One-time password (OTP) API¶
The one-time password (OTP) authentication system provides APIs for OTP sending and OTP verification, allowing you to apply OTP authentication to your game.
URL¶
| Server | URL |
|---|---|
| Production | https://otp.qpyou.cn |
| Sandbox | https://sandbox-otp.qpyou.cn |
Authentication methods¶
To use the APIs provided by the OTP sending system, you must first obtain an authentication token (API KEY). The authentication token is created automatically when the game is registered in App Center. The authentication token follows the JSON Web Token (JWT) specification and can be used indefinitely because it has no expiration time.
Send OTP¶
Send OTP messages via short message service (SMS)¶
- Basic Info
| Method | POST |
|---|---|
| URL | /otp/send |
- Request Header
| Field | Type |
|---|---|
| Content-Type | application/json |
| Authorization | bearer |
| Topic | The Sending ID registered or modified in Hive Console > Notification > SMS OTP > Sending information settings |
- Callback required when you send OTP SMS directly
If the app developer sends OTP SMS messages directly instead of having the OTP system send them, you can receive the information required for sending via a callback. If you select Direct sending in Hive Console > Notification > SMS OTP > Sending information settings, the data below is delivered in JSON format in the request body to the registered callback URL. For the setup procedure, see Direct sending. Also review the sample callback request and the data sent.
- Request Body
| Field | Type | Required | Description |
|---|---|---|---|
| to | String | O | The receiver's phone number |
| toCountryNo | String | O | The receiver's country code |
| retry | Boolean | X | This field indicates the existence of your trial to send OTP SMS to the same receiver via this API. If this field is left empty, it is set to true if this API was called more than once for the same receiver within the last 5 minutes, and set to false if not. |
| lookup | Boolean | X | This field indicates whether to verify to is in valid format for a phone number, and the default values is false. If it is true, the API response time would approximately be 250ms ~ 2000ms due to the verification process, and normally within 200ms if it is false. |
| lang | String | X | This is language code, and the default value is en. the valid language codes:
|
- Response Header
| Field | Type |
|---|---|
| Content-Type | application/json |
- Response Body
| Field | Type | Description |
|---|---|---|
| otp | String | OTP number |
| provider | String | SMS provider |
| expiry | String | OTP validity time |
| expiryTimestamp | Long | OTP expiration timestamp (in seconds) |
- Request Sample
The following example shows how to call the OTP SMS sending API with the Topic header and recipient information.
//sample 1
curl --location 'https://otp.qpyou.cn/otp/send'
--header 'Authorization: Bearer AUTH_TOKNE_VALUE'
--header 'Topic: testTopicName'
--header 'Content-Type: application/json'
--data '{
"to" : "01012345678",
"toCountryNo" : "82",
"lang" : "ko"
}'
//sample 2
curl --location 'https://otp.qpyou.cn/otp/send'
--header 'Authorization: Bearer AUTH_TOKNE_VALUE'
--header 'Topic: testTopicName'
--header 'Content-Type: application/json'
--data '{
"to" : "01012345678",
"toCountryNo" : "82",
"lang" : "ko",
"retry" : true,
"lookup" : true
}'
- Response Sample
When an OTP SMS sending request is processed successfully, you receive the following response body.
{
"otp" : "123456",
"provider" : "YOUR_SMS_PROVIDER",
"expiry" : "2026-03-23T11:00:48.533695818+09:00",
"expiryTimestamp" : 1774231248
}
Callback example¶
If the app developer is configured for direct sending, the registered callback URL receives the following request body.
