OneCode Login

By oaron
Simple and secure passwordless login using email verification codes. No passwords to remember, just enter your email and verify with a 6-digit code.
Ratings: 5
Version: 1.1
Active installations: 20
Last updated: Jun 3, 2026

OneCode Login provides a modern, passwordless authentication experience for your WordPress site. Instead of traditional passwords, users receive a secure 6-digit verification code via email.

Key Features

  • Passwordless Authentication – Users log in with just their email address
  • 6-Digit Verification Codes – Secure, time-limited codes sent via email
  • Rate Limiting – Built-in protection against brute force attacks
  • Request ID Binding – Each code is bound to a specific login session for enhanced security
  • Neutral Feedback – Prevents user enumeration attacks by not revealing if an email exists
  • Customizable – Configure expiry times, cooldowns, and email templates
  • Accessible – Full keyboard navigation and screen reader support
  • Gutenberg Block – Easy to add login forms to any page
  • Shortcode Support – Use [onecode_login] anywhere
  • wp-login.php Integration – Optionally replace the default WordPress login
  • Developer API – Other plugins can use OneCode Login as an email one-time-code (OTP) service to verify a visitor’s email — see the Developer information section

Security Features

  • Cryptographically secure code generation
  • Codes and magic-link tokens are stored HMAC-hashed, never in plain text
  • Configurable code expiry (default: 10 minutes)
  • Resend cooldown to prevent spam
  • IP-based and email-based rate limiting
  • Automatic lockout after failed attempts
  • Codes are single-use and invalidated after successful login
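
How the storage and verification properties listed above fit together, as an added PHP illustration that is not OneCode Login's own code. The key handling, the record layout and the 5-attempt limit are assumptions; the 600-second expiry is the default stated above.

```php
<?php
// Added illustration, not OneCode Login's source. Key handling, record layout and the
// attempt limit are assumptions; 600 seconds is the default expiry the page states.
const OTP_TTL_SECONDS  = 600;
const OTP_MAX_ATTEMPTS = 5;

function otp_digest( string $key, string $request_id, string $code ): string {
    // Binding the request ID into the MAC makes a code useless for any other login session.
    return hash_hmac( 'sha256', $request_id . '|' . $code, $key );
}

function otp_issue( string $key, int $now ): array {
    $request_id = bin2hex( random_bytes( 16 ) );
    // random_int() draws from the OS CSPRNG; zero-pad so every code has 6 digits.
    $code   = str_pad( (string) random_int( 0, 999999 ), 6, '0', STR_PAD_LEFT );
    $record = array(
        'request_id' => $request_id,
        'digest'     => otp_digest( $key, $request_id, $code ), // only the HMAC is stored
        'expires_at' => $now + OTP_TTL_SECONDS,
        'attempts'   => 0,
        'used'       => false,
    );
    return array( $record, $code ); // $code goes into the email and nowhere else
}

function otp_check( array &$record, string $key, string $request_id, string $code, int $now ): bool {
    if ( $record['used'] || $now >= $record['expires_at'] || $record['attempts'] >= OTP_MAX_ATTEMPTS ) {
        return false; // spent, expired or locked out
    }
    $record['attempts']++; // count before comparing so a failed guess always costs an attempt
    $ok = hash_equals( $record['request_id'], $request_id )
        && hash_equals( $record['digest'], otp_digest( $key, $request_id, $code ) );
    $record['used'] = $ok; // single use: a verified code is invalidated immediately
    return $ok;
}

// Constructed walk-through with a throwaway key.
$key = random_bytes( 32 );
list( $record, $code ) = otp_issue( $key, time() );
var_dump( otp_check( $record, $key, 'another-request', $code, time() ) );     // code replayed under a different request ID
var_dump( otp_check( $record, $key, $record['request_id'], $code, time() ) ); // code presented in its own session
var_dump( otp_check( $record, $key, $record['request_id'], $code, time() ) ); // same code presented a second time
```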

Use Cases

  • Membership sites where password fatigue is an issue
  • Customer portals requiring simple authentication
  • Internal tools where security without complexity is needed
  • Any site wanting to improve user experience

Developer information

Other plugins on the same site can use OneCode Login as a generic email one-time-code (OTP) service — for example to verify a guest’s email before letting them act. OneCode emails the code and verifies it; your plugin keeps full control of its own login/session (OneCode only asserts that the code is valid for the email — it never logs anyone in). It works for any email address; the address does not need a WordPress account.

All entry points are plain functions (and matching filters), so you do not need a hard dependency on any class. The API is gated by the Settings → Advanced → Enable developer API toggle.

Detect support (side-effect free — never call the request hook just to probe):

    if ( function_exists( 'onecode_login_request_otp' ) && onecode_login_supports( 'otp' ) ) { ... }

  1. Start authentication — email a code and receive a handle:

    $handle = onecode_login_request_otp( $email, array( 'consumer' => 'my_plugin' ) );
    // $handle = array( 'request_id', 'auth_secret', 'expires_in' (seconds), 'expires_at' (UTC), 'sent' )
    // On failure: a WP_Error (codes: disabled, invalid_request, rate_limited, cooldown).

Keep request_id and auth_secret server-side (e.g. in a transient tied to the visitor). The auth_secret is NEVER shown to the customer — it is what stops an outsider who only knows the email from completing verification by guessing codes.

  2. Complete authentication — the customer gives your plugin the code from the email:

    $result = onecode_login_verify_otp( array(
        'email'       => $email,
        'request_id'  => $handle['request_id'],
        'code'        => $code_from_customer,
        'auth_secret' => $handle['auth_secret'],
        'consumer'    => 'my_plugin',
    ) );
    // Success: array( 'valid' => true, 'email' => … ). Failure: WP_Error.

On failure show a generic message to the user (the API intentionally returns a single verify_failed code so it can’t be used as an oracle).
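
The two steps above wired into one integration, as an added example that does not ship with OneCode Login. The `my_plugin_*` function names, the transient key scheme, the `$visitor_token` parameter and the error messages are assumptions; only the `onecode_login_*` calls and their documented fields come from this page.

```php
<?php
// Added example, not shipped with OneCode Login. The my_plugin_* names, the transient key
// scheme and the $visitor_token parameter are assumptions of this sketch.
function my_plugin_otp_key( $visitor_token ) {
    // $visitor_token: an opaque per-visitor value your plugin already has (e.g. its session ID).
    return 'my_plugin_otp_' . hash( 'sha256', $visitor_token );
}

function my_plugin_start_email_check( $visitor_token, $email ) {
    if ( ! function_exists( 'onecode_login_request_otp' ) || ! onecode_login_supports( 'otp' ) ) {
        return new WP_Error( 'my_plugin_otp_unavailable', 'Email verification is not available.' );
    }
    $handle = onecode_login_request_otp( $email, array( 'consumer' => 'my_plugin' ) );
    if ( is_wp_error( $handle ) ) {
        return $handle; // disabled, invalid_request, rate_limited or cooldown
    }
    // request_id and auth_secret stay on the server; the browser only ever sees the code form.
    set_transient(
        my_plugin_otp_key( $visitor_token ),
        array(
            'email'       => $email,
            'request_id'  => $handle['request_id'],
            'auth_secret' => $handle['auth_secret'],
        ),
        (int) $handle['expires_in']
    );
    return true;
}

function my_plugin_finish_email_check( $visitor_token, $code ) {
    $generic = new WP_Error( 'my_plugin_verify_failed', 'The code could not be verified.' );
    $pending = get_transient( my_plugin_otp_key( $visitor_token ) );
    if ( ! is_array( $pending ) ) {
        return $generic; // nothing pending or handle expired: same message as a wrong code
    }
    $result = onecode_login_verify_otp( array(
        'email'       => $pending['email'], // the address the code was sent to, not fresh user input
        'request_id'  => $pending['request_id'],
        'code'        => $code,
        'auth_secret' => $pending['auth_secret'],
        'consumer'    => 'my_plugin',
    ) );
    if ( is_wp_error( $result ) ) {
        // Surface throttling errors as documented; collapse everything else into one message.
        return in_array( $result->get_error_code(), array( 'rate_limited', 'cooldown' ), true ) ? $result : $generic;
    }
    delete_transient( my_plugin_otp_key( $visitor_token ) );
    return $result['email']; // verified address; your plugin creates its own session from here
}
```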

Filters are also available for loose coupling: onecode_login_request_otp ($pre, $email, $args) and onecode_login_verify_otp ($pre, $args).

Discovery and capabilities:

  • onecode_login_supports( $feature ) — returns true for 'otp', 'identity_assertion' and 'any_email'.
  • onecode_login_api() — returns the OneCode_Login_API service instance.
  • OneCode_Login_API::VERSION — the API contract version (independent of the plugin version), so you can feature-gate against the API surface.
  • do_action( 'onecode_login_api_init', $api ) — fires once the API is ready; bind to it if you want to wire up as soon as OneCode Login loads.

Reference: $args['consumer'] (a short [a-z0-9_-] label identifying your integration) is required on both calls — it isolates your codes and rate limits from the built-in login and from other consumers. Both request and verify are rate-limited by OneCode, returning rate_limited / cooldown WP_Errors you can surface to the user.

Tested up to: WordPress 7.0