Udyam OTP Async - Send OTP

Endpoint Overview

POST /api/v1/udyam-otp/async/send-otp

Description

The Udyam OTP Async Send OTP API initiates an asynchronous One-Time Password (OTP) delivery to a registered Udyam entity's mobile number or email address. This endpoint is designed for businesses and developers who need to verify Udyam registration details as part of their KYC (Know Your Customer) or onboarding workflows.

By providing the Udyam registration number along with a mobile or email contact, the API triggers an OTP dispatch and returns a client_id that can be used to track the verification status asynchronously — either via polling or through a webhook callback, making it ideal for high-throughput and non-blocking verification flows.

Key Benefits

Asynchronous Processing: Non-blocking OTP dispatch with webhook support means your application doesn't need to wait for the OTP delivery to complete before moving on.

Flexible Delivery Channels: Supports OTP delivery via mobile number (default) or email address, giving users flexibility based on their registered contact.

Webhook Integration: Receive real-time status updates via a configurable webhook URL, reducing the need for repeated polling.

Udyam Ecosystem Compliance: Directly integrates with India's official MSME Udyam registration database, ensuring regulatory alignment for KYC and onboarding processes.

Use Cases

Fintech & Lending

Government & Compliance

B2B Marketplaces

Verify MSME borrowers' Udyam registration during loan application onboarding to confirm business legitimacy.

Automate KYC workflows for credit underwriting by validating Udyam registration numbers with OTP-based consent.

Technical Implementation

Authentication

All API requests require authentication using a JWT Bearer token. Authentication follows these steps:

Obtain API Credentials: Register with Surepass to receive your API key.

Generate JWT Token: Use your API key to generate a JWT token.

Include in Requests: Add the token to the Authorization header as Bearer TOKEN.

Different authentication tokens are used for sandbox and production environments:

Sandbox: https://sandbox.surepass.app

Production: https://kyc-api.surepass.app

Request Parameters

Request Headers

Header	Required	Description
`Authorization`	Yes	Bearer token for authentication. Format: `Bearer <JWT_TOKEN>`
`Content-Type`	Yes	Must be set to `application/json`

Request Body

Parameter	Type	Required	Description
`registration_number`	String	Yes	The Udyam registration number of the entity (e.g., `UDYAM-RJ-30-0011111`)
`mobile_number`	String	Yes	The 10-digit mobile number registered with the Udyam entity
`webhook_url`	String	No	A valid HTTPS URL to receive asynchronous OTP delivery status callbacks
`otp_on_email`	Boolean	No	Set to `true` to send OTP to the registered email instead of mobile. Defaults to `false` (OTP sent to mobile)

Example Request

{
    "registration_number": "UDYAM-RJ-30-0011111",
    "mobile_number": "1234567890",
    "webhook_url": "https://webhook.com",
    "otp_on_email": true
}

Process Response

Response Parameters

Parameter	Type	Description
`data`	Object	Contains the result payload of the OTP dispatch request
`data.client_id`	String	A unique identifier for this OTP request, used for tracking status or submitting the OTP in subsequent API calls
`data.status`	String	The current status of the OTP request. Returns `pending` when the request has been accepted and is being processed asynchronously
`status_code`	Integer	HTTP status code of the response (e.g., `200` for success)
`success`	Boolean	Indicates whether the API call was successful (`true`) or not (`false`)
`message`	String	A human-readable message describing the result (e.g., `"Success"`)
`message_code`	String	A machine-readable code corresponding to the message (e.g., `"success"`)

Example Successful Response

{
    "data": {
        "client_id": "udyam_otp_async_bgKqddCbbfhmJGqouVIK",
        "status": "pending"
    },
    "status_code": 200,
    "success": true,
    "message": "Success",
    "message_code": "success"
}

Possible Error Responses

OTP Rate Limit

Unauthorized

Invalid Request

Internal Server Error

{
      "data": null,
      "status_code": 429,
      "success": false,
      "message": "OTP Rate Limit Exceeded. Please Try Again Later",
      "message_code": "udyam_otp_rate_limited"
}

Returned when the JWT Bearer token is missing, expired, or invalid. Ensure you are using the correct token for the target environment (sandbox or production).

Integration Best Practices

Security Recommendations

Never expose JWT tokens client-side: Always make API calls from your backend server to prevent token leakage.

Rotate tokens regularly: Periodically refresh your JWT tokens and revoke any that may have been compromised.

Use environment-specific tokens: Maintain separate JWT tokens for sandbox and production environments; never use production credentials in testing.

Validate webhook payloads: When using the webhook_url parameter, verify the authenticity of incoming webhook calls using signatures or secret tokens to prevent spoofing.

User Experience Guidelines

Communicate OTP channel clearly: Inform users whether the OTP was sent to their mobile or email (based on otp_on_email) so they know where to look.

Handle async delays gracefully: Since the OTP dispatch is asynchronous, show a loading or "OTP sent" state in your UI and avoid letting users retry too quickly. Implement a cooldown timer for resend actions.

Leverage webhooks over polling: Prefer using webhook_url for status updates to reduce unnecessary API calls and provide faster user feedback.

Provide clear error messaging: Map message_code values to user-friendly messages in your application to guide users effectively when errors occur.

Code Samples

cURL

Python

Node.js

Related APIs

Udyam OTP Async - Verify OTP: Submit the OTP received by the user along with the client_id returned by this API to complete the Udyam registration verification process.

Udyam OTP Async - Get Status: Poll the status of an OTP dispatch request using the client_id for scenarios where webhook delivery is not configured.

Udyam Registration Verification: Directly verify Udyam registration details without OTP for use cases where user-initiated consent is not required.

Compliance and Legal Considerations

Data Privacy: The mobile number and Udyam registration number are sensitive personal and business identifiers. Ensure they are transmitted securely over HTTPS and stored in compliance with applicable data protection regulations such as India's Digital Personal Data Protection Act (DPDPA).

Consent Requirements: Before triggering an OTP to a user's mobile or email, ensure you have obtained explicit consent from the individual or business entity in accordance with your legal obligations and platform terms.

MSME Act Compliance: Usage of this API to access Udyam registration data should be in accordance with the MSME Development Act and any guidelines issued by the Ministry of MSME, Government of India.

Rate Limiting: Repeated OTP requests for the same registration number in a short period may be subject to rate limiting. Implement appropriate controls in your application to prevent abuse and comply with Surepass's acceptable use policies.

Provide your bearer token in the

Authorization

header when making requests to protected resources.

Example:

Authorization: Bearer ********************

curl --location --request POST 'https://kyc-api.surepass.app/api/v1/udyam-otp/async/send-otp' \ --header 'Authorization: Bearer <token>' \ --header 'Content-Type: application/json' \ --data-raw '{ "registration_number": "UDYAM-RJ-30-0011111", "mobile_number": "1234567890", "webhook_url": "https://coral-nebula-46.webhook.cool", "otp_on_email": true }'

{ "data": { "client_id": "udyam_otp_async_bgKqddCbbfhmJGqouVIK", "status": "pending" }, "status_code": 200, "success": true, "message": "Success", "message_code": "success" }

Send OTP

Udyam OTP Async - Send OTP#

Description#

Use Cases#

Technical Implementation#

Request Headers#

Request Body#

Example Request#

Response Parameters#

Example Successful Response#

Possible Error Responses#

Integration Best Practices#

Code Samples#

Request

Responses