README

Advanced, secure OTP (Email/SMS/WhatsApp) for Laravel. Hashed codes, TTL, one-time use, rate limiting, drivers, rules, and clean API.

Features

Random OTP with configurable digits and TTL
Store only hashed codes
One-time use via consumed_at
Rate limit sending/verification
Attempts counter & lockout pattern
HMAC signature binding (purpose + destination)
Channels (Mail by default) + extend SMS/WhatsApp
Migration, Config publish, Facade, Rule
Framework-agnostic tests via Testbench + Pest

Install

composer require amreljako/laravel-otp
php artisan vendor:publish --tag=otp-config
php artisan migrate

Quick Start

use Otp;

Otp::send([
  'destination' => 'user@example.com',
  'purpose' => 'login',
  'channel' => 'mail', // or your sms/whatsapp driver
  // 'ttl' => 300, 'digits' => 6, 'max_attempts' => 5,
]);

Verify:

$ok = Otp::verify('user@example.com', 'login', $request->code);
if ($ok) { /* grant access */ } else { /* error */ }

Validation Rule

$request->validate([
  'email' => ['required','email'],
  'code'  => ['required', new \Amreljako\Otp\Rules\ValidOtp('email','login')],
]);

Create your own SMS/WhatsApp channel

class MySmsChannel implements \Amreljako\Otp\Contracts\OtpChannel {
  public function send(\Amreljako\Otp\DTO\OtpPayload $p): bool {
    // call provider API using $p->destination and $p->message()
    return true;
  }
}

Then register in config/otp.php:

'channels' => [
  'mail' => \Amreljako\Otp\Channels\MailChannel::class,
  'sms'  => \App\Otp\Channels\MySmsChannel::class,
],

Security

No plaintext codes stored
Expires with expires_at
One-time consumption
Throttle abuse with RateLimiter
Optional HMAC signature

See SECURITY.md to report vulnerabilities.

Testing

composer install
vendor/bin/pest

amreljako / laravel-otp

Maintainers

Package info

Statistics

Security

README

Features

Install

Quick Start

Validation Rule

Create your own SMS/WhatsApp channel

Security

Testing

License