A production-ready One-Time Password (OTP) verification system using phone call bot technology. Users receive automated phone calls that ask for OTP codes, with entered digits appearing in real-time on a modern web dashboard.
- Automated call initiation via Twilio
- Natural voice prompts (Polly.Joanna)
- DTMF (touch-tone) digit collection
- Call retry logic with exponential backoff
- Multi-language support ready
- Live digit display as user enters code
- Call status monitoring
- Verification status tracking
- Modern, cyberpunk-inspired UI
- Fully responsive design
- End-to-end encrypted communications
- Rate limiting (Redis-based)
- OTP expiration (configurable)
- Webhook signature validation
- SQL injection prevention
- CSRF protection
- Comprehensive metrics dashboard
- Call success rates
- Verification analytics
- System health monitoring
- Structured JSON logging
```
┌─────────────────┐     ┌─────────────────┐     ┌─────────────────┐
│                 │     │                 │     │                 │
│    Frontend     │────▶│     Backend     │────▶│     Twilio      │
│    (React)      │     │    (FastAPI)    │     │      API        │
│                 │◀────│                 │◀────│                 │
└────────┬────────┘     └────────┬────────┘     └────────┬────────┘
         │                       │                       │
         │                       │                       │
         │               ┌───────┴───────┐               │
         │               │               │               │
         ▼               ▼               ▼               ▼
    ┌──────────┐    ┌──────────┐    ┌──────────┐    ┌──────────┐
    │WebSocket │    │PostgreSQL│    │  Redis   │    │ Webhook  │
    │Real-time │    │ Database │    │  Cache   │    │ Callback │
    └──────────┘    └──────────┘    └──────────┘    └──────────┘
```
- Docker & Docker Compose
- Twilio Account (Sign up free)
- Node.js 18+ (for local development)
- Python 3.12+ (for local development)
```bash
# Clone the repository
git clone https://github.com/your-repo/otp-verification-system.git
cd otp-verification-system

# Copy environment template
cp env.example .env

# Edit .env with your settings
# IMPORTANT: Set your Twilio credentials
```

- Get your credentials from Twilio Console
- Update `.env`:

```env
TWILIO_ACCOUNT_SID=ACxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx
TWILIO_AUTH_TOKEN=your-auth-token-here
TWILIO_PHONE_NUMBER=+1234567890
TWILIO_WEBHOOK_BASE_URL=https://your-domain.com
```

```bash
# Build and start all services
docker-compose up -d

# View logs
docker-compose logs -f

# Access the dashboard
open http://localhost:3000
```

```bash
# Backend
cd backend
pip install -r requirements.txt
uvicorn app.main:app --reload --port 8000

# Frontend (new terminal)
cd frontend
npm install
npm run dev
```

```
otp-verification-system/
├── backend/
│   ├── app/
│   │   ├── api/          # API endpoints
│   │   ├── core/         # Config, security, logging
│   │   ├── db/           # Database & Redis
│   │   ├── models/       # SQLAlchemy models
│   │   ├── schemas/      # Pydantic schemas
│   │   ├── services/     # Business logic
│   │   └── main.py       # Application entry
│   ├── tests/            # Test suite
│   ├── migrations/       # Database migrations
│   ├── Dockerfile
│   └── requirements.txt
├── frontend/
│   ├── src/
│   │   ├── components/   # React components
│   │   ├── hooks/        # Custom hooks
│   │   ├── pages/        # Page components
│   │   ├── services/     # API service
│   │   └── styles/       # CSS styles
│   ├── Dockerfile
│   └── package.json
├── nginx/                # Nginx configuration
├── docker-compose.yml
├── Makefile
└── README.md
```
| Method | Endpoint | Description |
|---|---|---|
| POST | `/api/v1/otp/request` | Request OTP verification call |
| POST | `/api/v1/otp/verify` | Verify OTP code |
| GET | `/api/v1/otp/status/{session_id}` | Get verification status |
| DELETE | `/api/v1/otp/cancel/{session_id}` | Cancel OTP session |
Connect to /ws/otp/{session_id} for real-time updates:
```javascript
const ws = new WebSocket('ws://localhost:8000/ws/otp/SESSION_ID');

ws.onmessage = (event) => {
  const data = JSON.parse(event.data);
  switch (data.event) {
    case 'digit_received':
      console.log(`Digit ${data.data.digit} at position ${data.data.position}`);
      break;
    case 'verification_complete':
      console.log('Verified!', data.data.success);
      break;
  }
};
```

```bash
# Request OTP call
curl -X POST http://localhost:8000/api/v1/otp/request \
  -H "Content-Type: application/json" \
  -d '{"phone_number": "+14155551234"}'
```

```json
{
  "session_id": "abc123def456",
  "status": "calling",
  "message": "Initiating phone call...",
  "expires_at": "2024-01-15T10:30:00Z",
  "websocket_url": "ws://localhost:8000/ws/otp/abc123def456"
}
```

- API Documentation: http://localhost:8000/docs (Swagger UI)
- ReDoc: http://localhost:8000/redoc
| Variable | Description | Default |
|---|---|---|
| `APP_ENV` | Environment (development/production) | development |
| `APP_SECRET_KEY` | Secret key for JWT | - |
| `DATABASE_URL` | PostgreSQL connection URL | - |
| `REDIS_URL` | Redis connection URL | - |
| `TWILIO_ACCOUNT_SID` | Twilio Account SID | - |
| `TWILIO_AUTH_TOKEN` | Twilio Auth Token | - |
| `TWILIO_PHONE_NUMBER` | Twilio phone number | - |
| `OTP_LENGTH` | Number of OTP digits | 6 |
| `OTP_EXPIRY_MINUTES` | OTP validity period | 10 |
| `OTP_MAX_ATTEMPTS` | Max verification attempts | 3 |
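Added example (not the project's own code) of how `OTP_LENGTH`, `OTP_EXPIRY_MINUTES` and `OTP_MAX_ATTEMPTS` combine in a server-side check: the code is kept only as a keyed hash, expiry and the attempt cap are enforced before any comparison, and a verified code cannot be replayed. `OtpSession`, `issue_otp` and `verify_otp` are hypothetical names, and an in-memory object stands in for the Redis/PostgreSQL session store.

```python
import hashlib
import hmac
import secrets
from dataclasses import dataclass

# Defaults taken from the configuration table above.
OTP_LENGTH = 6
OTP_EXPIRY_MINUTES = 10
OTP_MAX_ATTEMPTS = 3


@dataclass
class OtpSession:  # hypothetical stand-in for the stored session row
    code_hash: bytes
    expires_at: float
    attempts: int = 0
    verified: bool = False


def _keyed_hash(code: str, session_key: bytes) -> bytes:
    # Store an HMAC of the code, never the code itself.
    return hmac.new(session_key, code.encode(), hashlib.sha256).digest()


def issue_otp(session_key: bytes, now: float) -> tuple[str, OtpSession]:
    # secrets gives a CSPRNG; random.randint would be predictable.
    code = "".join(secrets.choice("0123456789") for _ in range(OTP_LENGTH))
    expires_at = now + OTP_EXPIRY_MINUTES * 60
    return code, OtpSession(_keyed_hash(code, session_key), expires_at)


def verify_otp(session: OtpSession, submitted: str,
               session_key: bytes, now: float) -> str:
    if session.verified:
        return "already_used"          # one-time: no replay after success
    if now >= session.expires_at:
        return "expired"
    if session.attempts >= OTP_MAX_ATTEMPTS:
        return "locked"                # cap reached: even the right code fails
    session.attempts += 1              # count the attempt before comparing
    candidate = _keyed_hash(submitted, session_key)
    if hmac.compare_digest(candidate, session.code_hash):  # constant time
        session.verified = True
        return "verified"
    return "locked" if session.attempts >= OTP_MAX_ATTEMPTS else "invalid"
```

With a shared store, the attempt counter has to be incremented atomically (for example a Redis `INCR`), or parallel requests can exceed the cap.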
```bash
# Run backend tests
cd backend
pytest -v

# With coverage
pytest --cov=app --cov-report=html

# Run frontend tests
cd frontend
npm run test
```

```bash
# Build for production
docker-compose -f docker-compose.yml build

# Start services
docker-compose up -d

# Scale backend
docker-compose up -d --scale backend=3
```

- Set `APP_ENV=production`
- Use strong `APP_SECRET_KEY` (32+ characters)
- Configure proper `CORS_ORIGINS`
- Set up SSL/TLS certificates
- Configure Twilio webhook URL

- `/health` - Comprehensive health check
- `/health/live` - Kubernetes liveness probe
- `/health/ready` - Kubernetes readiness probe
Access /api/v1/metrics/ for:
- Call success rate
- Verification success rate
- Active sessions
- Error rate
- Hourly statistics
- Never commit `.env` - Use environment variables in production
- Rotate secrets regularly - Update API keys and tokens
- Enable rate limiting - Prevent abuse
- Use HTTPS - Encrypt all traffic
- Validate webhooks - Verify Twilio signatures
- Monitor logs - Set up alerting for anomalies
- Fork the repository
- Create a feature branch (`git checkout -b feature/amazing-feature`)
- Commit changes (`git commit -m 'Add amazing feature'`)
- Push to branch (`git push origin feature/amazing-feature`)
- Open a Pull Request
This project is licensed under the MIT License - see the LICENSE file for details.
- FastAPI - Modern Python web framework
- Twilio - Cloud communications platform
- React - UI library
- TailwindCSS - Utility-first CSS
Built with ❤️ for secure verification