result so your workflow can branch accordingly.

What You Can Configure

When adding the Verify OTP action to your workflow, you can choose whether to automatically delete the OTP after successful verification. This is useful for compliance or data minimization requirements.

How Verification Works

When a code is submitted, the app checks it in this order:

  1. Looks up the code - finds the most recent unverified OTP for the contact
  2. Checks attempts - rejects if too many failed attempts have already been made
  3. Checks expiration - rejects if the code has passed its expiry time
  4. Compares the code - checks whether the submitted code matches (case-sensitive)
  5. Marks as verified - on success, records that verification is complete

Attempt Limiting

Each OTP allows a maximum of 5 verification attempts. After 5 incorrect submissions, the code is permanently locked regardless of whether it has expired. This prevents brute-force guessing.

Workflow Branching

After the Verify OTP action runs, you can branch your workflow based on the result:

  • Valid - the code matched and hasn't expired. Proceed with the verified action (e.g., confirm an email address, approve a transaction).
  • Expired - the code was correct but has passed its expiry time. You might offer to resend a new code.
  • Invalid - the wrong code was entered. You can allow the contact to retry, or lock them out if they've used too many attempts.

The action also tells you how many attempts remain, which you can use to show a warning before lockout.
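The check order, the 5-attempt limit and the three branch results described above, written out as an added Python example (not OpsAgent's own code). The `Otp` record, the `store` dictionary and the `verify_otp` and `demo` names are hypothetical; the example also assumes that an expired submission is not counted as a failed attempt, that a missing OTP is reported as invalid, and that the comparison is constant-time, none of which the page states.

```python
import hmac
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone

MAX_ATTEMPTS = 5  # per-OTP limit stated on this page

@dataclass(eq=False)
class Otp:  # hypothetical record shape, not OpsAgent's schema
    code: str
    created_at: datetime
    expires_at: datetime
    failed_attempts: int = 0
    verified: bool = False

def verify_otp(store, contact_id, submitted, now, delete_on_success=False):
    """Return (result, attempts_remaining) following the page's check order."""
    # 1. Look up the most recent unverified OTP for the contact.
    pending = [o for o in store.get(contact_id, []) if not o.verified]
    if not pending:
        return "invalid", 0  # assumption: no pending OTP is treated as invalid
    otp = max(pending, key=lambda o: o.created_at)
    # 2. Attempt check runs before anything else, so a locked code stays
    #    locked even when the correct value is submitted afterwards.
    if otp.failed_attempts >= MAX_ATTEMPTS:
        return "invalid", 0
    # 3. Expiration check. Assumption: an expired submission is not counted.
    if now >= otp.expires_at:
        return "expired", MAX_ATTEMPTS - otp.failed_attempts
    # 4. Case-sensitive comparison; compare_digest avoids a timing side channel.
    if not hmac.compare_digest(submitted.encode(), otp.code.encode()):
        otp.failed_attempts += 1
        return "invalid", MAX_ATTEMPTS - otp.failed_attempts
    # 5. Mark as verified; optionally delete the record (data minimization).
    otp.verified = True
    if delete_on_success:
        store[contact_id].remove(otp)
    return "valid", MAX_ATTEMPTS - otp.failed_attempts

def demo():  # constructed sample data: five wrong-case guesses, then the right code
    t0 = datetime(2024, 1, 1, tzinfo=timezone.utc)
    store = {"c1": [Otp("aB3dE9", t0, t0 + timedelta(minutes=10))]}
    wrong = [verify_otp(store, "c1", "ab3de9", t0) for _ in range(5)]
    return wrong, verify_otp(store, "c1", "aB3dE9", t0)
```

In `demo()`, the correct code submitted after the fifth failure is still rejected, which is the lockout behaviour the Attempt Limiting section describes.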