The default validity period for OTP (one-time code) sent via email in Ory is typically 15 minutes, but this duration is configurable. You can set the lifespan of the code in your Ory Identities configuration under the relevant flow (such as login, registration, recovery, or verification). For example, in the configuration, you can specify:

yaml selfservice:   methods:     code:       enabled: true       config:         lifespan: 15m # Defines how long the code is valid for. Default: 1h.

You can adjust the

lifespan

value to your preferred duration (e.g.,

15m

for 15 minutes). This setting applies to flows like account recovery, verification, and passwordless login, and can be managed via the Ory Console or CLI as described in the documentation [Account recovery and password reset](https://www.ory.sh/docs/kratos/self-service/flows/account-recovery-password-reset#configuration) and [Address verification](https://www.ory.sh/docs/kratos/self-service/flows/verify-email-account-activation). So, yes, the OTP validity period is configurable in Ory.

The OTP (one-time code) sent via email by Ory is a 6-digit code. The documentation states: > When using one-time codes to verify a user's address, Ory Identities sends an email with a 6-digit code to the user. They must enter the code in a dedicated UI text field to verify their address. [Choosing the right strategy](https://www.ory.sh/docs/kratos/self-service/flows/verify-email-account-activation#choosing-the-right-strategy) However, the knowledge sources do not mention any configuration option to change the length or character set of the OTP. It appears that the 6-digit format is fixed and not configurable according to the available documentation.