Validate a one-time password POST
Validate an OTP received by the customer. The purpose field must match the purpose used when generating the OTP.
OTPs have a limited validity period (typically 5 minutes). An expired OTP returns error code Y101; an incorrect OTP returns error code Y103. After 3 failed attempts the OTP is invalidated and a new one must be generated, so a client should stop retrying on Y103 and request a fresh OTP rather than loop on the validate call.

Authorization
BearerAuth (in: header): JWT Bearer token obtained from the /auth/login endpoint
TenantHeader (in: header): Tenant identifier provided by M2P (e.g. ENBDTABBY)

Request Body (application/json)
mobile: Customer mobile number that the OTP was sent to
otp: OTP entered by the customer
purpose: Must match the value used in the generate OTP call. One of "SET_PIN" | "TRANSACTION" | "LOGIN" | "CARD_BLOCK"

Example request (the Authorization header and the tenant header described above are required; the tenant header's name is not given on this page):

curl -X POST "https://api.m2p.com/Yappay/otp-manager/validate" \
  -H "Content-Type: application/json" \
  -H "Authorization: Bearer $JWT" \
  -d '{ "mobile": "9876543210", "otp": "123456", "purpose": "SET_PIN" }'

Response Body (application/json)

Success:
{
  "status": "success",
  "message": "OTP validated successfully"
}

Error (incorrect OTP):
{
  "result": null,
  "exception": {
    "detailMessage": "Invalid OTP",
    "shortMessage": "Invalid OTP",
    "errorCode": "Y103",
    "languageCode": "en"
  },
  "pagination": null
}

Generate a one-time password POST
Generate and send a one-time password (OTP) to a customer mobile number for verification of secure operations. The OTP is delivered via SMS to the registered mobile number. The purpose field defines what operation the OTP is for and must be repeated unchanged in the validate call: SET_PIN (PIN setting), TRANSACTION (high-value transactions), LOGIN (authentication) and CARD_BLOCK (card blocking confirmation). The kitNo is required for the card-related purposes (SET_PIN, CARD_BLOCK) to identify which card the OTP is associated with. OTPs have a limited validity period (typically 5 minutes) and a maximum of 3 validation attempts, after which a new OTP must be generated. The endpoint is rate limited to prevent abuse.
Set or change the card PIN POST
Set or change the PIN for a customer card. The PIN never travels in cleartext: it must be formatted as an ISO 9564 Format 0 PIN block, encrypted with AES under the pre-shared key provided by M2P, and Base64 encoded before it is sent. Base64 is only a transport encoding; the confidentiality of the PIN rests entirely on the AES step and on keeping the pre-shared key out of client-side code, logs and repositories.
All fields (entityId, pin, kitNo, expiryDate, dob) are explicitly validated by the backend; a missing field returns a specific error code.

PIN Block Creation Process
Step 1: Take the 4-digit clear PIN.
Step 2: Create an ISO 9564 Format 0 PIN block by XOR-ing the plain text PIN field with the account number field (both are 16 four-bit nibbles, i.e. 64 bits).
Step 3: Encrypt the PIN block using AES with the pre-shared key provided by M2P.
Step 4: Base64 encode the encrypted result.
Step 5: Send the encoded value in the pin field.

Plain Text PIN Field Format
Nibble 1 is 0 (format identifier). Nibble 2 is N, the PIN length (typically 4). Nibbles 3 to N+2 are the PIN digits. Nibbles N+3 to 16 are filled with F (hex).
Example for PIN 1234: 0 4 1 2 3 4 F F F F F F F F F F (hex string 041234FFFFFFFFFF)

Account Number Field Format
Nibbles 1-4 are 0000. Nibbles 5-16 are the rightmost 12 digits of the PAN, excluding the check digit.

Kit Number Padding
The kit number must be exactly 16 digits for PIN block generation. If it is shorter, prepend zeros: a 9-digit kit 130005054 becomes 0000000130005054.

Caveat: an ISO 9564 Format 0 PIN block is 64 bits, while AES operates on 128-bit blocks, so the AES step needs a padding rule, mode of operation and key length that this page does not specify. Use the convention agreed with M2P and confirm it against a known test value before going live; a mismatch produces a value the backend cannot decrypt to the intended PIN.

The PIN can be changed by calling this API again with the new encrypted PIN. The DOB must match the specialDate from the original registration. The expiryDate must be in MMYY format.
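The PIN block procedure above, carried through in Go as an added example (this is not M2P's code and not from this page). It builds the plaintext PIN field and the account number field, XORs them into the 64-bit Format 0 block, then encrypts and Base64-encodes it. It covers both 16-nibble account field forms the page describes, the PAN-derived field (0000 plus the rightmost 12 PAN digits without the check digit) and the zero-padded kit number, and rejects malformed input. The AES step assumes the 8-byte block is zero-padded on the right to one 16-byte AES block and encrypted with a single block operation under a 16-byte key; the page does not state the padding, mode or key length, so those are assumptions to confirm with M2P. The PIN, PAN, kit number and key are constructed sample values.

```go
package main

import (
	"crypto/aes"
	"encoding/base64"
	"encoding/hex"
	"fmt"
	"strings"
)

func isDigits(s string) bool {
	for _, c := range s {
		if c < '0' || c > '9' {
			return false
		}
	}
	return true
}

// PINField builds the 16-nibble Format 0 plaintext PIN field as a hex string:
// nibble 1 = 0 (format), nibble 2 = PIN length (4..C hex), PIN digits, F padding.
func PINField(pin string) (string, error) {
	if !isDigits(pin) || len(pin) < 4 || len(pin) > 12 {
		return "", fmt.Errorf("PIN must be 4 to 12 digits")
	}
	field := fmt.Sprintf("0%X%s", len(pin), pin)
	return field + strings.Repeat("F", 16-len(field)), nil
}

// AccountFieldFromPAN: 0000 + rightmost 12 PAN digits, excluding the check digit.
func AccountFieldFromPAN(pan string) (string, error) {
	if !isDigits(pan) || len(pan) < 13 {
		return "", fmt.Errorf("PAN must be at least 13 digits")
	}
	body := pan[:len(pan)-1] // drop the check digit (last PAN digit)
	return "0000" + body[len(body)-12:], nil
}

// PadKit left-pads a kit number with zeros to the 16 digits the page requires.
func PadKit(kit string) (string, error) {
	if kit == "" || !isDigits(kit) || len(kit) > 16 {
		return "", fmt.Errorf("kit number must be 1 to 16 digits")
	}
	return strings.Repeat("0", 16-len(kit)) + kit, nil
}

// PINBlock XORs PIN field and account field nibble by nibble: the 8-byte Format 0 block.
func PINBlock(pinField, accountField string) ([]byte, error) {
	p, errP := hex.DecodeString(pinField)
	a, errA := hex.DecodeString(accountField)
	if errP != nil || errA != nil || len(p) != 8 || len(a) != 8 {
		return nil, fmt.Errorf("both fields must be exactly 16 hex nibbles")
	}
	block := make([]byte, 8)
	for i := range block {
		block[i] = p[i] ^ a[i]
	}
	return block, nil
}

// EncryptPINBlock AES-encrypts the PIN block and Base64-encodes the ciphertext.
// ASSUMPTION (not stated on the page): the 8-byte block is zero-padded on the right
// to one 16-byte AES block and encrypted as a single block; confirm with M2P.
func EncryptPINBlock(block, key []byte) (string, error) {
	if len(block) != 8 {
		return "", fmt.Errorf("PIN block must be 8 bytes")
	}
	c, err := aes.NewCipher(key) // rejects keys that are not 16, 24 or 32 bytes
	if err != nil {
		return "", err
	}
	in := make([]byte, aes.BlockSize)
	copy(in, block)
	out := make([]byte, aes.BlockSize)
	c.Encrypt(out, in)
	return base64.StdEncoding.EncodeToString(out), nil
}

// EncodedPIN runs the whole procedure; accountField is the 16-nibble value M2P expects.
func EncodedPIN(pin, accountField string, key []byte) (string, error) {
	pf, err := PINField(pin)
	if err != nil {
		return "", err
	}
	block, err := PINBlock(pf, accountField)
	if err != nil {
		return "", err
	}
	return EncryptPINBlock(block, key)
}

func main() {
	key := []byte("0123456789abcdef") // constructed sample key, not a real M2P key
	kit, _ := PadKit("130005054")     // the page's own example -> 0000000130005054
	enc, err := EncodedPIN("1234", kit, key)
	if err != nil {
		panic(err)
	}
	fmt.Println("pin field value:", enc)
}
```

With the page's own values (PIN 1234, kit 130005054) the PIN field is 041234FFFFFFFFFF, the padded kit is 0000000130005054 and the XOR gives the block 041234FECFFFAFAB; only the last step depends on the assumed AES convention, which is why it is isolated in EncryptPINBlock so it can be swapped for whatever M2P actually specifies.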
