Hash-only OTP
Codes are stored as hashes and never appear in regular platform logs.
OTPilot is a delivery and verification layer. It confirms channel ownership and returns a signed result without becoming your auth server.
Codes are stored as hashes and never appear in regular platform logs.
Clients are authenticated without raw tokens stored on the server.
Receivers verify the HMAC signature and timestamp before trusting the payload.
Requests are bounded against abuse and code brute force.
Delivery attempts and verification events form a reliable audit trail.
The route considers channel availability, client settings, and user choice.
Authentication and authorization are yours. OTPilot only returns the challenge result: approved, failed, or expired.
OTPilot stores only what a code check needs, limits the challenge lifetime, signs events, and separates the verification result from your auth decisions.
Only what the challenge and the audit need is stored.
Event and delivery-log retention follows the client policy.
Results and webhooks are verifiable by signature.
OTPilot confirms the challenge, the access decision stays in your product.
For a pilot and a production launch we agree on the boundaries in advance:
We will walk through the data model, webhook signatures, retention, rate limits, and responsibility boundaries before production.