Skip to main content
Verify the code a customer entered against an otp_id from Send OTP.

Endpoint

POST https://xwialxkobwygraiddimj.supabase.co/functions/v1/public-api/v1/otp/verify

Request body

otp_id
string
required
The otp_id returned when the code was sent.
code
string
required
The code the customer entered.

Response

valid
boolean
Whether the code matched and hasn’t expired.
attempts_remaining
integer
Only present when valid is false — attempts left before this otp_id locks.
cURL
curl https://xwialxkobwygraiddimj.supabase.co/functions/v1/public-api/v1/otp/verify \
  -H "Authorization: Bearer tvk_live_xxxxxxxxxxxxxxxx" \
  -H "Content-Type: application/json" \
  -d '{ "otp_id": "3fa85f64-5717-4562-b3fc-2c963f66afa6", "code": "482913" }'
Response (correct code)
{
  "valid": true
}
Response (wrong code)
{
  "valid": false,
  "attempts_remaining": 3
}
Each otp_id allows a limited number of incorrect attempts (default 5). Once exhausted, verification returns the otp_max_attempts error instead of valid: false — send a new code rather than retrying indefinitely. An expired code returns otp_expired. Both are structured errors, not valid: false — see Errors.

What happens on success

A successful verification fires an otp.verified webhook event if you’ve registered one — see Webhooks.