Glossary
One-Time Password (OTP) Verification
TL;DR
OTP verification provides a balance between security and convenience. It proves that the party being verified has access to the email address they claim to own; in Signbee that party is the sender of the document, not the signer.
In Signbee, OTP verification is used when the sender does not have an API key. A 6-digit code is sent to their email, and they enter it to verify their identity before the signing link is sent to the recipient.
**How OTP verification works in e-signing**
1. The sender submits a document for signing (via the API or the web interface)
2. If the sender is not authenticated via API key, a 6-digit OTP is generated and sent to their email
3. The sender enters the OTP to prove they control the email address
4. Once verified, the signing link is sent to the recipient
5. The verification method ('email OTP') is recorded in the audit trail
**OTP vs API key authentication**
For automated workflows (CI/CD pipelines, SaaS integrations, AI agents), API key authentication is preferred — it's instant and doesn't require human interaction. OTP verification is designed for manual sending through the web interface, where the sender doesn't have an API key.
**Security considerations**
OTP codes are typically valid for a short window (5-15 minutes) and single-use. Because a 6-digit code has only one million possible values, the server must also cap failed attempts per code and rate-limit verification requests; otherwise the code can be guessed online within the validity window. Good practice is to generate the code with a cryptographically secure random source, store only a keyed hash of it bound to the email address, and compare in constant time. OTP verification proves email control at the time of verification but doesn't establish long-term identity, and it is only as strong as the mailbox it relies on: a compromised email account or a forwarding rule defeats it. For higher assurance, consider API key authentication (which ties the sender to a registered account) or Qualified Electronic Signatures (QES) with identity verification through a Trust Service Provider.
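The following is an added example, not Signbee's own code, showing the sender-verification flow from the numbered steps above together with the controls just listed: CSPRNG generation, hashed storage bound to the email address, expiry, single use, an attempt cap, constant-time comparison, and an audit entry recording the 'email OTP' method, timestamp and IP address. The class and function names, the 10-minute TTL, the attempt limit of 5 and the server key are assumptions for illustration; the email delivery itself is left out.

```python
from __future__ import annotations

import hashlib
import hmac
import secrets
import time
from dataclasses import dataclass

OTP_DIGITS = 6
OTP_TTL_SECONDS = 10 * 60   # inside the 5-15 minute window described above (assumption)
MAX_ATTEMPTS = 5            # assumption: caps online guessing of the 10^6 code space

# Hypothetical server-side key for hashing stored codes; a real deployment loads it
# from a secrets manager. A leaked challenge table is useless without it.
SERVER_KEY = b"demo-only-not-a-real-key"


@dataclass
class OtpChallenge:
    email: str
    code_hash: bytes
    expires_at: float
    attempts: int = 0
    used: bool = False


class OtpVerifier:
    """Issues and checks sender-verification codes; stores hashes, never plaintext codes."""

    def __init__(self, clock=time.time):
        self._clock = clock                      # injectable so expiry can be tested
        self._challenges: dict[str, OtpChallenge] = {}
        self.audit_trail: list[dict] = []        # the page's 'audit trail', in memory here

    @staticmethod
    def _hash(email: str, code: str) -> bytes:
        # Bind the hash to the address so a code issued to one sender
        # cannot be replayed for a different address.
        return hmac.new(SERVER_KEY, f"{email}:{code}".encode(), hashlib.sha256).digest()

    def issue(self, email: str) -> str:
        """Step 2: generate a fresh code with a CSPRNG. The plaintext is returned only
        so the caller can e-mail it; only its hash is kept. Re-issuing replaces the old code."""
        email = email.lower()
        code = f"{secrets.randbelow(10 ** OTP_DIGITS):0{OTP_DIGITS}d}"
        self._challenges[email] = OtpChallenge(
            email=email,
            code_hash=self._hash(email, code),
            expires_at=self._clock() + OTP_TTL_SECONDS,
        )
        return code

    def verify(self, email: str, code: str, ip: str) -> tuple[bool, str]:
        """Step 3: return (ok, reason), enforcing expiry, single use and the attempt cap."""
        email = email.lower()
        ch = self._challenges.get(email)
        if ch is None:
            return False, "no_challenge"
        if ch.used:
            return False, "already_used"          # single-use: a replayed code is refused
        if self._clock() > ch.expires_at:
            del self._challenges[email]
            return False, "expired"
        if ch.attempts >= MAX_ATTEMPTS:
            del self._challenges[email]           # lockout: the sender must request a new code
            return False, "too_many_attempts"
        ch.attempts += 1
        # Constant-time compare on the hashes so a timing side channel cannot leak digits.
        if not hmac.compare_digest(ch.code_hash, self._hash(email, code)):
            return False, "mismatch"
        ch.used = True
        # Step 5: record how the sender was verified, when, and from where.
        self.audit_trail.append({
            "event": "sender_verified",
            "method": "email OTP",
            "email": email,
            "ip": ip,
            "timestamp": self._clock(),
        })
        return True, "verified"


if __name__ == "__main__":
    # Constructed walk-through of the flow; the code would normally arrive by e-mail.
    v = OtpVerifier()
    sender = "sender@example.com"
    code = v.issue(sender)
    print(v.verify(sender, "000000" if code != "000000" else "000001", "203.0.113.5"))  # wrong guess
    print(v.verify(sender, code, "203.0.113.5"))   # correct: step 4 may now send the signing link
    print(v.verify(sender, code, "203.0.113.5"))   # replay refused
    print(v.audit_trail)
```

Only after `verify` returns `True` should the signing link go to the recipient (step 4); the plaintext code never touches storage, so a database read gives an attacker nothing to replay.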
**OTP in legal context**
For the purposes of the ESIGN Act and eIDAS, OTP verification supplies the evidence that associates a signature with a specific person. The audit trail records the email address, the OTP verification timestamp, and the IP address, which together show that the person controlling that email address authorised the document. That evidence is about control of a mailbox at a point in time; where a higher level of signatory identification is required, a qualified signature with identity verification is the appropriate route.