Two-factor auth,
made simple
Send a 6-digit code by email, verify it on the way back. No SMS bill, no Twilio, no authenticator app required.
Everything in two API calls
Generation, hashing, expiry, single-use semantics, rate limiting — all handled. Your app just sends and verifies.
Two API calls
POST `/2fa/send`, POST `/2fa/verify`. That is the entire integration — no webhooks, no state to track.
send · verify
6-digit OTPs
Cryptographically random 6-digit codes generated on our side. Delivered straight to the user’s inbox.
10⁶ keyspace
Hashed & expiring
Codes are SHA-256 hashed at rest, single-use, and auto-expire after 10 minutes. Failed attempts invalidate after 5 tries.
SHA-256 · TTL 10min
Rate-limited
Built-in abuse protection: 5 codes per email per 10-minute window. No extra config needed.
5 / 10 min
No SMS bill
Email delivery — no per-SMS charge, no Twilio account, no carrier lock-in. Predictable monthly pricing.
No carrier fees
Bring your own email
Set `delivery: "api"` and we hand you the code in the response — send it through your own ESP for full branding control.
delivery: "api"
Why add 2FA at all
A password alone isn’t enough anymore. A second factor stops the most common SaaS attack and unlocks compliance in regulated industries.
Stop account takeover
Credential stuffing is the most common SaaS attack vector. A second factor breaks the attack chain — even if a password leaks.
Verify ownership
Confirm the user actually controls the email they signed up with. Stops typosquatting, fraud, and ghost accounts.
Cut password resets
Magic-link-style sign-in via OTP removes the “forgot password” loop. Less friction for users, less work for support.
Skip the Twilio bill
SMS 2FA runs $0.01–$0.15 per code depending on country. Email OTP runs flat-rate on your VerifyKit plan.
Meet auth regulations
PSD2 SCA, NIST 800-63, HIPAA, SOC 2 all push MFA. Email OTP counts as a “something you have” factor for most audits.
No app required
Works for every user without installing an authenticator app. Lower drop-off than TOTP, especially on first sign-in.
VerifyKit gives you the building blocks. Treating email OTP as a valid second factor under each framework is your call.
Validate the email
before you send the code
No point firing an OTP at user@gmial.com. Validate first, save the send, fix the typo, and only then verify.
- SMTP-confirmed mailboxes only
- Suggest typo fixes before the user submits
- Stop wasting OTP sends on invalid addresses
Create your account
Start your free trial
Already have an account? Sign in
2FA included from Growth
No per-code fees. 2FA is bundled into every plan from Growth up. Cancel anytime · 14-day money-back guarantee.
Growth
- 25,000 codes / month
- SHA-256 hashed codes
- 10-min auto-expiry
- Rate limiting included
Pro
- 50,000 codes / month
- Bring-your-own-email mode
- Webhooks & callbacks
- Unlimited API keys
Unlimited
- 100,000 codes / month
- All Pro features
- Fair-use up to 5M validations
- Dedicated support
Need more than 100k codes / month? Get in touch — we'll work out a plan that fits.
Ship 2FA this afternoon
Two endpoints. Six digits. Ten minutes. Get your API key and start verifying.