Laravel One Time Passwords

spatie/laravel-one-time-passwords

Securely generate and consume one-time passwords in Laravel. Ships with notifications (email by default, extensible to SMS/other channels) and a ready-to-use Livewire login component. Optionally enhances the OTP input UI automatically when Flux is installed.

Use one time passwords (OTP) to authenticate in your Laravel app

Frequently asked questions about Laravel One Time Passwords
How do I integrate one-time passwords into an existing Laravel authentication system?
The package provides a `HasOneTimePassword` trait for your User model and integrates with Laravel’s Auth facade. You can extend your existing `LoginController` or create a new one to handle OTP validation. The package emits events (`OneTimePasswordGenerated`, `OneTimePasswordUsed`) for custom logic, like logging or notifications.
What Laravel versions and PHP requirements does this package support?
The package is optimized for Laravel 10.x and 11.x and requires PHP 8.1 or higher. Check the `composer.json` constraints to avoid version conflicts with Laravel core or other Spatie packages like `laravel-permission`.
Can I customize the OTP token format (e.g., alphanumeric instead of numeric) or length?
Yes, you can extend the `OneTimePasswordGenerator` class to create custom token formats. The default is a 6-digit numeric token, but you can override the generator logic to support alphanumeric or longer tokens. Configuration is handled via the `config/otp.php` file.
How do I send OTPs via SMS or other channels besides email?
The package uses Laravel’s Notification system, so you can create a custom `OneTimePasswordDelivery` class to handle SMS (e.g., via Twilio) or other channels. The default email notification can be extended or replaced entirely. Ensure your delivery method supports secure transmission.
Is there built-in rate limiting to prevent brute-force attacks on OTPs?
No, the package does not include brute-force protection by default. You must integrate Laravel’s `throttle` middleware or a custom solution (e.g., `spatie/laravel-rate-limiting`) to restrict OTP attempts. Secure the transport layer (HTTPS) and consider IP-based throttling for API endpoints.
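One way to add that throttling with Laravel's named rate limiters, shown as an added example that is not the package's own code. The limiter name `otp-verify`, the `/login/otp` route, the `email` request field, `OtpLoginController` and the limit values are assumptions to adapt to your app.

```php
<?php
// Added example (not from spatie/laravel-one-time-passwords).
// Assumed names: 'otp-verify', '/login/otp', the 'email' field, OtpLoginController.

// --- file: app/Providers/AppServiceProvider.php ---
namespace App\Providers;

use Illuminate\Cache\RateLimiting\Limit;
use Illuminate\Http\Request;
use Illuminate\Support\Facades\RateLimiter;
use Illuminate\Support\ServiceProvider;

class AppServiceProvider extends ServiceProvider
{
    public function boot(): void
    {
        RateLimiter::for('otp-verify', function (Request $request) {
            // Normalise the identifier so "A@x.io" and "a@x.io " share one bucket.
            $account = strtolower(trim((string) $request->input('email')));

            return [
                // Per-account bucket, independent of source IP: a 6-digit code has
                // only 1,000,000 values, so guesses against one account must be
                // capped even when they arrive from many addresses.
                Limit::perMinutes(10, 5)->by('otp-account:' . sha1($account)),

                // Per-IP bucket: caps one client cycling through many accounts.
                // Distinct key prefixes keep the two buckets from colliding.
                Limit::perMinute(20)->by('otp-ip:' . $request->ip()),
            ];
        });
    }
}

// --- file: routes/web.php ---
use App\Http\Controllers\OtpLoginController; // hypothetical controller
use Illuminate\Support\Facades\Route;

// Requests over either limit receive HTTP 429 before the controller runs,
// so the OTP comparison is never reached for throttled attempts.
Route::post('/login/otp', [OtpLoginController::class, 'verify'])
    ->middleware('throttle:otp-verify');
```

Apply a separate, stricter limiter to the endpoint that sends codes, since each request there triggers an outbound email or SMS.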
How do I test OTP flows in Laravel’s testing environment?
The package lacks built-in testing utilities, so you’ll need to mock the `OneTimePassword` model and generator. Use Laravel’s `fake()` method to simulate token generation and validation. Test edge cases like token expiration during submission manually or with custom assertions.
Can I use this package for API token authentication instead of user sessions?
Yes, the package works for API tokens by validating OTPs against a user or service account. Store the OTP in the database and validate it via the `OneTimePassword::validate()` method. Combine it with Laravel’s API token guards (e.g., Sanctum or Passport) for hybrid auth flows.
What happens if an OTP expires or is used before validation? How do I handle user feedback?
Expired or used tokens return a `false` result from `validate()`. Customize error messages in your controller (e.g., ‘Token expired’ vs. ‘Invalid token’) and redirect users to resend the OTP. The package does not include a resend feature; implement it via a custom route or Livewire action.
Are there performance considerations for high-volume OTP requests (e.g., 10K+ per hour)?
The default implementation stores tokens in the database, which may bottleneck under high load. For scaling, offload token storage to Redis or cache the `OneTimePassword` model. Use queue workers for delivery (e.g., SMS/email) to avoid blocking requests.
What alternatives exist for OTP in Laravel, and when should I choose this package?
Alternatives include `laravel-2fa` (for MFA) or custom implementations using `spatie/laravel-activitylog` for auditing. Choose this package if you need lightweight, Laravel-native OTPs for temporary access, API tokens, or MFA without OAuth2 complexity. It’s ideal for projects already using Spatie’s ecosystem.