Even after the OTP check succeeds, do not let the client treat the verification response itself as proof of authentication. Have the server decide whether the OTP matched and, only then, issue a signed session token (for example a JWT) that every later request must carry. An attacker who intercepts and edits the response in a proxy can flip a `success` flag, but cannot produce a token with a valid server signature, so the tampered response grants nothing.
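The following is an added example, not code from the original page, of the pattern described above: the server verifies the OTP, issues an HS256 JWT only on success, and a later protected request checks the token's signature and expiry rather than any flag in the response. The secret, the in-memory OTP store, the endpoint names and the 6-digit OTP format are assumptions chosen for the demonstration; the JWT signing and verification are written out by hand so the example runs with the standard library alone.

```python
import base64
import hashlib
import hmac
import json
import secrets
import time
from typing import Optional

# Assumed server-side signing key; a real deployment loads it from a secrets manager.
SERVER_SECRET = secrets.token_bytes(32)
OTP_TTL = 300   # seconds an OTP stays valid
JWT_TTL = 900   # seconds an issued session token stays valid

# Constructed in-memory OTP store for the example: username -> (otp, expiry)
otp_store = {}


def b64url_encode(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def issue_otp(user: str, now: Optional[float] = None) -> str:
    """Generate and store a 6-digit OTP; a real service delivers it out of band."""
    now = time.time() if now is None else now
    otp = f"{secrets.randbelow(1_000_000):06d}"
    otp_store[user] = (otp, now + OTP_TTL)
    return otp


def sign_jwt(claims: dict, secret: bytes = SERVER_SECRET) -> str:
    """Minimal HS256 JWT: b64url(header).b64url(payload).b64url(HMAC-SHA256)."""
    header = b64url_encode(json.dumps({"alg": "HS256", "typ": "JWT"}, separators=(",", ":")).encode())
    payload = b64url_encode(json.dumps(claims, separators=(",", ":")).encode())
    signing_input = f"{header}.{payload}".encode("ascii")
    sig = hmac.new(secret, signing_input, hashlib.sha256).digest()
    return f"{header}.{payload}.{b64url_encode(sig)}"


def verify_jwt(token: str, now: Optional[float] = None) -> Optional[dict]:
    """Return the claims if the server's signature and the expiry check out, else None."""
    now = time.time() if now is None else now
    try:
        header_b64, payload_b64, sig_b64 = token.split(".")
        header = json.loads(b64url_decode(header_b64))
        # Pin the algorithm: refuse alg=none and anything the server did not issue.
        if not isinstance(header, dict) or header.get("alg") != "HS256":
            return None
        expected = hmac.new(SERVER_SECRET, f"{header_b64}.{payload_b64}".encode("ascii"),
                            hashlib.sha256).digest()
        if not hmac.compare_digest(expected, b64url_decode(sig_b64)):
            return None
        claims = json.loads(b64url_decode(payload_b64))
    except ValueError:  # bad split, bad base64, bad JSON, bad UTF-8
        return None
    if not isinstance(claims, dict) or not isinstance(claims.get("exp"), int):
        return None
    if claims["exp"] <= now:
        return None
    return claims


def verify_otp(user: str, submitted: str, now: Optional[float] = None) -> dict:
    """Server side of the assumed /verify-otp endpoint; returns the response body.
    The decision is made here, and the only thing of value in the body is the token."""
    now = time.time() if now is None else now
    stored = otp_store.pop(user, None)  # single use: consumed on the first attempt
    if stored is None:
        return {"success": False}
    otp, expiry = stored
    if now >= expiry or not hmac.compare_digest(otp.encode(), submitted.encode()):
        return {"success": False}
    token = sign_jwt({"sub": user, "iat": int(now), "exp": int(now) + JWT_TTL, "amr": ["otp"]})
    return {"success": True, "token": token}


def access_protected(response_body: dict, user: str, now: Optional[float] = None) -> bool:
    """A later protected request. The server admits the caller only on a token it signed;
    the 'success' flag the client got back is never consulted."""
    claims = verify_jwt(str(response_body.get("token", "")), now)
    return claims is not None and claims.get("sub") == user
```

With this split, editing the `/verify-otp` response in a proxy is pointless: flipping `success` to `true` does not conjure a token, a token minted with any key other than the server's fails `hmac.compare_digest`, and a header of `alg: none` is refused outright. The OTP is also consumed on first use and compared in constant time, which closes the replay and timing angles the same endpoint tends to expose.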