What is token and how to use it?

An Authentication Token is a unique identifier that allows users to prevent fraudulent behavior and Limit the number of unnecessary OTP requests. 

  • This provides you with the ability to set a throttle limit.
  • Throttling can be used to protect your system from unnecessary OTP requests by setting a limit on the number of requests that are allowed to submit in a given amount of time. 
  • You can set this limit using a token system, which will allow you to specify the throttling limit for each token. To set the throttling limit, you first need to create a token. This can be done by following these steps:

Step 1 - Select the OTP section from the dashboard.

Step 2 - Select the Token option from the sidebar and click on Generate New Token.

Step 3 - Enter the token name in the pop-up appearing on your screen. Once done, your token will be generated.

Step 4 - Click on the Settings (⛭) icon corresponding to any token & you can apply Additional Settings to it.

  • To set the Throttle Limit for your token, simply enter the limit you require.

Throttle limit is used to define how many times a user can request for OTPs via API in a specific time duration. Throttle limit can be defined as number of hits per 300 seconds. 

For example- We have set a restriction of 3 OTP requests per 10 seconds for a specific user in the settings below. If the limit is surpassed, the user's IP address will be blocked for 60 seconds.

Step 5 - In the tab next to Additional Settings (IPs), you will find the list of IP addresses for which the hits are coming from the OTP Widget

  • Here, you will find the different statuses of the IPs & can take the required action on them (like manually whitelisting & permanently blocking).

Normal- You will see this status if the users have requested OTPs within the specified throttle limit.

Temporary Block- When the number of OTP requests from a user exceeds the throttle limit, this status will appear, and the user will be blocked for a specified duration. The user's block will be lifted automatically after that duration.

Permanent Block- In case you identify any IP address as spam, you have the option to permanently block it.

Whitelisted- You can add genuine IP addresses to the whitelist to prevent them from being blocked in the future.

  • To manually add any IP, click on the plus (+) icon. Enter the IP address as per the required status/type.

Step 6 - In order to Enable/Disable any Token, you can click on the Vertical dots (⠇) from the Actions.

Please take note of the following:-

→ It is not advisable to use a Token in the OTP API since it will lead to your Server IP getting blocked (once the Throttle Limit is surpassed), instead of the User IP.

→ However, if you still want to use it, you can pass the token value in the request's additional parameter "tokenAuth" or in the headers as "token".

-> You do not need to use both Token and Authkey in the OTP API, as the Auth Token already supports it.

-> It is highly recommended to use tokens with OTP Widgets only as this will help you to prevent BOT ATTACKS and this will block your end-user IP.

For instructions on integrating Tokens with OTP Widgets, please refer to this guide: https://msg91.com/help/MSG91/how-to-integrate-the-new-login-with-otp-widget