Email OTP 2FA

Two-factor auth,
made simple

Send a 6-digit code by email, verify it on the way back. No SMS bill, no Twilio, no authenticator app required.

Everything in two API calls

Generation, hashing, expiry, single-use semantics, rate limiting — all handled. Your app just sends and verifies.

Two API calls

POST `/2fa/send`, POST `/2fa/verify`. That is the entire integration — no webhooks, no state to track.

send · verify

6-digit OTPs

Cryptographically random 6-digit codes generated on our side. Delivered straight to the user’s inbox.

10⁶ keyspace

Hashed & expiring

Codes are SHA-256 hashed at rest, single-use, and auto-expire after 10 minutes. Failed attempts invalidate after 5 tries.

SHA-256 · TTL 10min

Rate-limited

Built-in abuse protection: 5 codes per email per 10-minute window. No extra config needed.

5 / 10 min

No SMS bill

Email delivery — no per-SMS charge, no Twilio account, no carrier lock-in. Predictable monthly pricing.

No carrier fees

Bring your own email

Set `delivery: "api"` and we hand you the code in the response — send it through your own ESP for full branding control.

delivery: "api"

Why it matters

Why add 2FA at all

A password alone isn’t enough anymore. A second factor stops the most common SaaS attack and unlocks compliance in regulated industries.

Stop account takeover

Credential stuffing is the most common SaaS attack vector. A second factor breaks the attack chain — even if a password leaks.

Verify ownership

Confirm the user actually controls the email they signed up with. Stops typosquatting, fraud, and ghost accounts.

Cut password resets

Magic-link-style sign-in via OTP removes the “forgot password” loop. Less friction for users, less work for support.

Skip the Twilio bill

SMS 2FA runs $0.01–$0.15 per code depending on country. Email OTP runs flat-rate on your VerifyKit plan.

Meet auth regulations

PSD2 SCA, NIST 800-63, HIPAA, SOC 2 all push MFA. Email OTP counts as a “something you have” factor for most audits.

No app required

Works for every user without installing an authenticator app. Lower drop-off than TOTP, especially on first sign-in.

VerifyKit gives you the building blocks. Treating email OTP as a valid second factor under each framework is your call.

Pairs with

Validate the email
before you send the code

No point firing an OTP at user@gmial.com. Validate first, save the send, fix the typo, and only then verify.

  • SMTP-confirmed mailboxes only
  • Suggest typo fixes before the user submits
  • Stop wasting OTP sends on invalid addresses

Create your account

Start your free trial

your@email.com
or

Already have an account? Sign in

2FA included from Growth

No per-code fees. 2FA is bundled into every plan from Growth up. Cancel anytime · 14-day money-back guarantee.

20% off · first 3 months

Growth

$15.20/ mo
$1920% off
$0.0008 / code
  • 25,000 codes / month
  • SHA-256 hashed codes
  • 10-min auto-expiry
  • Rate limiting included
Get Growth
20% off · first 3 months

Pro

$39.20/ mo
$4920% off
$0.001 / code
  • 50,000 codes / month
  • Bring-your-own-email mode
  • Webhooks & callbacks
  • Unlimited API keys
Start with Pro
20% off · first 3 months

Unlimited

$199.20/ mo
$24920% off
$0.003 / code
  • 100,000 codes / month
  • All Pro features
  • Fair-use up to 5M validations
  • Dedicated support
Get Unlimited

Need more than 100k codes / month? Get in touch — we'll work out a plan that fits.

Ship 2FA this afternoon

Two endpoints. Six digits. Ten minutes. Get your API key and start verifying.