Two-Factor Authentication

email OTP 2FA
for your app

Add two-factor authentication with two API calls. Send verification codes via email. No SMS costs, no Twilio, no complexity.

Get started Read docs

~/dev/my-app

# Step 1: Send a verification code

curl -X POST https://api.verifykit.io/v1/2fa/send \

-H "Authorization: Bearer vk_live_..." \

-d '{"email": "[email protected]", "app_name": "MyApp"}'

# Response: save the request_id

{ "request_id": "2fa_abc123...", "expires_in": 600 }

# Step 2: Verify the code the user enters

curl -X POST https://api.verifykit.io/v1/2fa/verify \

-H "Authorization: Bearer vk_live_..." \

-d '{"request_id": "2fa_abc123...", "code": "847293"}'

# Done!

{ "valid": true, "message": "Verification successful" }

How it works

Two API calls. That's all you need to add 2FA to your application.

Email OTP

Send 6-digit verification codes to any email address. Pass app_name to show your brand, or set delivery to "api" to use your own email service. No SMS costs.

Secure by default

Codes are SHA-256 hashed, single-use, and auto-expire after 10 minutes. Max 5 verification attempts.

Two API calls

Send a code with POST /v1/2fa/send, verify it with POST /v1/2fa/verify. That's it.

Rate limited

Built-in rate limiting: max 5 codes per email per 10-minute window. Protects against abuse automatically.

10-minute expiry

Codes automatically expire. No cleanup needed. Failed attempts are tracked and codes invalidate after 5 wrong tries.

Bring your own email

Set delivery to "api" to get the OTP code in the response. Send it with your own email service for full control over branding and delivery.

Official SDKs

Dedicated 2FA SDKs for Node.js and PHP. Install and go.

Node.js

@verifykit.io/2fa

import { VerifyKit2FA } from '@verifykit.io/2fa';

const client = new VerifyKit2FA({
  apiKey: process.env.VERIFYKIT_API_KEY!
});

// Send code via VerifyKit email
const { request_id } = await client.sendOtp(
  '[email protected]', { appName: 'MyApp' }
);

// Or get the code to send yourself
const { code } = await client.sendOtp(
  '[email protected]', { delivery: 'api' }
);

// Verify code
const result = await client.verifyOtp(
  request_id, '847293'
);
console.log(result.valid); // true

PHP

verifykit-io/2fa-php-sdk

use VerifyKit2FA\VerifyKit2FA;

$client = new VerifyKit2FA(
  apiKey: $_ENV['VERIFYKIT_API_KEY']
);

// Send code via VerifyKit email
$result = $client->sendOtp(
  '[email protected]', 'MyApp'
);

// Or get the code to send yourself
$result = $client->sendOtp(
  '[email protected]', delivery: 'api'
);
// $result->code = "847293"

// Verify code
$verification = $client->verifyOtp(
  $result->requestId, '847293'
);
echo $verification->valid; // true

Security built in

SHA-256

Codes hashed at rest

10 min

Auto-expiry TTL

5 max

Attempts per code

1 use

Single-use codes

2FA pricing

Add 2FA to your app today. Included in Growth plans and above — no per-code fees.

Growth

$19/mo

25,000 codes/month

Pro

$49/mo

50,000 codes/month

Unlimited

$249/mo

100,000 codes/month

Need more than 100k codes/month?

Let's talk. We'll work out a plan that fits your volume.

Get started

Ready to add 2FA?

Get your API key and start sending verification codes in minutes.

Get API key Read the docs

email OTP 2FAfor your app