Verify the code a customer entered against an otp_id from Send OTP.
Endpoint
POST https://xwialxkobwygraiddimj.supabase.co/functions/v1/public-api/v1/otp/verify
Request body
The otp_id returned when the code was sent.
The code the customer entered.
Response
Whether the code matched and hasn’t expired.
Only present when valid is false — attempts left before this otp_id locks.
curl https://xwialxkobwygraiddimj.supabase.co/functions/v1/public-api/v1/otp/verify \
-H "Authorization: Bearer tvk_live_xxxxxxxxxxxxxxxx" \
-H "Content-Type: application/json" \
-d '{ "otp_id": "3fa85f64-5717-4562-b3fc-2c963f66afa6", "code": "482913" }'
{
"valid": false,
"attempts_remaining": 3
}
Each otp_id allows a limited number of incorrect attempts (default 5). Once exhausted, verification returns the otp_max_attempts error instead of valid: false — send a new code rather than retrying indefinitely. An expired code returns otp_expired. Both are structured errors, not valid: false — see Errors.
What happens on success
A successful verification fires an otp.verified webhook event if you’ve registered one — see Webhooks.