curl --location 'https://{your_callback_url}'
--header 'Content-Type: application/json'
--data '{
"to":"01012345678",
"toCountryNo":"82",
"lang":"en",
"retry":null,
"lookup":false,
"serviceName":"LocalTest",
"otp":"809881",
"provider":"DIRECTSEND",
"expiry":"2024-06-26T11:36:29.680680500+09:00[Asia/Seoul]",
"expiryTimestamp":1719369389680
}'
Callback data informaton¶
| NAME | TYPE | REQUIRED | DESCRIPTION |
|---|---|---|---|
| expiry | String | Yes | OTP validity period (e.g., 2024-06-25T11:39:43.076573600+09:00[Asia/Seoul]) |
| expiryTimestamp | Long | O | OTP expiration timestamp (in milliseconds) (Example: 1719283183076) |
| lang | String | No | Language code, default is en |
| lookup | boolean | No | Verify if the to value is a valid phone number format, default is false |
| otp | String | Yes | OTP numvber |
| provider | String | Yes | SMS provider, fixed value DIRECTSEND is used for direct sending |
| retry | boolean | No | Retry option |
| serviceName | String | Yes | Service name set in the sending information settings menu (in English) |
| to | String | Yes | Recipient phone number |
| toCountryNo | String | Yes | Recipient country code |
Error response codes¶
| HTTP Status | id | error | Description |
|---|---|---|---|
| 400 | 40004 | VALIDATION_FAIL | Returned when request body validation fails. |
| 400 | 40003 | INVALID_PHONE_NUMBER | Returned when phone number validation fails. |
| 422 | 42202 | NO_TOPIC | Returned when the value passed in the Topic header is invalid. |
| 409 | 40902 | DUPLICATE_OTP_EXISTS | If a duplicate OTP issuance request for the same verification target is detected within a certain period, the DUPLICATE_OTP_EXISTS error is returned. Try again after up to 15 seconds. |
| 429 | 42903 | SMS_LIMIT_EXCEEDED | Returned when requests exceed the sending limit configured for the same number within 24 hours. The response message may include the configured limit value. |
When the Topic value is invalid¶
This error occurs when the Topic value in the request header does not match the Sending ID registered in Hive Console. Check the Topic header value and the Sending ID registered in Hive Console > Notification > SMS OTP > Sending information settings.
When the same OTP is generated twice¶
If you send the same request twice within the same time window, the same OTP is generated. In this case, the first request succeeds and the second fails with DUPLICATE_OTP_EXISTS. Send the same request again in the next time window after the current one ends.
{
"id" : 40902,
"error" : "DUPLICATE_OTP_EXISTS",
"reason" : "Already sent OTP to this phone number."
}
When the 24-hour sending limit is exceeded¶
This error occurs when the number of sends allowed to the same phone number within 24 hours is exceeded. This limit is not fixed. The count in the response message in the example below is only an example of the configured limit value. Check the daily sending limit in Hive Console > Notification > SMS OTP > Sending information settings.
{
"id" : 42903,
"error" : "SMS_LIMIT_EXCEEDED",
"reason" : "Too many requests in 24 hours. (Can not exceed 10 times)"
}
Verify OTP¶
| Method | POST |
|---|---|
| URL | /otp/verify |
- Request Header
| Field | Type |
|---|---|
| Content-Type | application/json |
| Authorization | bearer |
| Topic | The Sending ID registered or modified in Hive Console > Notification > SMS OTP > Sending information settings |
- Request Body
| Field | Type | Required | Description |
|---|---|---|---|
| toCountryNo | String | O | Recipient country code |
| to | String | O | Recipient phone number |
| otp | String | O | Received OTP |
- Response Header
| Field | Type |
|---|---|
| Content-Type | application/json |
- Response Body
| Field | Type | Desctiprion |
|---|---|---|
| result | boolean | OTP verification result |
- Request Sample 1
The following example shows how to verify an OTP by passing the recipient phone number and OTP code.
// sample 1
curl --location 'https://otp.qpyou.cn/otp/verify'
--header 'Authorization: bearer AUTH_TOKEN_VALUE'
--header 'Topic: testTopicName'
--header 'Content-Type: application/json'
--data '{
"toCountryNo" : "82",
"to" : "01036012891",
"otp" : "123456"
}'
- Response Sample
If the OTP matches, the response body is as follows.