spatie / laravel-one-time-passwords by spatie

Use one-time passwords (OTP) to authenticate in your Laravel app
3,092
111
1
laravel spatie laravel-one-time-passwords
Github Link
Packagist Link
Package Data
Maintainer Username: spatie
Maintainer Contact: freek@spatie.be (Freek Van der Herten)
Package Create Date: 2025-04-10
Package Last Update: 2025-06-16
Home Page: https://spatie.be/docs/laravel-one-time-passwords
Language: PHP
License: MIT
Last Refreshed: 2025-06-25 15:00:05
Package Statistics
Total Downloads: 3,092
Monthly Downloads: 2,995
Daily Downloads: 132
Total Stars: 111
Total Watchers: 1
Total Forks: 12
Total Open Issues: 1

Latest Version on Packagist GitHub Tests Action Status GitHub Code Style Action Status Total Downloads

Using this package, you can securely create and consume one-time passwords. By default, a one-time password is a number of six digits long that will be sent via a mail notification. This notification can be extended so it can be sent via other channels, like SMS.

The package ships with a Livewire component to allow users to login using a one-time password.

image

image

Alternatively, you can to build the one-time password login flow you want with the easy-to-use methods the package provides.

Here's how you would send a one-time password to a user

// send a mail containing a one-time password

$user->sendOneTimePassword();

This is what the notification mail looks like:

image

Here's how you would try to log in a user using a one-time password.

use Spatie\OneTimePasswords\Enums\ConsumeOneTimePasswordResult;

$result = $user->attemptLoginUsingOneTimePassword($oneTimePassword);

if ($result->isOk()) {
     // it is best practice to regenerate the session id after a login   
     $request->session()->regenerate();
              
     return redirect()->intended('dashboard');
}

return back()->withErrors([
    'one_time_password' => $result->validationMessage(),
])->onlyInput('one_time_password');

The package tries to make one-time passwords as secure as can be by:

  • letting them expire in a short timeframe (2 minutes by default)
  • only allowing to consume a one-time password on the same IP and user agent as it was generated

All behavior is implemented in action classes that can be modified to your liking.

Documentation

All documentation is available on our documentation site.

Support us

We invest a lot of resources into creating best in class open source packages. You can support us by buying one of our paid products.

We highly appreciate you sending us a postcard from your hometown, mentioning which of our package(s) you are using. You'll find our address on our contact page. We publish all received postcards on our virtual postcard wall.

Testing

composer test

Changelog

Please see CHANGELOG for more information on what has changed recently.

Contributing

Please see CONTRIBUTING for details.

Security Vulnerabilities

Please review our security policy on how to report security vulnerabilities.

Credits

License

The MIT License (MIT). Please see License File for more information.