Frequently Asked Questions

Install OTP Guard from the Shopify App Store by clicking "Add app". Shopify will prompt you to approve the required permissions (read orders, cancel orders, contact customers). Once approved, OTP Guard is active immediately — no additional configuration required to start protecting orders.

Under 2 minutes. Install the app, approve permissions, and every new order is automatically protected. You can customise the verification timer and message templates at any time from the Settings page.

No. OTP Guard requires zero code changes to your store. There are no theme edits, no webhooks to configure manually, and no API keys to manage. Everything is handled automatically after installation.

Yes. OTP Guard works on every Shopify plan — Basic, Shopify, Advanced, and Plus. Verification happens after the order is placed (post-order flow) on all plans. There is no impact on checkout.

Within seconds of an order being created, OTP Guard automatically sends a 6-digit verification code to the phone number on the shipping address. The customer receives a link in the SMS. Clicking the link opens a verification page hosted under your store's domain where they enter the code.

On the default template it reads: "Your OTP for order #1234 from [Your Store Name] is 391827. Verify here: https://your-store.myshopify.com/apps/otp-verify?token=…. Valid for 15 minutes." Pro plan merchants can fully customise this message.

After the configured timer expires (default: 15 minutes), the order is automatically cancelled. The customer receives a cancellation SMS explaining why. The order is refunded to the original payment method, restocked, and tagged "otp-cancelled" in your Shopify admin. No manual action required.

The order is tagged "otp-verified" in your Shopify admin and a note is added to the order record. The customer receives a success confirmation SMS. The order then proceeds through your normal fulfilment workflow.

Yes. From the verification page, customers can request a new code up to 3 times. After 5 failed attempts, the verification token is locked and the order will be automatically cancelled at timer expiry.

If no phone number is present in the shipping address or customer profile, OTP Guard skips that order silently — no OTP is sent and the order proceeds normally. We log a note internally for your reference.

The Starter plan includes 50 OTPs per month, SMS delivery, a fixed 15-minute verification timer, and access to the merchant dashboard. It's completely free — no credit card required.

New orders will be processed without OTP verification until the next billing cycle resets your usage. Your existing settings are preserved and verification resumes automatically at the start of the next month. You'll see a warning banner on your dashboard before you hit the limit.

No. All paid plans are billed immediately when you upgrade. You can downgrade to the free Starter plan at any time.

Yes. You can change plans at any time from the Billing page in your dashboard. Upgrades take effect immediately. Downgrades take effect at the start of your next billing cycle. Shopify handles prorated billing automatically.

Usage resets on the 1st of each calendar month (UTC). For example, if you install on March 15, your first billing period runs from March 1 to March 31. Usage history is visible in your dashboard.

Yes. OTP Guard uses only Shopify's webhook system — it does not modify your theme files, inject JavaScript, or alter your storefront in any way. It's fully compatible with any Shopify theme including custom and headless storefronts.

No. Checkout is completely unaffected. OTP Guard triggers after the order is placed, so customers complete checkout at normal speed. Verification happens in a separate step via SMS.

Yes. We support international SMS delivery worldwide. Numbers must be in E.164 format (starting with a country code, e.g. +44 for UK). Shopify collects phone numbers in this format by default.

OTP Guard requires: read_orders (to receive webhook events), write_orders (to cancel unverified orders, add tags and notes), and read_customers (to access customer phone numbers). We request only the minimum permissions needed.

Yes. There's a global on/off toggle on the Settings page. When disabled, all new orders skip OTP verification and are processed normally. Previously pending verifications are unaffected.

We store the customer's phone number (from the order), a bcrypt hash of the OTP (never the raw code), the verification status and timestamps, and the Shopify Order ID. We do not store payment details, email addresses, or any other customer information.

Yes. We process GDPR data requests forwarded by Shopify. Customer data can be deleted on request. OTP records are automatically purged after 90 days. We never sell or share customer data with third parties. See our Privacy Policy for full details.

Yes. OTP codes are hashed using bcrypt before being stored in the database. The raw code is never persisted — even we cannot read it. Verification tokens are single-use UUIDs that expire automatically when the timer runs out.

When you uninstall OTP Guard, we receive an uninstall webhook from Shopify and delete your session data immediately. All remaining shop data (settings, OTP records, usage history) is deleted within 48 hours of uninstallation.