Pricing
Simple pricing. No surprises.
Start free. Pay when you outgrow it. Cancel any time. Annual plans get 10% off.
| Feature | Free | Pro | Team | Enterprise |
|---|---|---|---|---|
| Inboxes | 5 | 50 | Unlimited | Unlimited |
| Messages / month | 1,000 | 50,000 | 500,000 | Custom |
| Retention | 24h | 30 days | 90 days | Custom |
| Concurrent waiters | 2 | 25 | 100 | Custom |
| Webhooks | — | ✓ | ✓ + scoped keys | ✓ + SSO/SCIM |
| API rate limit | 60 req/min | 600 req/min | 6,000 req/min | Custom |
| Support | Community | Email (24h) | Email (4h) + Slack | Slack + dedicated |
| SLA | — | — | 99.9% | 99.95% |
| SOC 2 / DPA | — | DPA | DPA | SOC 2 + DPA |
Frequently asked questions
Do I need a credit card to start?
No. The Free tier is forever-free and requires no card. You sign up at app.catchotp.com with an email address, get an API key in under a minute, and you can start creating inboxes immediately. Free includes 5 inboxes, 1,000 messages a month, 24-hour retention, and 2 concurrent waiters — enough for most CI pipelines and personal projects. You can upgrade to Pro any time from the customer portal once you outgrow the limits.
Can I switch plans?
Yes. You can upgrade, downgrade, or cancel at any time directly from the Stripe customer portal — no support ticket required. Billing is pro-rated to the day: if you upgrade mid-cycle, you only pay the difference for the remaining days; if you downgrade, the unused credit is applied to your next invoice. Annual plans (10% off) can also be switched, with the residual prorated as a credit.
What happens at the end of the retention window?
Message bodies are auto-deleted from our database and S3 once the per-plan retention window expires (24 hours on Free, 30 days on Pro, 90 days on Team). The audit log retains metadata only — sender, timestamp, message ID, parsed OTP — for 365 days for compliance and abuse-investigation purposes. Deletion is enforced by an EventBridge-scheduled Lambda that cannot be bypassed; we cannot recover bodies after the window even if you ask.
How fast does an OTP arrive?
p95 end-to-end latency (sender → API client) is under 1 second. Most messages resolve under 500ms. The pipeline is SES inbound → SNS → Lambda parser → DynamoDB → long-poll waiter, with no polling at any layer — every hop is event-driven. We monitor this continuously with CloudWatch synthetics and publish the rolling p50/p95/p99 on /status. If you see degraded numbers, check the status page first.
Do you support custom domains?
Custom domains are on the roadmap for the Team tier. Today, all addresses live at *@inbox.catchotp.com — a real domain with proper MX records, DKIM signing, and an abuse-handling story. Bring-your-own-domain will land alongside DKIM key publishing tooling and per-domain DMARC policy support. Enterprise customers can request a private subdomain (e.g. inbox.yourco.com) on a case-by-case basis today.
Is there an SDK for Go / Ruby / Java / .NET?
Node and Python ship today as @catchotp/sdk and the catchotp PyPI package. Go is in beta with the same surface (catchotp/go-sdk). Ruby, Java, and .NET are by request — file an issue or email us and we will prioritize based on demand. The REST API is documented at /docs/api and is straightforward to wrap; teams have shipped Rust and Elixir clients in an afternoon using the OpenAPI spec.
Can I cancel anytime?
Yes. Monthly plans cancel at the end of the current period with no penalty — you keep access until the renewal date and are not charged again. Annual plans (which carry a 10% discount) can be cancelled at any time, but the prepaid year is non-refundable; you keep access through the end of the term. There is no annual lock-in unless you choose the annual rate.
What about GDPR / EU data?
All data is encrypted at rest with AWS KMS (customer-managed keys on Team and Enterprise) and in transit with TLS 1.3 only. A standard DPA is available on request from legal@catchotp.com — most reviews land in under 48 hours. The current production region is AWS us-east-1; an EU region (eu-west-1) is on the roadmap for Q3, after which Team and Enterprise customers can choose their data residency. We are not currently SOC 2 certified — that work starts after the EU region ships.
Still on the fence?
Spin up a free account. You can integrate it into a test in five minutes.