
I have a mechanism to generate and verify OTPs in my mobile app backend and I'm not sure what the best way to design the API structure is. Should the OTP generation, OTP verification, and the actual action API (for example: process payment) each be standalone APIs, or is there a best-practice approach? Here's my thought process.

Option 1: All 3 actions are standalone APIs:

Pros:

  • Separation of concerns

Cons:

  • More API calls
  • If somebody somehow gets hold of my backend APIs, they could bypass the OTP verification process altogether and perform the action

Option 2: Generation is a standalone API and the OTP gets passed in the headers of the action API, where the OTP verification will happen

Pros:

  • OTP verification can't be bypassed
  • Fewer API calls

Cons:

  • One API is handling more than one responsibility

Which one is correct, if any? Is there a third option? What is the best way to use OTP verification in APIs?

mahmoudmh

0 Answers
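An added example (not from the question or any answer) of the Option 2 pattern described above: the OTP is bound to one user and one action, and the action endpoint itself consumes it, so the action cannot run without a valid code and a code issued for one action cannot be replayed on another. The names OtpStore, process_payment and the X-OTP header, the 5-minute lifetime and the 3-attempt cap are assumptions for illustration.

```python
import hmac
import secrets
import time
from dataclasses import dataclass

OTP_TTL_SECONDS = 300   # assumed lifetime of an issued code
MAX_ATTEMPTS = 3        # assumed cap on guesses per issued code


@dataclass
class OtpRecord:
    code: str
    expires_at: float
    attempts: int = 0


class OtpStore:
    """In-memory stand-in (hypothetical) for the backend's OTP storage."""

    def __init__(self):
        self._records = {}  # (user_id, action) -> OtpRecord: code is bound to one action

    def generate(self, user_id, action, now=None):
        now = time.time() if now is None else now
        code = f"{secrets.randbelow(10**6):06d}"
        self._records[(user_id, action)] = OtpRecord(code, now + OTP_TTL_SECONDS)
        return code  # delivered out of band (SMS/email), never in the API response

    def consume(self, user_id, action, presented, now=None):
        """True once per valid code; expired, wrong, over-tried or reused codes fail."""
        now = time.time() if now is None else now
        rec = self._records.get((user_id, action))
        if rec is None:
            return False
        rec.attempts += 1
        if now > rec.expires_at or rec.attempts > MAX_ATTEMPTS:
            del self._records[(user_id, action)]  # burn the code, force re-issue
            return False
        if not hmac.compare_digest(rec.code.encode(), presented.encode()):
            return False  # constant-time compare; wrong guess counts as an attempt
        del self._records[(user_id, action)]  # single use
        return True


def process_payment(store, user_id, headers, amount, now=None):
    """Option 2 handler: the OTP check lives inside the action endpoint itself."""
    otp = headers.get("X-OTP")
    if not isinstance(otp, str) or not store.consume(user_id, "process_payment", otp, now):
        return {"status": 403, "error": "otp_required_or_invalid"}
    return {"status": 200, "paid": amount}
```

The same consume() call placed at the top of every sensitive action handler is what prevents the Option 1 bypass the question worries about: there is no separate "verified" state for a caller to skip.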