<@U04UQ68083H> how can i shorten the sms otp valid...
# ory-copilot
r
@chilly-king-10285 How can I shorten the SMS OTP validity time?
c
A message from kapa.ai
You can reduce the SMS OTP validity by lowering the code lifespan in your identity configuration. Set the `selfservice.methods.code.config.lifespan` value (e.g., `5m`) and update your project config. Example (`identity-config.yaml`):

```yaml
selfservice:
  methods:
    code:
      enabled: true
      config:
        lifespan: 5m
```

This lifespan controls how long one-time codes (including SMS) are valid before expiring. Apply the change via Ory Console or CLI as shown in the verification/recovery flow docs (both reference the same code method lifespan setting) ([Address verification](https://www.ory.sh/docs/kratos/self-service/flows/verify-email-account-activation#configuration), [Account recovery](https://www.ory.sh/docs/kratos/self-service/flows/account-recovery-password-reset#configuration)).
r
@chilly-king-10285 I received this error message: "The request was submitted too often. Please request another code." What does it mean?
c
A message from kapa.ai
It indicates you’ve hit a rate/attempt limit for requesting or submitting one-time codes. Ory enforces endpoint-based rate limits to protect against abuse like brute-force or credential stuffing; when you exceed these limits, further code requests are temporarily blocked and you see this message (Understand Ory Network rate limiting → Endpoint based rate limits). For Ory Network, there are also plan-based project rate limits that can contribute to this behavior (Project rate limits in workspaces). If you repeatedly submit wrong codes within a flow, the flow can also fail once the maximum code submissions limit is reached; this limit is configurable (Code submissions limit).

- Endpoint-based protection and temporary blocking (Endpoint based rate limits).
- Workspace/plan project limits may apply (Rate limit tables by subscription plan).
- Per-flow wrong-code submission cap is configurable via `max_submissions` (Code submissions limit).

If you need higher thresholds or exceptions, Growth/Enterprise plans can whitelist internal IPs via support (Endpoint based rate limits).

(References: [Endpoint based rate limits](https://www.ory.sh/docs/guides/rate-limits#endpoint-based-rate-limits), [Project rate limits in workspaces](https://www.ory.sh/docs/guides/rate-limits#rate-limit-tables-by-subscription-plan), [Code submissions limit](https://www.ory.sh/docs/identities/sign-in/code-submission-limit))
r
@chilly-king-10285 please help to explain this in selfhosted context
c
A message from kapa.ai
In self-hosted Kratos, that message means you’ve triggered local protections around code requests/submissions rather than Ory Network’s platform limits.

- Code submission attempts: If too many wrong codes are submitted in a flow, Kratos fails the flow. You can lower/raise this cap with `selfservice.methods.code.max_submissions` (default 5). Hitting this limit will surface errors like “submitted too often” until a new flow is started or the limit window resets (Code submissions limit). ([Code submissions limit](https://www.ory.sh/docs/identities/sign-in/code-submission-limit))
- Endpoint/bot protections: Unlike Ory Network, self-hosted Kratos does not include managed endpoint-based rate limiting or bot management. You must implement rate limiting and WAF/bot defenses (e.g., at your reverse proxy, CDN, or firewall). Ory recommends using a WAF for throttling/lockouts and similar controls when self-hosting (Threat models and security profiles). ([Threat models and security profiles](https://www.ory.sh/docs/kratos/concepts/security))
- Mail/SMS sending cadence: If you’re re-requesting codes frequently, ensure your courier runs reliably and consider your retry policy. The courier’s `message_retries` controls delivery retries (email/SMS) but is not a user-facing rate limit. Still, repeated requests can look like “too often” from a UX perspective if users spam the button while a previous code is still valid. ([Mail courier in self-hosted Kratos](https://www.ory.sh/docs/kratos/self-hosted/mail-courier-selfhosted))

What you can change self-hosted:

- Adjust the max wrong-code submissions:

  ```yaml
  selfservice:
    methods:
      code:
        max_submissions: 3
  ```

  Apply via your Kratos config reload/redeploy ([Code submissions limit](https://www.ory.sh/docs/identities/sign-in/code-submission-limit)).

What you need to add externally:

- Implement rate limiting/throttling and optional account lockouts at your edge/WAF or proxy if you need “too many requests” controls for requesting codes (Threat models and security profiles). ([Threat models and security profiles](https://www.ory.sh/docs/kratos/concepts/security))