How Agent OTP Works

Agent OTP acts as a secure relay between your verification codes and your AI agents. Here's how the system ensures security and user control.

The Problem

AI agents often need to complete tasks that require verification codes:

  • Signing up for services on behalf of users
  • Logging into accounts that require 2FA
  • Verifying identity for financial transactions
  • Confirming actions that require human verification

The naive solution - giving agents direct access to SMS or email - creates significant security risks:

  • Agents could read sensitive personal messages
  • Broad access is hard to audit or control
  • Compromised agents could abuse access
  • No separation between different OTP sources

The Solution: Secure OTP Relay

Agent OTP solves this by acting as a controlled intermediary. The agent never has direct access to your messages - instead, specific OTPs are securely relayed only when you approve.

Request Flow

1

Agent Requests OTP

The agent sends a request to Agent OTP, specifying why it needs the OTP, the expected sender (e.g., "GitHub"), and its public encryption key.

2

User Reviews and Approves

You receive a notification (mobile app, email, or web) showing what the agent is requesting. You can approve or deny the request.

3

OTP is Captured

When the OTP arrives (via SMS or email), Agent OTP captures it based on the filters you approved (sender, content pattern).

4

OTP is Encrypted

The OTP code is immediately encrypted using the agent's public key. Even Agent OTP servers cannot read the plaintext code.

5

Agent Consumes OTP

The agent retrieves and decrypts the OTP using its private key. The encrypted payload is immediately deleted from Agent OTP servers.

Security Principles

End-to-End Encryption

OTPs are encrypted on capture using the agent's public key. The relay service only ever sees encrypted data - it cannot read your verification codes. Only the agent with the corresponding private key can decrypt them.

User Approval Required

Every OTP request requires explicit user approval. You see exactly what the agent is requesting and why. You can deny requests you don't recognize or trust.

One-Time Read

Once an agent consumes an OTP, the encrypted payload is permanently deleted. There's no way to re-read the same OTP. This prevents data accumulation and limits exposure.

Scoped Capture

Each request specifies filters for what OTPs to capture. The agent only receives OTPs matching the approved criteria - not all your messages.

Full Audit Trail

Every request, approval, denial, and consumption is logged. You can review what OTPs agents have accessed and when.

Request Statuses

OTP requests progress through these states:

pending_approvalapprovedotp_receivedconsumed

Alternative terminal states:

  • denied - User denied the request
  • expired - Request timed out
  • cancelled - Agent cancelled the request

What Agent OTP Does NOT Do

  • Store your messages - Only encrypted OTP payloads are temporarily stored until consumed
  • Read your OTPs - End-to-end encryption means only your agent can decrypt the codes
  • Access without approval - Every request requires explicit user approval
  • Keep historical data - OTPs are deleted immediately after consumption

Next Steps