One-time passwords (OTPs) are a cornerstone of modern authentication — but testing them shouldn’t require managing real inboxes or exposing production users to test traffic. Mailinator provides a fast, disposable email infrastructure that makes OTP testing easy, repeatable, and safe.
This guide walks you through everything you need to get started — including how to set up a private testing domain so your test emails stay out of the public inbox.
Step 1: Sign Up for a Mailinator Account
⚠️ Before you start testing, we strongly recommend signing up for an account to get access to a private testing domain. Using the public @mailinator.com inbox is fine for a quick sanity check, but any email sent there is visible to anyone on the internet. A private domain keeps your test data secure.
Mailinator offers two free options to get you started:
💡 For most QA workflows, the free Verified Pro account is all you need. Upgrade to Business if you need Mailinator’s REST API for automated test pipelines.
Once you’ve signed up:
- Log in to your Mailinator dashboard
- Navigate to Settings > Domains
- Create a private domain (e.g., tests.yourcompany.com) and point your DNS records as instructed
- Your test emails will now go to yourname@tests.yourcompany.com — private and only accessible to your team
Step 2: Choose a Test Email Address
With your private domain set up, pick an inbox name for your test. A good convention is to tie it to the test case:
- testuser_signup_001@tests.yourcompany.com
- qa_otp_login@tests.yourcompany.com
- automation_tc042@tests.yourcompany.com
💡 No need to create the inbox in advance — it’s created automatically the moment an email is delivered to it.
Step 3: Trigger an OTP from Your Application
- Open your application or staging environment
- Enter your Mailinator address in the email or sign-in field
- Initiate the action that sends the OTP — for example, clicking Sign In, Send Code, or Verify Email
- Your app will send the OTP email to the Mailinator inbox
Step 4: Check the Mailinator Inbox
There are two ways to check your inbox, depending on your plan:
Option A — Mailinator Web UI (All Plans)
- Go to mailinator.com and log in
- Navigate to your private domain’s inbox
- Search for or click on your test inbox name
- The OTP email should appear within a few seconds of being sent
Option B — Mailinator REST API (Business Plan)
For automated test pipelines, use the Mailinator API to poll for and retrieve emails programmatically:
// Fetch messages from an inbox GET https://mailinator.com/api/v2/domains/tests.yourcompany.com/inboxes/testuser_signup_001 ?token=YOUR_API_TOKEN // Fetch a specific message body GET https://mailinator.com/api/v2/domains/tests.yourcompany.com/inboxes/testuser_signup_001/messages/{message_id} ?token=YOUR_API_TOKEN
Parse the response and extract the OTP using a regular expression — for example, /\b\d{6}\b/ for 6-digit codes.
Step 5: Open the OTP Email
- Click the OTP email in the inbox list
- Locate the OTP code in the email body — it’s typically a 4–8 digit number, often displayed prominently
- Note the OTP expiry time from the email or your app’s documentation (usually 5–10 minutes)
Step 6: Enter the OTP in Your Application
- Switch back to your app or test environment
- Enter the OTP code in the verification field
- Submit before the expiry window closes
- Confirm the app accepts the code and advances to the next step
Step 7: Verify the Flow and Log Your Result
- Confirm the expected outcome — user logged in, email verified, account created, etc.
- Log the test result as Pass or Fail in your test case management tool
- If the test failed, check the email delivery timestamp, the OTP value used, and any relevant app logs
Testing Tips & Edge Cases
Once the happy path is working, extend your test coverage with these scenarios:
| Testing Tip | Details |
| Use unique inbox names per test run | Prevents OTPs from different tests mixing together (e.g., testuser_tc001@yourdomain.com) |
| Use the Mailinator API for automation | Paid plans support API polling to fetch OTP codes programmatically — ideal for CI/CD pipelines |
| Test delayed delivery | Verify what happens when an OTP email arrives late and the expiry window has passed |
| Test OTP expiry | Wait past the expiry window and confirm the app correctly rejects the expired code |
| Test single-use enforcement | Submit the same OTP twice to verify it cannot be reused |
| Test invalid OTPs | Enter a wrong code and confirm the app shows the correct error message |
Ready to Get Started?
Sign up for a free Verified Pro account or start a free Business plan trial to get access to private domains and everything you need for reliable, repeatable OTP testing.
With Mailinator in your testing toolkit, you can validate your entire OTP flow — delivery, expiry, single-use enforcement, and error handling — without touching production infrastructure or real user inboxes.