How do I integrate one-time passwords into an existing Laravel auth system?

Use the `HasOneTimePasswords` trait on your User model and publish the migrations. The package provides methods like `sendOneTimePassword()` and `attemptLoginUsingOneTimePassword()` to replace or supplement password-based auth. For hybrid flows (password + OTP), trigger OTP after password validation.

Can I send OTPs via SMS instead of email?

Yes. Extend the default `OneTimePasswordNotification` to use a custom notification class (e.g., `ViaSms`). Configure your SMS gateway (e.g., Twilio) in Laravel’s notifications and update the notification channel in the OTP notification class.

What Laravel versions does this package support?

The package supports Laravel 10.x and 11.x. Check the [GitHub repo](https://github.com/spatie/laravel-one-time-passwords) for the latest compatibility matrix. Older versions (Laravel 9.x) may require a legacy branch or fork.

How do I customize the OTP length or expiration time?

Override the `PasswordGenerator` class to change digit length (e.g., 8 digits). For expiration, modify the `OneTimePassword` model’s `expires_at` logic or use the `expiresInMinutes()` method in `CreateOneTimePasswordAction`. Default is 2 minutes.

Is the Livewire component required, or can I build my own UI?

The Livewire component is optional. The package provides raw methods (`sendOneTimePassword()`, `attemptLoginUsingOneTimePassword()`) to build custom UIs. For Flux users, the package auto-detects it and replaces the input with Flux’s OTP component.

How do I handle failed OTP attempts securely?

The package includes rate limiting (5 attempts/minute by default) and IP/user-agent binding. For stricter security, override the `OriginEnforcer` or implement custom logic in `ConsumeOneTimePasswordAction`. Log failed attempts via the `FailedToConsumeOneTimePassword` event.

What happens if an OTP email fails to send?

Failed email delivery won’t block the OTP flow by default. Implement a fallback (e.g., SMS or in-app notification) by catching exceptions in your notification logic. Use the `OneTimePasswordSuccessfullyConsumed` event to trigger recovery workflows if needed.

Can I test OTP flows without sending real emails/SMS?

Yes. Mock notifications in tests using Laravel’s `NotificationFake`. Example: `$this->withoutExceptionHandling()->fake(Notification::class)`. Test rate limiting with `$this->actingAs($user)->post('/otp', [...])` and assert failed attempts.

How does this package handle session security post-OTP login?

The package recommends manually regenerating the session ID after OTP login (`$request->session()->regenerate()`). This prevents session fixation. Add this to your OTP success logic or a global middleware for all auth routes.

Are there alternatives to this package for Laravel OTP auth?

Alternatives include `laravel-2fa` (for 2FA) or `overtrue/laravel-otp` (SMS-focused). However, Spatie’s package is Laravel-native, modular, and includes a ready-to-use Livewire/Flux UI. Choose based on whether you need email-only, SMS, or hybrid OTP flows.

Weave Code

Code Weaver

Helps Laravel developers discover, compare, and choose open-source packages. See popularity, security, maintainers, and scores at a glance to make better decisions.

Laravel One Time Passwords Laravel Package

spatie/laravel-one-time-passwords

Generate and verify secure one-time passwords (6‑digit by default) in Laravel. Sends OTPs via mail notifications (extendable to SMS/other channels) and includes a Livewire login component. Optional Flux support provides an enhanced OTP input UI.

