UIDAI Aadhaar OTP Rules for Indian Apps

How UIDAI Aadhaar OTP works for Indian apps: KUA / Sub-AUA licensing, virtual ID flow, purpose limitation, allowed use-cases, and DPDP Act overlap.

6 May 2026 · 8 min read

StartMessaging Team

Engineering

Aadhaar OTP is the UIDAI-issued one-time password used for identity verification. It is structurally separate from your application OTP. This guide explains how it works and how to integrate it correctly.

Overview

  • Aadhaar OTP issued by UIDAI infrastructure.
  • Requires KUA or Sub-AUA license.
  • Used for KYC, eSign, e-NACH consent.
  • Distinct from your app’s SMS OTP layer.

KUA / Sub-AUA Licensing

  • KUA — KYC User Agency, direct UIDAI licensee.
  • Sub-AUA — operates under a parent AUA.
  • Most fintechs use a Sub-AUA arrangement via a regulated AUA.

Aadhaar OTP Flow

  1. User enters Aadhaar number or VID in your app.
  2. Backend calls UIDAI /otp/generate via your AUA gateway.
  3. UIDAI dispatches OTP to the registered mobile.
  4. User enters OTP; backend calls UIDAI /auth with OTP.
  5. UIDAI returns verified KYC data.

Virtual ID and Masking

UIDAI requires the use of a Virtual ID (VID) for most use cases, so that apps avoid storing the raw Aadhaar number. A masked Aadhaar shows only the last four digits and is meant for display.
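
Added example (not from the original article or from UIDAI): one way to keep raw identifiers out of screens and logs is to classify what the user typed and mask it to the last four digits. It assumes 12-digit Aadhaar numbers and 16-digit VIDs that end in a Verhoeff check digit; masking VIDs as well is a choice made here, all function names are hypothetical, and the sample values are constructed.

```python
import re
from typing import Optional

# Verhoeff multiplication (_D), permutation (_P) and inverse (_INV) tables.
_D = ("0123456789", "1234067895", "2340178956", "3401289567", "4012395678",
      "5987604321", "6598710432", "7659821043", "8765932104", "9876543210")
_P = ("0123456789", "1576283094", "5803796142", "8916043527",
      "9453126870", "4286573901", "2793806415", "7046913258")
_INV = "0432156789"
# 12 digits (Aadhaar) or 16 digits (VID), optionally grouped in fours.
_CANDIDATE = re.compile(r"(?<!\d)\d{4}(?:[ -]?\d{4}){2,3}(?!\d)")


def _checksum(digits: str) -> int:
    """Verhoeff over the digits, rightmost first; 0 means the check digit is valid."""
    c = 0
    for i, ch in enumerate(reversed(digits)):
        c = int(_D[c][int(_P[i % 8][int(ch)])])
    return c


def with_check_digit(payload: str) -> str:
    """Append a Verhoeff check digit; used only to build constructed sample values."""
    return payload + _INV[_checksum(payload + "0")]


def classify(value: str) -> Optional[str]:
    """Return 'aadhaar', 'vid', or None for anything that fails length or checksum."""
    digits = re.sub(r"[ -]", "", value)
    if not digits.isdigit() or _checksum(digits) != 0:
        return None
    return {12: "aadhaar", 16: "vid"}.get(len(digits))


def mask(value: str) -> str:
    """Keep only the last four digits, as in the masked-Aadhaar display format."""
    digits = re.sub(r"[ -]", "", value)
    return "X" * (len(digits) - 4) + digits[-4:]


def redact(line: str) -> str:
    """Mask checksum-valid identifiers in a log line; leave other numbers untouched."""
    return _CANDIDATE.sub(
        lambda m: mask(m.group()) if classify(m.group()) else m.group(), line)


if __name__ == "__main__":
    sample = with_check_digit("23456789012")  # constructed, not a real Aadhaar number
    print(redact(f"otp requested id={sample[:4]} {sample[4:8]} {sample[8:]}"))
    print(redact("order 100000000000 shipped"))  # printed unchanged if checksum fails
```

Checking the checksum before masking keeps the redactor from rewriting unrelated 12-digit values such as order or transaction numbers.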

Permitted Use Cases

  • KYC for regulated entities.
  • e-Sign of legal documents.
  • e-NACH consent.
  • Specific government-service flows.

DPDP Crossover

The DPDP Act 2023 places additional purpose-limitation and retention obligations on Aadhaar data. See the DPDP / OTP guide.

FAQ

For the application-side phone-OTP layer (separate from Aadhaar OTP), StartMessaging provides a clean, DLT-free integration that complements your KUA / Sub-AUA setup.
