spatie/laravel-one-time-passwords

Use one-time passwords (OTP) to authenticate in your Laravel app

1.0.0 2025-05-20 14:51 UTC

This package is auto-updated.

Last update: 2025-05-20 14:56:40 UTC


README


One-time passwords (OTP) for Laravel apps


Using this package, you can securely create and consume one-time passwords. By default, a one-time password is a six-digit number that is sent via a mail notification. This notification can be extended so it can be sent via other channels, like SMS.

The package ships with a Livewire component that allows users to log in using a one-time password.


Alternatively, you can build the one-time password login flow you want with the easy-to-use methods the package provides.

Here's how you would send a one-time password to a user:

// send a mail containing a one-time password
$user->sendOneTimePassword();


Here's how you would try to log in a user using a one-time password:

use Spatie\OneTimePasswords\Enums\ConsumeOneTimePasswordResult;

$result = $user->attemptLoginUsingOneTimePassword($oneTimePassword);

if ($result->isOk()) {
    // it is best practice to regenerate the session id after a login
    $request->session()->regenerate();

    return redirect()->intended('dashboard');
}

return back()->withErrors([
    'one_time_password' => $result->validationMessage(),
])->onlyInput('one_time_password');

The package tries to make one-time passwords as secure as can be by:

  • letting them expire in a short timeframe (2 minutes by default)
  • only allowing a one-time password to be consumed from the same IP address and user agent it was generated for

All behavior is implemented in action classes that can be modified to your liking.
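
The two checks listed above (short expiry, same IP and user agent), shown as a stand-alone sketch in plain PHP. This is an added example, not the package's own code: the function names, the in-memory `$store` array and the result strings are hypothetical, and it also assumes a code is deleted once consumed.

```php
<?php
// Added illustration, not the package's code; every name here is hypothetical.

function originFingerprint(string $ip, string $userAgent): string
{
    return hash('sha256', $ip . "\n" . $userAgent);
}

function issueOtp(array &$store, int $userId, string $ip, string $userAgent, int $now, int $ttl = 120): string
{
    // random_int() draws from a CSPRNG; str_pad keeps leading zeros so the code is always six digits.
    $code = str_pad((string) random_int(0, 999999), 6, '0', STR_PAD_LEFT);
    $store[$userId] = [
        'code' => $code,
        'expires_at' => $now + $ttl,
        'origin' => originFingerprint($ip, $userAgent),
    ];
    return $code;
}

function consumeOtp(array &$store, int $userId, string $submitted, string $ip, string $userAgent, int $now): string
{
    $record = $store[$userId] ?? null;
    if ($record === null) {
        return 'not_found';
    }
    if ($now > $record['expires_at']) {
        unset($store[$userId]); // expired codes are discarded
        return 'expired';
    }
    if (! hash_equals($record['origin'], originFingerprint($ip, $userAgent))) {
        return 'different_origin';
    }
    if (! hash_equals($record['code'], $submitted)) { // constant-time comparison
        return 'incorrect';
    }
    unset($store[$userId]); // single use: a second submission finds nothing
    return 'ok';
}

// Constructed sample data (documentation IP ranges, made-up user agent).
$store = [];
$code = issueOtp($store, 1, '203.0.113.7', 'ExampleBrowser/1.0', 1000);
echo consumeOtp($store, 1, $code, '198.51.100.9', 'ExampleBrowser/1.0', 1060), PHP_EOL; // other IP
echo consumeOtp($store, 1, $code, '203.0.113.7', 'ExampleBrowser/1.0', 1060), PHP_EOL;  // same origin, in window
echo consumeOtp($store, 1, $code, '203.0.113.7', 'ExampleBrowser/1.0', 1061), PHP_EOL;  // replay
```

The origin check runs before the code comparison, so a code submitted from a different IP address or user agent is rejected whether or not it is correct.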

Documentation

All documentation is available on our documentation site.

Support us

We invest a lot of resources into creating best in class open source packages. You can support us by buying one of our paid products.

We highly appreciate you sending us a postcard from your hometown, mentioning which of our package(s) you are using. You'll find our address on our contact page. We publish all received postcards on our virtual postcard wall.

Testing

composer test

Changelog

Please see CHANGELOG for more information on what has changed recently.

Contributing

Please see CONTRIBUTING for details.

Security Vulnerabilities

Please review our security policy on how to report security vulnerabilities.

Credits

License

The MIT License (MIT). Please see License File for more information.