TBC App/Web - OTP Module

TBC App/Web - OTP Module

SKU: TBC-APP-OTP-MOD

Stop fake signups. Force every new member to verify their phone number via SMS before their account is created.

$50.00
Buy Now

Stop fake signups. Force every new member to verify their phone number with a Twilio SMS code before their account is created.

TBC OTP adds a Twilio-powered phone verification step to your Fluent Community registration flow. New users punch in their phone number, receive a one-time SMS code, and only after the code is confirmed does the WordPress account actually get created. Bots and disposable emails get filtered out at the door — and you get a real phone number on every account.

Works identically on the web (as a modal injected into Fluent Community’s native registration page) and inside the TBC Community App on iOS and Android (as a native pre-creation step in the onboarding flow). One purchase, both surfaces covered, same Twilio Verify service powering both.

What It Does

  • Phone OTP on registration — SMS code required before the WP user account is ever created (pre-creation, not post)
  • Twilio Verify integration — Uses Twilio’s managed Verify service, so you inherit rate limiting, fraud protection, country-level controls, and delivery analytics for free. No raw SMS messaging, no separate phone number to buy.
  • Voice call fallback (optional) — Toggle a “Try voice call” option for users who don’t receive SMS — Twilio dictates the code over the phone instead
  • Email 2FA (optional) — Alternate email-code flow for regions where SMS is unreliable
  • Duplicate phone restriction (optional) — Block the same phone number from being reused across multiple accounts
  • Blocked numbers list — Reject specific numbers (one per line, E.164 format) — useful for known abusers or VOIP ranges

Web Experience (Fluent Community Portal)

  • Drop-in OTP modal injected directly onto Fluent Community’s auth/registration page — no theme edits, no shortcodes, no separate page
  • Hooks FC’s own AJAX registration endpoint at priority 6, before FC processes the form, so the OTP gate runs before user creation
  • Resend code, voice fallback button, error states, and rate-limit messages all built in
  • FC native email-2FA suppression — automatically turned off when phone OTP is active. Phone already proves identity, no need to make the user verify twice.

Mobile App Experience

  • Native registration step inside the TBC Community App — full-screen, branded, not an in-app browser
  • Pre-creation phase — runs before the WP account is created so failed verification leaves no orphaned accounts
  • Shared verification pipeline — same Twilio Verify session keys flow between mobile and the WP backend
  • Capability advertised via tbc_ca_registration_config — the mobile app knows whether to render the OTP step on this site automatically
  • Voice fallback and resend wired up natively — no webview shims

Theming

  • Web modal inherits Fluent Community’s CSS variables — seamless visual match
  • Native step inherits the TBC Community App theme — same accent colors, typography, and dark mode as the rest of your app
  • Automatic light and dark mode on both web and mobile, following the user’s chosen theme

Admin & Configuration

  • Settings page nested under the TBC Community App WordPress menu
  • Twilio credentials — Account SID, Auth Token, and Verify Service SID fields with a direct link to the Twilio console
  • Master toggle for registration OTP, plus independent toggles for voice fallback, email 2FA, and duplicate-phone prevention
  • One-click phone field setup — automatically enables Fluent Community’s Custom Profile Fields, creates a Phone field, and wires it up to OTP. No manual field creation required.
  • Phone field picker — or select an existing FC custom field if you already have one
  • Blocked numbers textarea (E.164 format, one per line)
  • Direct link to Twilio Verify logs from the settings page for delivery troubleshooting
  • Data cleanup on uninstall option — fully removes Twilio credentials, settings, and in-flight session transients when disabled

How It Works Under the Hood

  • Hooks tbc_ca_pre_register to intercept registration in the mobile app, and wp_ajax_nopriv_fcom_user_registration (priority 6) to intercept it on the web — both before the WP user is created
  • Issues a Twilio Verify session, returns a session key + otp_required: true to the client
  • Client shows the OTP step (modal on web, native step on mobile), user enters code, code is verified against Twilio’s API
  • On success, the original registration payload is replayed and the WP account is created
  • On failure, no user is created — the registration form just shows the error
  • Phone numbers are stored in Fluent Community’s native custom profile fields, not a forked data store
  • Verification sessions live in WP transients with TTL — no database bloat, auto-cleared on plugin deactivation

Clean & Safe

  • Doesn’t modify Fluent Community’s core data — phone numbers save through FC’s native custom profile fields
  • Disabling the module skips the OTP step instantly with zero cleanup needed
  • Optional full uninstall cleanup — Twilio credentials, settings, and session transients all removed on deletion if enabled
  • Twilio credentials stored with autoload=no so they’re not loaded on every page request — only fetched during OTP flows

Requirements

  • WordPress 5.8+
  • PHP 7.4+
  • Fluent Community (free or Pro — Pro required only for the one-click phone field setup, since custom profile fields are a Pro feature)
  • TBC Community App core companion plugin (tbc-community-app)
  • Twilio account with a Verify service (free tier includes credits to start — pay per verification after that, pricing varies by destination country)
  • Optional: TBC Community App (iOS/Android) for the native mobile step — the web modal works on its own

Installation & Updates

Two parts, both zero-code:

  1. WordPress plugin — Upload tbc-otp.zip via Plugins → Add New → Upload. Activate. Configure under TBC Community App → OTP. Paste your Twilio Account SID, Auth Token, and Verify Service SID, then run the one-click phone field setup.
  2. Mobile module — Open the TBC Community App setup dashboard (npm run dashboard), go to the Updates tab, click Import Module, and upload the module .zip. The dashboard auto-registers and enables it. Rebuild or push an OTA update to your users.

Automatic update checks. The dashboard checks for new versions of every installed module and shows an “Update available: vX.Y.Z” banner with the changelog. One click installs the update.

License

License

One-time purchase. You own it forever — no subscriptions, no renewals. Includes all future updates and support for as long as the plugin is maintained.

One license per site. Your license key activates on a single WordPress install. Need to move it? Deactivate from the License tab on your current site, then activate on the new one — no support ticket required.

Server-outage protection. If twobirdscode.com is ever unreachable, the plugin keeps running for 14 days from its last successful license check, so an outage on our end never disrupts your live site.