Skip to main content
Request an OTP by calling the OTP request endpoint with a developer app key and a phone number in E.164 format. Required fields are the phone number and developer app id; optional fields include sender id, OTP length, minutes to expire, delivery method (“sms” or “call”) and a message template that includes the placeholder. Prefer “call” in regions where SMS delivery is unreliable. Example request: 
curl -X POST https://karibu.briq.tz/v1/otp/request/ \
  -H "Content-Type: application/json" \
  -H "X-API-Key: your_api_key_here" \
  -d '{
    "phone_number": "+255712345678",
    "developer_app_id": "dev_app_abc123xyz789",
    "otp_length": 6,
    "minutes_to_expire": 10,
    "delivery_method": "sms",
    "message_template": "Your verification code is {code}"
  }'
Request / Resend payload example (fields commonly used together): 
{
  "phone_number": "+255672204508",
  "app_key": "briq_65q2g35t7ty6q1sb",
  "sender_id": "BRIQ",
  "otp_length": 6,
  "minutes_to_expire": 10,
  "delivery_method": "sms"
}
A successful response includes an otp_id, recipient, sent and expiry timestamps. On failure the API returns an error describing the issue. Before sending, validate phone format, keep developer_app_id confidential, apply rate limits per recipient and log attempts for monitoring.

Request Parameters

ParameterTypeRequiredDescription
phone_numberstringYesPhone number in international format (e.g., 255712345678)
developer_app_idstringYesID of the developer app for OTP access

Response Format

Successful Request: 
{
  "success": true,
  "message": "OTP Code sent successfully.",
  "data": {
    "expires_at": "2025-08-23T00:37:03.502607"
  },
  "status_code": 200
}
Failed Request: 
{
  "success": false,
  "error": "Developer app not found or not linked to workspace with developer access"
}

Best Practices

Phone Number Format

  • Always use international format without spaces or special characters
  • Include country code (e.g., 255 for Tanzania)
  • Example: 255712345678 (not +255 71 234 5678)

Error Handling

  • Check the success field in the response
  • Handle developer app authentication errors
  • Implement retry logic for network failures
  • Log OTP request attempts for monitoring

Security Considerations

  • Store otp_id securely for verification step
  • Don’t expose OTP IDs in logs or client-side code
  • Implement rate limiting on your application side
  • Validate phone numbers before making requests
I