OTPBase

Let an AI agent read codes

An agent that's automating a signup or login stalls the instant it hits a verification-code wall. There's no inbox it can read, so it gives up or waits for you. OTPBase closes that gap: hand the agent a read-only token and one instruction, and it can fetch the code itself.

The problem

Most agent runs die at the same step. The agent fills the form, submits, and the service replies "we sent a code to your phone." The agent has no way to see that code, so the whole task halts on a human.

The fix

Give the agent two things:

  1. A read-only otpb_ token (create one at Settings → API, /settings/api).
  2. One sentence telling it where to read the code.

That's enough for any agent that can make an HTTP request.

The instruction line

Drop this into a system prompt, .cursorrules, or an agent's tool description verbatim:

When you need a verification code, GET https://otpbase.com/api/v1/codes/latest?service=<name> with header Authorization: Bearer <token>, and read the code field.

Swap <name> for the service the code is for (e.g. GitHub) and <token> for the agent's read token.

In .cursorrules or a system prompt

You can retrieve verification / 2FA codes when a flow requires one.

To get the latest code:
  GET https://otpbase.com/api/v1/codes/latest?service=<service-name>
  Header: Authorization: Bearer otpb_REPLACE_WITH_TOKEN

The response is JSON; use the value of the "code" field.
If you get 404 {"error":"no_active_code"}, the code hasn't arrived yet —
wait a few seconds and try again. Never log or echo the token.

In CI (GitHub Actions)

Store the token as a repository or environment secret (e.g. OTPBASE_TOKEN), then read the code with curl and pull out .code with jq:

- name: Fetch verification code
  id: otp
  env:
    OTPBASE_TOKEN: ${{ secrets.OTPBASE_TOKEN }}
  run: |
    code=$(curl -s "https://otpbase.com/api/v1/codes/latest?service=GitHub" \
      -H "Authorization: Bearer ${OTPBASE_TOKEN}" | jq -r '.code')
    echo "::add-mask::$code"
    echo "code=$code" >> "$GITHUB_OUTPUT"

If latest can return 404 before the code lands, wrap the curl in a short retry loop and only treat a non-empty .code as success.

Safety

The design keeps the blast radius small, but good hygiene still matters.

  • Read-only scope. An otpb_ token can only read codes — it can never send, delete, or change anything on your account.
  • One token per agent. Issue a separate token for each agent or job so you can trace and revoke them independently. You can hold up to 10.
  • Revoke instantly. If an agent misbehaves or a token leaks, kill it at /settings/api; revocation is immediate.
  • Time-boxed exposure. Codes are hidden after 15 minutes and physically deleted within an hour, so a leaked token can never reach back to old codes.
  • Don't print it. Mask the token (and the code) in logs; never commit it to a repo.

For the full endpoint reference — parameters, the list endpoint, response shapes — see "API quickstart."

هل أجاب هذا عن سؤالك؟ مراسلة الدعم