We use PasswordState with the Devolutions product Remote Desktop Manager and have spent about a year working with them on changes to incorporate the new OTP API call you integrated last year. They have pointed out a shortcoming between the two products that they are asking me to pass along.
Because the OTP is a time sensitive response, the time in which it can be used or injected into a session causes an issue for useability.
Could the API pass two details back:
1. The OTP result (As it is now)
2. The time remaining for valid use?
#2 s subjective on the return, milliseconds may be better since its far more accurate than second, a time code to expiration would work but any differential in the time on the system making the request could make this a problem.
I'm worried about backwards compatibility so we are not sure if it would be an entirely new endpoint, whatever you come up with will be helpful!