
OTP verification

Make respondents verify their email or phone with a one-time code before they can submit — by email, SMS, or WhatsApp.

How it works

An Email or Phone field can require a one-time code. The respondent enters their email/phone, taps Send code, receives a 6-digit code, and enters it. The form won't submit until that field is verified — and changing the value afterwards asks them to verify again.

The verification UI only appears on your live published form, not in the editor preview — so designing a form never sends real codes (or costs you anything).

Turn it on

  1. Add an Email or Phone field to your form.
  2. Open its properties (click the field) and switch on "Require email verification (OTP)" (email) or "Require SMS verification (OTP)" (phone).
  3. For a phone field, pick a Code delivery option: Respondent chooses (default), SMS only, or WhatsApp only.

Delivery channels

  • Email — the code is emailed. Uses your existing email setup; effectively free.
  • SMS — a text message via Twilio.
  • WhatsApp — a WhatsApp message via Twilio. Usually cheaper than SMS, with a higher delivery rate, in many regions (including SE Asia).
  • On a phone field set to "Respondent chooses", the form shows an SMS / WhatsApp switch so the respondent picks how to receive the code.

Setup (admin)

Email verification works out of the box. SMS and WhatsApp need Twilio credentials set on the backend (Railway):

# SMS
TWILIO_ACCOUNT_SID=ACxxxxxxxx
TWILIO_AUTH_TOKEN=xxxxxxxx
TWILIO_FROM_NUMBER=+1xxxxxxxxxx        # SMS sender

# WhatsApp (optional)
TWILIO_WHATSAPP_FROM=+1xxxxxxxxxx       # WhatsApp sender
TWILIO_WHATSAPP_TEMPLATE_SID=HXxxxxxxxx # approved authentication template

WhatsApp needs an approved template

WhatsApp won't deliver business-initiated codes as free text: you need an approved "authentication" template (one variable for the code) and its Content SID in TWILIO_WHATSAPP_TEMPLATE_SID. Without it, WhatsApp sends only work inside the Twilio WhatsApp sandbox (fine for testing).

If a channel isn't configured, its Send request returns a clear "not configured" error and the respondent can switch to another channel.

Plans

Email OTP is free on every plan. SMS and WhatsApp verification are a Business-plan feature, since each message has a real per-send cost on the form owner's account.

Security & limits

  • Codes are 6 digits, expire after 10 minutes, and allow at most 5 attempts.
  • There's a 30-second cooldown between resends to limit spend and abuse.
  • Editing the email/phone after verifying clears the verification; the respondent must re-verify the new value.

On the roadmap

Today, verification gates the submit in the respondent's browser. Server-side enforcement on the submission endpoint (rejecting a submit whose value wasn't verified) is a planned follow-up.
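
The limits listed under Security & limits, together with the server-side check that the roadmap note describes as planned, shown as an added Python example. It is not this product's code: the `OtpStore` class, its method names and the in-memory storage are assumptions made for illustration.

```python
import hashlib
import hmac
import secrets
import time

CODE_TTL = 600        # codes expire after 10 minutes
MAX_ATTEMPTS = 5      # at most 5 attempts per code
RESEND_COOLDOWN = 30  # seconds between sends to one value


class OtpStore:
    """Hypothetical in-memory OTP state, keyed by the exact email/phone value."""

    def __init__(self, clock=time.time):
        self._clock = clock      # injectable so expiry can be tested
        self._pending = {}       # value -> digest, sent_at, attempts
        self._verified = set()   # values that passed verification

    def _digest(self, value, code):
        # Bind the code to the value it was sent to; keep no plaintext code.
        return hashlib.sha256(f"{value}:{code}".encode()).digest()

    def send(self, value):
        now = self._clock()
        prev = self._pending.get(value)
        if prev and now - prev["sent_at"] < RESEND_COOLDOWN:
            raise RuntimeError("resend cooldown active")
        code = f"{secrets.randbelow(10**6):06d}"  # 6 digits from a CSPRNG
        self._pending[value] = {"digest": self._digest(value, code),
                                "sent_at": now, "attempts": 0}
        return code  # goes to the email/SMS/WhatsApp sender only

    def check(self, value, code):
        entry = self._pending.get(value)
        if entry is None or self._clock() - entry["sent_at"] > CODE_TTL:
            return False
        if entry["attempts"] >= MAX_ATTEMPTS:
            return False  # code is burned; a new send is required
        entry["attempts"] += 1
        if hmac.compare_digest(entry["digest"], self._digest(value, code)):
            self._verified.add(value)
            entry["attempts"] = MAX_ATTEMPTS  # a code is single-use
            return True
        return False

    def may_submit(self, submitted_value):
        # Server-side gate: accept only the exact value that was verified.
        return submitted_value in self._verified
```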