Pinpoint: OTP operations (#1520)

Author: viren-nadkarni

content/en/user-guide/aws/pinpoint/index.md

@@ -93,3 +93,84 @@ The following output would be retrieved:
     }
 }
 ```
+
+### OTP verification
+
+The operations [`SentOTPMessage`](https://docs.aws.amazon.com/pinpoint/latest/apireference/apps-application-id-otp.html#SendOTPMessage) and [`VerifyOTPMessage`](https://docs.aws.amazon.com/pinpoint/latest/apireference/apps-application-id-verify-otp.html#VerifyOTPMessage) are used for one-time password (OTP) verification.
+
+On production AWS, `SendOTPMessage` sends an SMS text message with the OTP code.
+The OTP can then be verified against the reference ID using `VerifyOTPMessage`
+
+LocalStack however can not send real SMS text messages.
+Instead it provides alternative ways to retrieve the actual OTP code as illustrated below.
+
+Begin by making a OTP request:
+
+{{< command >}}
+$ awslocal pinpoint send-otp-message \
+  --application-id fff5a801e01643c18a13a763e22a8fbf \
+  --send-otp-message-request-parameters '{
+      "BrandName": "LocalStack Community",
+      "Channel": "SMS",
+      "DestinationIdentity": "+1224364860",
+      "ReferenceId": "liftoffcampaign",
+      "OriginationIdentity": "+1123581321",
+      "CodeLength": 6,
+      "AllowedAttempts": 3,
+      "ValidityPeriod": 2
+    }'
+<disable-copy>
+{
+    "MessageResponse": {
+        "ApplicationId": "fff5a801e01643c18a13a763e22a8fbf"
+    }
+}
+</disable-copy>
+{{< /command >}}
+
+You can use the debug endpoint `/_aws/pinpoint/<application_id>/<reference_id>` to retrieve the OTP message details:
+
+{{< command >}}
+$ curl http://localhost:4566/_aws/pinpoint/fff5a801e01643c18a13a763e22a8fbf/liftoffcampaign | jq .
+{
+  "AllowedAttempts": 3,
+  "BrandName": "LocalStack Community",
+  "CodeLength": 6,
+  "DestinationIdentity": "+1224364860",
+  "OriginationIdentity": "+1123581321",
+  "ReferenceId": "liftoffcampaign",
+  "ValidityPeriod": 2,
+  "Attempts": 0,
+  "ApplicationId": "fff5a801e01643c18a13a763e22a8fbf",
+  "CreatedTimestamp": "2024-10-17T05:38:24.070Z",
+  "Code": "655745"
+}
+{{< /command >}}
+
+The OTP code is also printed in an `INFO` level message in the LocalStack log output:
+
+```text
+2024-10-17T11:08:24.044 INFO : OTP for application ID fff5a801e01643c18a13a763e22a8fbf reference ID liftoffcampaign: 655745
+```
+
+Finally, the OTP code can be verified using:
+
+{{< command >}}
+$ awslocal pinpoint verify-otp-message \
+  --application-id fff5a801e01643c18a13a763e22a8fbf \
+  --verify-otp-message-request-parameters '{
+      "ReferenceId": "liftoffcampaign",
+      "DestinationIdentity": "+1224364860",
+      "Otp": "655745"
+  }'
+<disable-copy>
+{
+    "VerificationResponse": {
+        "Valid": true
+    }
+}
+</disable-copy>
+{{< /command >}}
+
+When validating OTP codes, LocalStack checks for the number of allowed attempts and the validity period.
+Unlike AWS, there is no lower limit for validity period.