Load Testing OTP Endpoints with k6 / Locust

Load-testing the OTP path matters for sale-day events, IPL ticketing apps, and fintech bursts. The trick is to drive realistic load without paying for real SMS.

Why Load Test OTP

• Sale-day spikes can be 50× normal.
• Validate per-phone rate limit.
• Validate fail-over behaviour.
• Confirm DB indexes hold.

Use Sandbox Mode

Provider sandbox modes accept arbitrary requests and return success without SMS dispatch. See your provider’s sandbox docs.

k6 Script

// k6.js
import http from 'k6/http';
import { check } from 'k6';
export const options = { vus: 200, duration: '5m' };
const phones = open('./phones.csv').split('\n');

export default function () {
  const phone = phones[Math.floor(Math.random() * phones.length)];
  const r = http.post('https://stg.your-app.com/auth/send-otp',
    JSON.stringify({ phoneNumber: phone }),
    { headers: { 'Content-Type': 'application/json' }});
  check(r, { 'status 200': (r) => r.status === 200 });
}

Locust Script

# locust.py
from locust import HttpUser, task, between
class OtpUser(HttpUser):
    wait_time = between(1, 3)
    @task
    def send_otp(self):
        self.client.post("/auth/send-otp", json={"phoneNumber": "+919876543210"})

Metrics That Matter

• P95 send latency under load.
• Error rate at peak.
• Per-phone rate-limit hit rate.
• Database CPU and connection pool saturation.

FAQ

For test patterns more broadly see our staging guide.