One-Time Password Field

The One-Time Password field allows you to set up one-time password verification via email in seconds. Here we’ll break down the field itself in detail, if you need steps on how to get started using the field, check out this documentation article first.

Field Settings Reference

The One-Time Password fields ships with most of the stock field settings for Gravity Forms fields like label, descriptions, etc., we’ll be mostly focusing just on our own custom field settings here.


Source Field

This is where you’ll select which email field on the form will be used to source the email address that the user’s one-time password will be sent to. This must be an actual email field (Advanced Fields > Email), if you’re using something simpler and more generic like a single line text field to collect email addresses on your form, that will not work with the field.


This setting controls how many digits the generated one-time passwords will be.

By default this is set to 6 characters, there is no specific limit set in the product as to the max amount of digits you can set here but we wouldn’t recommend setting it to be more than 12 from a user experience standpoint. Most one-time passwords you see in the wild are typically 6-12 characters, and something in that range is what your users will likely be expecting to be sent.


This setting controls how long the one-time password is valid for.

Your users will have however long you set here between one-time password generation and them verifying that one-time password in the field.

If the expiration is hit, the one-time password is no longer valid and the user will need to start the verification flow over via the field prior to fully submitting the form in a valid state.

When the expiration is hit, the user will get a validation error that the password is invalid, and to try again.

This setting defaults to 10 minutes, but can be set to any minute based value between 1 minute and 300 minutes.

Overall, it is recommended to split the difference between giving your users a decent amount of time to verify the password, especially since emails can take a little bit to reach an inbox, but not so long that the password could be potentially compromised/give a malicious actor time to compromise an email account and get access to the password.

Note: The one-time passwords are formed using the current security salts in your site’s wp-config.php, if those salts are changed between a one-time password being sent to a user and them verifying it, the password will no longer be valid. This is another reason not to set your expiration time to be too high, as many security plugins for WordPress will auto-rotate these security salts automatically, periodically.


This is not one of our own settings, but rather a default Gravity Forms field setting, however, we’re covering it here because it is a setting we’d highly recommend enabling on the One-Time Password field especially if you want each user to complete the one-time password verification.

Also important to note here, if the field is marked as not being a required field, the user can skip the one-time password verification and submit the form. However, if the user engages with the one-time password field, the field and one-time password verification will become a psuedo-required field from that point and a valid, unexpired, one-time password will be required to submit the form in a valid state.

Important General Settings Note: All of the above settings will be put into a disabled state and will appear greyed out once the form has started creating entries with the One-Time Password field added as we can’t allow these settings to be changed on the fly once that has happened.

If you need to adjust these field settings after your initial implementation of the field, you’ll need to replace the existing field with a new version where the settings can be edited (you will also need to update any usage of merge tags elsewhere in your form with the new field ID).

Merge Tag


The field merge tag for the One-Time Password field has three parameters and generally follows the normal formatting for field merge tags in Gravity Forms: {[descriptor]:[field_id]:[modifier]}


Optional. A user defined value for readability. By default when using the merge tags widget, this will be the field name.


Required. This is the field ID of the One-Time Password field you want to pull data from using the merge tag. As One-Time Password fields are multi-part fields with multiple hidden sub-inputs that store various data related to password verification, this can be either the base field ID or the base field ID plus the sub-input number, e.g. 6.1, 6.2, or 6.3.


Optional. A flag you can specify to modify the output of the specified merge tag. A list of possible modifiers can be found below.


Default usage

The default usage of the merge tag is in notifications bound to the “One-Time Password” notification event to output the password that your form submitters will need to enter back into the form to complete verification. This is used by specifying the normal version of the field merge tag with no other modifiers, e.g.

{One-Time Password:1}

If you’d like to output information tied to the field post submission in elements like confirmations and notifications, you have a few options there (note the additional sub inputs specified after the field ID):

Output the password that was verified:

{One-Time Password:1}

Output the time the password was generated:

{One-Time Password:1.2}

Output the time the password was verified:

{One-Time Password:1.3}



When used with one of the time based sub-inputs shown above, this modifier can be used to format the output of the merge tag from a UNIX timestamp to a more human readable format in your desired format.


If you want to output the verification time in a more human-readable format, you can do something like the following:

{One-Time Password (Verification Time):6.3:format:d/m/Y\ \a\t\ H:i:s}

The above will format the timestamp to display a full representation of the date along with the time.

The :format modifier can be used with any PHP date format character to get things formatted the way you want, you can find a chart of all of the PHP date format characters here.

Save and Continue

One-Time Password does work within Save and Continue, however, your users will have to re-verify via the One-Time Password field each time they resume the draft submission from the link generated via Save and Continue.