OTP hash only
Codes are stored as hashes and should never appear in normal logs.
OTPilot is scoped as a verification delivery layer. It confirms channel ownership and sends signed results back to your product without becoming your auth authority.
Codes are stored as hashes and should never appear in normal logs.
Customer API keys are authenticated without storing raw tokens.
Webhook receivers can verify event authenticity before trusting the payload.
Requests are bounded to reduce abuse and brute-force verification attempts.
Delivery attempts and verification events create a reliable audit trail.
Channel choice respects country, segment and client constraints before optimization.
The customer product owns authentication and authorization. OTPilot only returns whether the verification challenge was approved, failed or expired.
Use the security model as the start of a DPA, data retention and channel legality discussion before production rollout.