All requests to the OTP Edge API must include a valid Secret Key in the Authorization header. We use standard Bearer Token authentication to ensure every dispatch is authorized and attributed to your workspace.
Include your key in the header as follows:
Authorization: Bearer sk_live_your_secret_key
Security Best Practices
The “Show Once” Model
OTP Edge uses a “Show Once” security model for API keys. We store only the SHA-256 hash of your API keys at rest, so we cannot recover a lost key for you. If a key is compromised or lost, you must revoke it immediately in the dashboard and generate a new one.
Environment Isolation
We recommend using different keys for development and production environments.
- Use Test Keys (sk_test_...) to simulate OTP dispatches without hitting the Meta Cloud API or consuming your monthly quota. When using a Test Key, the API will return the generated OTP code directly in the JSON response so you can test your verification flow programmatically!
- Use Live Keys (sk_live_...) only in your production backend environment.
Never Leak Secrets
Never include your Secret Key in client-side code (Frontend, Mobile Apps). OTP Edge is designed for server-side dispatch to prevent malicious actors from exhausting your quota.
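One way to enforce the environment isolation and server-side handling described above at backend startup. This is an added example, not OTP Edge code: the variable names OTP_EDGE_SECRET_KEY and APP_ENV, the helper names, and the choice to reject a test key in production are assumptions; only the sk_test_ / sk_live_ prefixes and the Bearer header format come from this page.

```python
import os

# Prefixes are from the page; the variable names below are assumptions.
TEST_PREFIX = "sk_test_"
LIVE_PREFIX = "sk_live_"


class KeyPolicyError(RuntimeError):
    """Raised when the configured key does not fit the deployment environment."""


def load_secret_key(environ=os.environ):
    """Read the key from the process environment and enforce key/environment pairing."""
    key = environ.get("OTP_EDGE_SECRET_KEY", "").strip()  # assumed variable name
    app_env = environ.get("APP_ENV", "development").lower()  # assumed variable name
    if not key:
        raise KeyPolicyError("OTP_EDGE_SECRET_KEY is not set")
    if key.startswith(LIVE_PREFIX):
        # Live keys belong only in the production backend.
        if app_env != "production":
            raise KeyPolicyError("live key configured outside production")
    elif key.startswith(TEST_PREFIX):
        # Test keys return the OTP in the JSON response; keep them out of production.
        if app_env == "production":
            raise KeyPolicyError("test key configured in production")
    else:
        raise KeyPolicyError("key has neither sk_test_ nor sk_live_ prefix")
    return key


def auth_headers(key):
    """Build the Bearer header described at the top of the page."""
    return {"Authorization": f"Bearer {key}"}


def redact(key):
    """Log-safe form: keep the prefix, hide the secret part."""
    prefix = LIVE_PREFIX if key.startswith(LIVE_PREFIX) else TEST_PREFIX
    return prefix + "****"


if __name__ == "__main__":
    # Constructed sample environment; the key value is a placeholder, not a real key.
    sample = {"OTP_EDGE_SECRET_KEY": "sk_test_example_placeholder", "APP_ENV": "development"}
    key = load_secret_key(sample)
    print(redact(key), list(auth_headers(key)))
```

Call load_secret_key() once when the service starts so a misconfigured deployment fails before any dispatch, and pass only redact(key) to loggers.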