What is token and how to use it?

An Authentication Token is a unique identifier that allows users to prevent fraudulent behavior and Limit the number of unnecessary OTP requests. 

Step 1 - Select the OTP section from the dashboard.

Step 2 - Select the Token option from the sidebar and click on Generate New Token.

Step 3 - Enter the token name in the pop-up appearing on your screen. Once done, your token will be generated.

Step 4 - Click on the Settings (⛭) icon corresponding to any token & you can apply Additional Settings to it.

Throttle limit is used to define how many times a user can request for OTPs via API in a specific time duration. Throttle limit can be defined as number of hits per 300 seconds. 

For example- We have set a restriction of 3 OTP requests per 10 seconds for a specific user in the settings below. If the limit is surpassed, the user's IP address will be blocked for 60 seconds.

Step 5 - In the tab next to Additional Settings (IPs), you will find the list of IP addresses for which the hits are coming from the OTP Widget

Normal- You will see this status if the users have requested OTPs within the specified throttle limit.

Temporary Block- When the number of OTP requests from a user exceeds the throttle limit, this status will appear, and the user will be blocked for a specified duration. The user's block will be lifted automatically after that duration.

Permanent Block- In case you identify any IP address as spam, you have the option to permanently block it.

Whitelisted- You can add genuine IP addresses to the whitelist to prevent them from being blocked in the future.

Step 6 - In order to Enable/Disable any Token, you can click on the Vertical dots (⠇) from the Actions.

Please take note of the following:-

→ It is not advisable to use a Token in the OTP API since it will lead to your Server IP getting blocked (once the Throttle Limit is surpassed), instead of the User IP.

→ However, if you still want to use it, you can pass the token value in the request's additional parameter "tokenAuth" or in the headers as "token".

-> You do not need to use both Token and Authkey in the OTP API, as the Auth Token already supports it.

-> It is highly recommended to use tokens with OTP Widgets only as this will help you to prevent BOT ATTACKS and this will block your end-user IP.

For instructions on integrating Tokens with OTP Widgets, please refer to this guide: https://msg91.com/help/MSG91/how-to-integrate-the-new-login-with-otp-widget