Email OTP

In preview

Verify by email, on a real email network.

Get startedRead docs
Set up in:
Cursor

Email verification sends a one-time code to an email address — no phone number required, and the channel reaches anyone with an inbox. Bird sends it on the same infrastructure that carries transactional email at scale, from a shared sender or your own verified domain, and checks it by recipient.

verify.ts
200 · pending
import { BirdClient } from "@messagebird/sdk";

const bird = new BirdClient({ apiKey: process.env.BIRD_API_KEY! });

// Send the code, then check it by recipient.
await bird.verify.verifications.create({
  to: { email_address: "ada@example.com" },
}).safe();

const { data } = await bird.verify.verifications.check({
  to:   { email_address: "ada@example.com" },
  code: userInput,
}).safe();

The verification channel that needs no phone number.

Email is a first-class channel on the Bird Verify API: post a verification with an email address and we send the code from the shared Authifly sender, otp@verify.authifly.com, or your own verified domain. It's country-independent, so it works the same everywhere, and it rides the same network Bird runs for transactional email at scale.

What you get on an email verification.

Built in, on every send.

  1. 01

    Addressed by email.

    Pass a single email address. No phone number, no country — email is the one channel that reaches anyone with an inbox.

  2. 02

    Shared or your own domain.

    Send from the shared Authifly sender (otp@verify.authifly.com) out of the box, or override to a domain you've already verified for sending.

  3. 03

    A ready-made OTP email.

    The code lands in a clean, mobile-ready default template: the code up front, an expiry note, and a reminder never to share it. Nothing to design before you ship.

  4. 04

    On the Bird email network.

    Your codes ride the same delivery infrastructure as your product's transactional email: signed, routed, and monitored.

  5. 05

    Server-generated, hashed codes.

    A 6-digit code by default (4–10 configurable), generated with a cryptographic random source and stored only as an HMAC.

  6. 06

    Check by recipient.

    Confirm the code by the email address it went to — no verification id to keep, and re-posting the create resends within the session.

Send to an address, check by the same address.

An email verification is the same two calls as any other channel — only the recipient shape changes from a phone number to an email address.

email-otp.ts
200
await bird.verify.verifications.create({
  to: { email_address: "ada@example.com" },
}).safe();

const { data } = await bird.verify.verifications.check({
  to:   { email_address: "ada@example.com" },
  code: userInput,
}).safe();

// data.result is true or false; data.reason elaborates ("expired", "already_verified", …)

Email OTP FAQ

When should I verify by email instead of SMS?+
Email needs no phone number and reaches anyone with an inbox, which makes it a strong default for signup and account-recovery flows and a natural fallback when you don't have a verified phone number. Many products offer both and let the user choose.
Can I send from my own domain?+
Yes. Codes go from the shared Authifly sender (otp@verify.authifly.com) by default, and you can override to a domain you've already verified for sending with Bird, so the code arrives from your brand.
Do you check the suppression list before sending an OTP?+
OTP email is transactional system mail, so it isn't gated on the marketing suppression list. Delivery is handled asynchronously by the email pipeline, the same as any transactional send.
How are the codes stored?+
Codes are generated with a cryptographic random source and stored only as an HMAC-SHA256 hash, compared in constant time. The plaintext is never returned or logged.
Who do my users see the code from?+
Authifly, Bird's verification brand. It's the identity on every code your users receive: email arrives from otp@verify.authifly.com or your own verified domain, and SMS and WhatsApp are Authifly-branded. authifly.com is a public page that reassures recipients Authifly sends legitimate one-time codes on a business's behalf. Bird is the platform you build on; Authifly is what the recipient sees.

The rest of the Verify platform

One API, one set of keys. Explore the other capabilities.

SMS OTPOne-time passcodes over SMS, with global reach and built-in rate limits.WhatsApp OTPCodes on WhatsApp as an orderable channel in the same plan.Voice OTPRolling out: a spoken code for landlines and hard-to-reach users.Channel orchestrationPer-country channel order and senders as a first-class config resource.Anti-abuse & code securityHashed codes, per-recipient caps, attempt lockout, and the fraud roadmap.Verify API overviewThe full Verify API: create-or-retry, check by target, and per-country config.

Your verification codes on the network that runs your email.

Email is one channel of Bird Verify: SMS and WhatsApp ship with it, and voice is rolling out — all on the same two endpoints.

Explore the Verify platformGet started

Start with one channel.
Add the others when you're ready.

A test API key is yours immediately. Production unlocks when you add a payment method and verify a sender.

Get startedRead docs

Using Claude Code, Cursor, or Codex? Copy a setup prompt and your agent installs the Bird CLI and skills for you. Pick yours:

Cursor