Kite app code: what it is and how it works as a login factor
The Kite app code is a six-digit time-based one-time password (TOTP) generated inside Zerodha’s Kite mobile app that you type into Kite web as the second factor of a two-factor login. After you enter your user ID and password on Kite web, the app shows a code that is valid for 30 seconds; entering it completes the login. Zerodha documents this as the default second factor for clients who have the Kite mobile app and have not switched to an external authenticator.
The app code exists because regulation requires two factors for online trading logins, and because the broker decided a cryptographic code generated on your own phone is a better second factor than an SMS one-time password. This article explains what the code is, the exact mechanism it runs on, where to find it during a login, how it differs from the SMS OTP and from an external authenticator’s TOTP, and the common reasons it stops appearing. For the side-by-side comparison of all three second-factor methods, see Kite app code vs TOTP vs SMS OTP.
Conflict-of-interest disclosure. This guide is published by the WebNotes Editorial Team for informational purposes and is written independently. WebNotes operates a Zerodha account-opening referral programme, disclosed on the pages that carry the referral link; this guide does not carry it and earns no referral commission from the procedure described here.
What the app code is
The app code is a TOTP. A TOTP is a short numeric code derived from two inputs: a secret key shared once between the server and your device, and the current time rounded to a fixed window. The algorithm, defined in RFC 6238, feeds the secret and a 30-second time counter through a keyed hash and truncates the result to a six-digit number. Both ends compute the same number independently, so the server can check your code without any message travelling over a network at the moment of login. The code rolls over every 30 seconds because the time counter advances; that is why a Kite app code you read off the screen stops working a few seconds after you read it.
Zerodha’s support documentation states the rule plainly: the app code “is a Time-based One-Time Password (TOTP) generated on the Kite app” and is “valid for 30 seconds, after which a new code is generated” (Zerodha support, as of June 2026). The secret that seeds the calculation is provisioned when you install and log in to the Kite app, so the app already holds everything it needs to produce valid codes offline.
When you log in to Kite web, your user ID and password are the first factor. The app code on your phone is the second factor. Zerodha points out a third layer that most clients carry without thinking about it: the Kite mobile app sits behind a mandatory device lock, usually a biometric or PIN, so reading the app code in practice requires unlocking the phone first. The broker describes the combination of password, app code, and that device lock as functioning like a third factor.
Where to find the app code
The app code appears on the Kite mobile app at the moment Kite web asks for it. The sequence is fixed.
- On Kite web, enter your 12-character user ID and password and submit.
- Kite web then shows a field asking for the app code.
- Open the Kite mobile app on the phone where your account is logged in. The current app code is displayed on the app screen.
- Type that six-digit code into Kite web before the 30-second window closes, and you are in.
If you are logging in on the Kite mobile app itself for the first time on a new device, the flow differs: that first mobile login uses your user ID and password plus an SMS OTP, after which the app provisions the TOTP secret and can generate app codes from then on. So the SMS OTP still has one narrow job in the lifecycle, the first-time setup of the app on a device, even though it is not the day-to-day second factor.
Why a daily login, and why the app code over SMS
Zerodha clients log in every day because the broker forcibly logs every user out at the end of the trading day. That practice is required of brokers and is the reason the second factor matters so much: you face it once each day, often in the minutes around the 9:15 a.m. market open, when a square-off or a fresh position cannot wait on a slow login.
That timing is exactly where SMS fails. Zerodha’s own support note says that when millions of users log in within a short window, “sending tens of thousands of time-sensitive login OTP SMSes per second may result in non-delivery or delayed delivery, preventing a user from logging in and squaring off positions on time” (Zerodha support, as of June 2026). An SMS OTP depends on a telecom gateway you do not control; a delayed message at 9:14 a.m. is a real trading risk, not a theoretical one. The app code carries no such dependency because the phone computes it locally. Zerodha also notes the security gap: SMS is a non-encrypted protocol whose contents can be intercepted with nearby hardware, and the SIM that receives it can be hijacked through SIM-swap and phishing social engineering. The app code removes the network from the path and removes the SIM as an attack surface.
App code, external TOTP, and SMS OTP at a glance
Kite supports three second-factor mechanisms. The table sets out what each one is and when it applies. All three reduce to “something you have” beyond your password, but they differ in where the code comes from and what can break it.
| Factor | What generates it | Validity window | Network needed to generate | When Kite uses it |
|---|---|---|---|---|
| Kite app code | The Kite mobile app, as a TOTP | 30 seconds (Zerodha support, June 2026) | None; computed offline on the device | Default second factor when you have the Kite app and have not set up external TOTP |
| External TOTP | A third-party authenticator (Authy, Google Authenticator, Microsoft Authenticator, Bitwarden, Ente Auth) | Typically 30 seconds, set by the authenticator | None; computed offline | When you have enabled external TOTP from the Kite login page or profile; it then replaces the app code |
| SMS OTP | Zerodha’s SMS gateway over the mobile network | Set by the broker, delivered by SMS | Yes; depends on telecom delivery | First-time login on a new Kite mobile device; legacy fallback |
The practical takeaway: if you do nothing, the app code is your second factor and you read it off the Kite app each day. If you set up an external authenticator, Kite stops asking for the in-app app code and asks for the authenticator’s code instead, which lets you log in to Kite web without opening the Kite app at all. The deeper comparison, including the regulatory backing and a recommendation, is in Kite app code vs TOTP vs SMS OTP.
Regulatory basis for two-factor login
The reason any second factor exists is a SEBI mandate. SEBI’s circular SEBI/HO/MIRSD/DOP/CIR/P/2018/147, dated 3 December 2018, required two-factor authentication for login to online trading accounts, with the second factor being either a one-time password or a biometric. After extensions, the requirement came into force on 30 September 2022, which is why every broker that offers web and mobile trading now asks for a second factor at login. The app code, external TOTP, and SMS OTP are simply the three forms Zerodha offers to satisfy that one rule. The broader cyber-security obligations on the broker, beyond login, sit under the SEBI cyber-security framework discussed separately.
When the app code does not appear
A few specific conditions stop the app code from showing, and each has a direct fix.
The app is not installed or you are not logged in on it. The app code is generated by the Kite mobile app; with no app holding the TOTP secret, there is no code. Install Kite, log in once (the SMS OTP first-login flow runs here), and the app can generate codes after that.
The phone clock is wrong. A TOTP is tied to the current time. If your phone clock has drifted, the code your app computes will not match what the server expects, and the login fails even though a code is shown. Set the phone to fetch time automatically from the network so the clock stays aligned.
You switched to external TOTP. If you have enabled an external authenticator, Kite deliberately stops prompting for the in-app app code and asks for your authenticator’s code instead. That is expected behaviour, not a fault. Open your authenticator app for the code.
You lost the device entirely. If you no longer have the phone, you cannot read the app code, and you reset the second factor through Zerodha’s recovery flow. See how to reset 2FA on Zerodha for that path.
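The RFC 6238 mechanism described under “What the app code is”, and the clock-drift failure above, worked through as an added example (this is illustrative code, not Zerodha’s or the Kite app’s implementation). It assumes the RFC 6238 default of HMAC-SHA1, six digits and 30-second steps, and uses the 20-byte test key published in RFC 6238 as a stand-in for the secret the Kite app holds; a real Kite secret is provisioned by the broker and is never this value.

```python
import hashlib
import hmac
import struct
import time

# Constructed for this example: the ASCII test key from RFC 6238 / RFC 4226.
# A real Kite app secret is provisioned at first login and stays on the phone.
DEMO_SECRET = b"12345678901234567890"
STEP_SECONDS = 30
DIGITS = 6


def totp(secret: bytes, unix_time: int, step: int = STEP_SECONDS, digits: int = DIGITS) -> str:
    """RFC 6238 TOTP: HMAC-SHA1 over the time counter, then dynamic truncation."""
    counter = int(unix_time) // step                       # time rounded down to its window
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F                                # low nibble of last byte picks the slice
    code_int = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code_int % (10 ** digits)).zfill(digits)    # keep the low `digits` decimal digits


def seconds_remaining(unix_time: int, step: int = STEP_SECONDS) -> int:
    """How long the code displayed at unix_time stays valid before the window rolls over."""
    return step - (int(unix_time) % step)


def verify(secret: bytes, submitted: str, server_time: int, skew_steps: int = 0) -> bool:
    """Server-side check. skew_steps=0 is strict, so a code from a drifted clock fails.
    Allowing one step either side is a server policy choice, not part of the core algorithm."""
    for k in range(-skew_steps, skew_steps + 1):
        candidate = totp(secret, server_time + k * STEP_SECONDS)
        if hmac.compare_digest(candidate, submitted):
            return True
    return False


def phone_clock_drift_fails(drift_seconds: int, server_time: int) -> bool:
    """Simulate a phone whose clock is off by drift_seconds and ask whether its
    code is rejected by a strict server check at server_time."""
    phone_code = totp(DEMO_SECRET, server_time + drift_seconds)
    return not verify(DEMO_SECRET, phone_code, server_time)


if __name__ == "__main__":
    now = int(time.time())
    print("demo code:", totp(DEMO_SECRET, now), "valid for", seconds_remaining(now), "s")
```

The `verify` loop with `skew_steps=1` shows why a phone a few seconds out still logs in while one that is minutes out does not: the server only recomputes the adjacent windows, never arbitrary ones.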
How the app code fits the wider account-security picture
The app code is one control among several. It protects the login, but it does not protect against a malicious authorisation you grant yourself, a phishing site that captures both your password and a live app code, or a Kite Connect third-party app you have authorised and forgotten. Treat the app code as the lock on the front door: necessary, and stronger than SMS, but not the whole of account security. The companion best-practices guide, how to secure your trading account, covers device hygiene, phishing and vishing defence, the DDPI versus POA exposure, and monitoring your account through Zerodha Console.
See also
- Zerodha
- Kite by Zerodha
- Kite web
- Kite mobile app
- Kite app code vs TOTP vs SMS OTP
- How to secure your trading account
- Zerodha cyber-security
- How to reset 2FA on Zerodha
- How to recover your Kite password
- How to recover your Kite user ID
- Zerodha 12-character user ID format
- Why the welcome email has no password
- Zerodha Console
- Kite Connect API
- Kite Connect OAuth login flow
- How to use Kite Connect TOTP automation
- Is Zerodha safe
- Zerodha hack and security incidents
- Why Kite shows the risk disclosure at every login
- Risk disclosure document
- Zerodha investor charter
- POA to DDPI transition
- SEBI
- National Stock Exchange
- Bombay Stock Exchange
- Trading account
- Demat account
- Zerodha customer care number
External references
- Zerodha support: What is an App Code and why is it displayed on Kite app?
- Zerodha support: How are Kite app code and external TOTP better than SMS OTP?
- Zerodha support: How do I set up Time-based OTP (TOTP) to log in to Kite?
- Z-Connect by Zerodha: Two factor authentication (2FA)
- SEBI: Circulars
References
- Zerodha support, “What is an App Code and why is it displayed on Kite app?” (as of 20 June 2026).
- Zerodha support, “How are Kite app code and external TOTP better than SMS OTP?” (as of 20 June 2026).
- SEBI circular SEBI/HO/MIRSD/DOP/CIR/P/2018/147, dated 3 December 2018, on two-factor authentication for login to online trading accounts (in force from 30 September 2022 after extensions).
- RFC 6238, “TOTP: Time-Based One-Time Password Algorithm” (Internet Engineering Task Force, May 2011).