View on GitHub

Deep Wiki

Context7

Use one time passwords (OTP) to authenticate in your Laravel app

Frequently asked questions about Laravel One Time Passwords

How do I integrate one-time passwords into an existing Laravel auth system?: Use the `HasOneTimePasswords` trait on your User model and publish the migrations. The package provides methods like `sendOneTimePassword()` and `attemptLoginUsingOneTimePassword()` to replace or supplement password-based auth. For hybrid flows (password + OTP), trigger OTP after password validation.
Can I send OTPs via SMS instead of email?: Yes. Extend the default `OneTimePasswordNotification` to use a custom notification class (e.g., `ViaSms`). Configure your SMS gateway (e.g., Twilio) in Laravel’s notifications and update the notification channel in the OTP notification class.
What Laravel versions does this package support?: The package supports Laravel 10.x and 11.x. Check the [GitHub repo](https://github.com/spatie/laravel-one-time-passwords) for the latest compatibility matrix. Older versions (Laravel 9.x) may require a legacy branch or fork.
How do I customize the OTP length or expiration time?: Override the `PasswordGenerator` class to change digit length (e.g., 8 digits). For expiration, modify the `OneTimePassword` model’s `expires_at` logic or use the `expiresInMinutes()` method in `CreateOneTimePasswordAction`. Default is 2 minutes.
Is the Livewire component required, or can I build my own UI?: The Livewire component is optional. The package provides raw methods (`sendOneTimePassword()`, `attemptLoginUsingOneTimePassword()`) to build custom UIs. For Flux users, the package auto-detects it and replaces the input with Flux’s OTP component.
How do I handle failed OTP attempts securely?: The package includes rate limiting (5 attempts/minute by default) and IP/user-agent binding. For stricter security, override the `OriginEnforcer` or implement custom logic in `ConsumeOneTimePasswordAction`. Log failed attempts via the `FailedToConsumeOneTimePassword` event.
What happens if an OTP email fails to send?: Failed email delivery won’t block the OTP flow by default. Implement a fallback (e.g., SMS or in-app notification) by catching exceptions in your notification logic. Use the `OneTimePasswordSuccessfullyConsumed` event to trigger recovery workflows if needed.
Can I test OTP flows without sending real emails/SMS?: Yes. Mock notifications in tests using Laravel’s `NotificationFake`. Example: `$this->withoutExceptionHandling()->fake(Notification::class)`. Test rate limiting with `$this->actingAs($user)->post('/otp', [...])` and assert failed attempts.
How does this package handle session security post-OTP login?: The package recommends manually regenerating the session ID after OTP login (`$request->session()->regenerate()`). This prevents session fixation. Add this to your OTP success logic or a global middleware for all auth routes.
Are there alternatives to this package for Laravel OTP auth?: Alternatives include `laravel-2fa` (for 2FA) or `overtrue/laravel-otp` (SMS-focused). However, Spatie’s package is Laravel-native, modular, and includes a ready-to-use Livewire/Flux UI. Choose based on whether you need email-only, SMS, or hybrid OTP flows.

Popularity trends

Recorded values over time (once-a-day snapshots). May 7, 2026 – Jun 5, 2026

GitHub · stars

GitHub · forks

GitHub · watchers

Packagist · monthly downloads

View on GitHub

Stars

177

Favorites

177

Forks

Score

26.2

Score breakdown

Sum of components, capped 0–100. Halved if archived.

Stars

input: 177

+0.9
Forks

input: 26

+0.8
Open issues + PRs

input: 0

+0.0
Releases

input: 18

+5.4
Recency

input: 25

+18.6
Issue opportunity

input: 0

+0.0
Laravel News mentions

input: 0

+0.0
Dependents

input: 0

+0.0

Total 25.7

Opportunity

41.4

Opportunity score breakdown

Hidden gem signal × 0.65 + contribution need × 0.35, scaled by health factor.

Hidden gem

log(monthly_downloads / (stars + 1)) × 25

64.0
Contribution need

open_issues + open_prs: 0

0.0
Health factor

archived + recency + open issues

×0.99

Total 41.2

License

MIT

Last release

May 11, 2026

Watchers

Downloads

64K/mo

Dependents

Open issues

Weaver

How can I help you explore Laravel packages today?

Conversation history is not saved when not logged in.

Add packages to context

No packages found.

hexters/coinpayment

rjcodes/rjcms

act-training/laravel-permissions-manager

alimarchal/laravel-chart-of-accounts

babenkoivan/elastic-scout-driver

mkwebdesign/filament-watchdog-v5

renatomarinho/laravel-page-speed

zedmagdy/filament-business-hours

renatovdemoura/blade-elements-ui

devgeek/beacon-admin

benjamin-rqt/data-watcher-bundle

atriumphp/atrium

sandermuller/package-boost-laravel

sandermuller/boost-skills

redaxo/core

yusufgenc/filament-api-forge

l3aro/rating-star-for-filament

leek/filament-subtenant-scope

anil/file-picker

broqit/fields-ai