I have implemented OTP generation in Xano (a 6-digit number) based on the email address and the user having an existing account, which sends the OTP via email.
I have a general musing about verifying the OTP when redirecting the user, upon success, to an OTP verification page. Is it considered "acceptable" to redirect with the email as a query param to use in the verification POST along with the OTP sent via email (given the page is HTTPS), or should I also create some kind of token hash as a query param instead of the email to verify the record along with the OTP sent via email?
If I decided to just do the verification on the same page, I could forgo the query param, as the email is already saved as a variable when making the initial call for the token, but I'm redirecting to a verification page for the OTP.
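
The token-instead-of-email variant described in the question, as an added example that is not part of the original post and is not Xano code: the redirect carries an opaque random token, and the server looks up the email from it when the OTP is posted. All names here (`start_verification`, `verify`, `PENDING`) are hypothetical, and the 10-minute lifetime and 5-guess limit are assumed values.

```python
import hashlib
import hmac
import secrets
import time

PENDING = {}          # sha256(token) -> record; stands in for a database table
TTL_SECONDS = 600     # assumed OTP lifetime
MAX_ATTEMPTS = 5      # assumed guess limit per issued OTP


def _h(value):
    return hashlib.sha256(value.encode()).hexdigest()


def start_verification(email, now=None):
    """Issue an OTP for email. Returns (token for the redirect URL, otp to email)."""
    now = time.time() if now is None else now
    token = secrets.token_urlsafe(32)          # opaque; carries no user data
    otp = f"{secrets.randbelow(10**6):06d}"    # 6-digit OTP from a CSPRNG
    # Only hashes are stored, so a read of this table yields no usable token.
    PENDING[_h(token)] = {"email": email, "otp_hash": _h(otp),
                          "expires": now + TTL_SECONDS, "attempts": 0}
    return token, otp


def verify(token, otp, now=None):
    """Return the verified email, or None. The client never submits the email."""
    now = time.time() if now is None else now
    key = _h(token)
    rec = PENDING.get(key)
    if rec is None:
        return None
    if now > rec["expires"] or rec["attempts"] >= MAX_ATTEMPTS:
        del PENDING[key]                       # expired or guessed out: discard
        return None
    rec["attempts"] += 1
    if not hmac.compare_digest(rec["otp_hash"], _h(otp)):  # constant-time compare
        return None
    del PENDING[key]                           # single use
    return rec["email"]
```

With this shape the verification page URL is `...?token=<token>`, so the email address does not appear in browser history, server access logs or `Referer` headers.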