Learn how to build a secure OTP expiry system using Unix timestamps. Step-by-step backend guide with Node.js, MongoDB, and best practices.
Turn concepts into action with our free developer tools. Validate payloads, encode values, and test workflows directly in your browser.
Sumit
Full Stack MERN Developer
Building developer tools and SaaS products
Sumit is a Full Stack MERN Developer focused on building reliable developer tools and SaaS products. He designs practical features, writes maintainable code, and prioritizes performance, security, and clear user experience for everyday development workflows.
One-Time Passwords (OTPs) are widely used for authentication, verification, and security workflows. But building a secure OTP system is not just about generating codes—it’s also about managing expiration correctly.
In this guide, you’ll learn how to build a robust OTP expiry system using Unix timestamps. This approach ensures accuracy, prevents timezone bugs, and improves security.
To test timestamps while building your system, use this tool: https://www.mydevtoolhub.com/tools/unix-timestamp-converter
OTP systems must be secure and time-bound.
Without proper expiry:
Unix timestamps are ideal because:
The logic is simple:
if (currentTimestamp > expiryTimestamp) {
console.log("OTP Expired");
}
function generateOTP() {
return Math.floor(100000 + Math.random() * 900000);
}
const now = Math.floor(Date.now() / 1000);
const expiry = now + (5 * 60);
{
email: "user@example.com",
otp: 123456,
expiresAt: 1700000300
}
function verifyOTP(inputOTP, storedOTP, expiry) {
const now = Math.floor(Date.now() / 1000);
if (now > expiry) {
return "Expired";
}
if (inputOTP !== storedOTP) {
return "Invalid";
}
return "Valid";
}
db.otps.createIndex({ expiresAt: 1 }, { expireAfterSeconds: 0 });
This automatically deletes expired OTPs.
app.post('/send-otp', async (req, res) => {
const otp = generateOTP();
const now = Math.floor(Date.now() / 1000);
await db.collection('otps').insertOne({
email: req.body.email,
otp,
expiresAt: now + 300
});
res.json({ success: true });
});
app.post('/verify-otp', async (req, res) => {
const record = await db.collection('otps').findOne({ email: req.body.email });
if (!record) return res.json({ error: "Not found" });
const result = verifyOTP(req.body.otp, record.otp, record.expiresAt);
res.json({ result });
});
Keep OTP expiry between 2–10 minutes.
Prevent brute force attacks.
Store hashed OTP instead of plain text.
Limit OTP generation requests.
Always use UTC timestamps.
Leads to security risks.
// Correct
Math.floor(Date.now() / 1000)
If OTP expires incorrectly:
Use this tool:
https://www.mydevtoolhub.com/tools/unix-timestamp-converter
Combine OTP with additional security layers.
Send OTP via third-party services.
Notify users when OTP expires.
Using Unix timestamps:
Typically 2–5 minutes.
No, it should expire after use.
Yes, for backend logic.
Yes, using TTL indexes.
Building a secure OTP system requires careful handling of time. Unix timestamps provide a reliable, scalable, and bug-free way to manage OTP expiry.
By following this guide, you can build a production-ready OTP system that is both secure and efficient.
For quick timestamp conversions and debugging, use:
https://www.mydevtoolhub.com/tools/unix-timestamp-converter
Start implementing secure OTP workflows in your applications today.
Learn how to build a scalable form builder SaaS using Google Sheets and MongoDB. A complete developer-focused guide with real examples.
Automate AI content to PDF conversion using Zapier and webhooks. Build powerful no-code workflows for reports, emails, and documents.
Discover how to use a free AI Content to PDF converter to turn text into professional documents instantly. Perfect for students, bloggers, and developers.