v1 API live / AES-256-GCM / 1h to disk / 0 telemetry / polling-only

→ /api/v1/codes

// activity

14:23:08 GitHub received
14:21:44 Stripe burned
14:20:16 Coinbase received
14:18:55 Resend received
14:15:09 GitHub expired
14:13:33 Apple ID received
14:11:08 Stripe received
14:09:02 支付宝 received
14:06:51 Coinbase burned
14:04:26 Cursor received
14:02:18 微信 received
14:00:01 Apple ID expired
14:23:08 GitHub received
14:21:44 Stripe burned
14:20:16 Coinbase received
14:18:55 Resend received
14:15:09 GitHub expired
14:13:33 Apple ID received
14:11:08 Stripe received
14:09:02 支付宝 received
14:06:51 Coinbase burned
14:04:26 Cursor received
14:02:18 微信 received
14:00:01 Apple ID expired

For humans, scripts, and AI agents

OTPs as an API. Stop typing 2FA codes.

Wire up your inboxes, your phone, or your TOTP apps. Read the latest verification code from anywhere — a curl, a CI job, an AI agent that needs to finish a login. Auto-deletes in an hour.

Get a token — free 6 months Pair phone

15min

Visible

1hr

To disk

0trk

Telemetry

Plug into your AI agent — paste one line, give it a token, done.

prompt

When you need a verification code, fetch GET https://otpbase.com/api/v1/codes/latest?service=<name> with header Authorization: Bearer <my-token>

~/agent live

$ curl -H "Authorization: Bearer otpb_..." \
   https://otpbase.com/api/v1/codes/latest?service=GitHub

{
  "code": "482913",
  "service": "GitHub",
  "received_at": "2026-05-05T10:21:07Z",
  "seconds_remaining": 838
}

otpbase.com/codes

GitHub · iPhone

482913

14m

Stripe · gmail 🔥

907412

28s

支付宝 · iPhone

736251

3m

.cursorrules

When 2FA is required, GET /api/v1/codes/latest with my OTPBase token.

🔥 burned · 0s ago

Drops in beside GitHub Stripe Coinbase Resend Cursor GitHub Actions Apple ID 支付宝微信

Get codes flowing

Pair your phone in 60 seconds

Forward incoming SMS straight into OTPBase. iPhone runs an Apple Shortcut. Android uses a free SMS-forwarder app. Tap a step to see what happens on screen.

auto-cycling paused — click any step

9:41 5G100%

OTPBase Forward

Apple Shortcut · 1 action

When triggered, sends the SMS body and sender to your OTPBase account over HTTPS.

otpbase.com / devices / pair

Pairing code

382 941

Expires in 4:58

Paste this into the shortcut. We bind it to a long-lived device token.

otpb_a3f9c…

New Personal Automation

When I receive Message

Sender: Any · Contains digits

Run OTPBase Forward

Ask Before Running: Off

9:41

Sunday, May 5

OTPBASEnow

Code received

GitHub · 482913 · 14m left

▲ ingested via /api/v1/ingest/mobile

Google Play

SMS Forwarder

★ 4.6 · 1M+ installs

Webhooks · Filters · Free

Tasker, MacroDroid and AutoNotification work too.

Webhook

URL

https://otpbase.com/api/v1/ingest/mobile

Method

POST

Header

Authorization: Bearer otpb_…

Filters

OTP only (regex)

/(\d{4,8})\b/

Skip banking SMS

招行 · 工行 · 建行 …

Sender allowlist

Notifications

SFSMS Forwardernow

Forwarded to otpbase.com

200 OK · 142ms

OTPBasenow

Code received

GitHub · 482913 · 14m left

Paired

You can also pair via email IMAP, or push from your own scripts. See the API.

A small tool that respects your attention.

Built for one person — you. No teams, no SSO, no dashboards full of empty graphs.

Pulls from everywhere

IMAP mailboxes, iOS Shortcuts forwarding SMS, and self-hosted TOTP all flow into one timeline.

Encrypted by default

Server-side AES-256-GCM at rest. Turn on the optional view-password and your codes never leave the browser as plaintext.

Auto-deletes itself

Codes hide from the live view in 15 minutes. The row is physically wiped from disk in 1 hour. Both windows can be tightened — even down to burn-after-reading.

Data lifecycle

15 minutes to view. 1 hour to disappear.

A code is visible for 15 minutes — long enough to use, short enough to be irrelevant if your screen is glanced at. Within an hour the row is physically deleted from the database. No backup retains it past that point. Both windows are tunable per account.

1

Arrives

Encrypted at rest before the row is committed.

2

Visible · 15 min

Surfaced in /codes and via the API.

3

Hidden

Out of every view, queued for deletion.

4

Wiped · 1 hour

Row gone from disk. No backup keeps it.

🔥

Optional: burn after reading

Tap the code to copy it — and it dissolves 30 seconds later. Useful when sharing a screen.

Security, plainly stated

Transient by design. Encrypted at rest. Physically deleted on a clock.

OTPBase is a relay, not a vault. A code passes through, lives long enough for you to use it, and is then erased — first from view, then from disk. There is no archive, no analytics warehouse, no shadow copy on a backup tape.

Every secret on disk is wrapped in AES-256-GCM with a key that lives only in our environment. Turn on the optional view password and even we cannot read the codes — only the browser session that holds your derived key can.

AES-256-GCM

encryption at rest

15 min

visible window

1 hour

physical deletion

0 telemetry

no analytics, ever

Read the architecture doc

Programmable

A REST API your agents can talk to.

Issue a personal access token from settings, then read codes from anywhere — CI bots, AI agents, your laptop. Read-only by design. The same 1-hour deletion applies.

See the API reference

$ curl

$ curl -H "Authorization: Bearer otpb_..." \
   https://otpbase.com/api/v1/codes/latest?service=GitHub

{
  "code": "482913",
  "service": "GitHub",
  "received_at": "2026-05-05T10:21:07Z",
  "seconds_remaining": 838
}

Pricing

Priced like the small tool it is.

$1 / month

Best value

$8 / year

$20 / three years

6-month free trial · cancel any time · no card needed to start

Get a token — free 6 months