Guide

Extract OTP Codes from Email — Skip the Inbox

Stop switching to your inbox every time a 2FA code arrives. nylas otp get scans recent emails for verification codes and copies the result to your clipboard in under a second. Works across all major email providers — no browser required.

Written by Nick Barraclough Product Manager

Reviewed by Qasim Muhammad

Updated May 10, 2026

Verified — CLI 3.1.1 · Gmail, Outlook, Yahoo, iCloud, IMAP · last tested April 11, 2026

Why are OTP codes hard to extract from email?

OTP codes are hard to extract from email because every verification interrupts your workflow with 30–60 seconds of context switching — opening your inbox, scanning for the message, locating the 6-digit code inside a styled template, typing it into the login prompt, and switching back to your original task.

For developers running integration tests or end-to-end flows, the problem is worse. Extracting codes programmatically means writing custom email polling logic for each provider — Gmail API, Microsoft Graph, IMAP idle — before the actual test can even begin. According to the FIDO Alliance Online Authentication Barometer, users frequently abandon signups when verification is slow, and brittle OTP extraction code is one of the top causes of flaky E2E test suites.

The Nylas CLI eliminates both problems with a single command: nylas otp get scans recent messages across Gmail, Outlook, Yahoo, iCloud, and any IMAP server, extracts the code, and copies it to your clipboard in under 1 second.

1. Install

Installing the Nylas CLI takes a single Homebrew command and finishes in under 30 seconds on most machines. The CLI binary is around 25 MB and supports macOS, Linux, and Windows. Homebrew is the fastest path for macOS and Linux users.

brew install nylas/nylas-cli/nylas

Shell-script, PowerShell, and Go install paths are available in the getting started guide. After installing, confirm the CLI is available by checking its version:

nylas --version

2. Authenticate

Authentication connects the Nylas CLI to your email account so it can scan messages for OTP codes. The CLI supports 6 provider types — Gmail, Outlook, Exchange (EWS), Yahoo Mail, iCloud Mail, and generic IMAP — all through a single authentication step. No per-provider configuration is needed.

Generate an API key from the Nylas Dashboard, then pass it to the CLI. Credentials are stored locally in ~/.config/nylas/ and never sent to third parties.

nylas auth config --api-key YOUR_API_KEY

3. Get the latest OTP code

The nylas otp get command scans recent emails, extracts the most recent verification code, and copies it to your clipboard — typically completing in under 1 second. Most email-based OTP codes are 6 digits and expire within 5–10 minutes, as defined by RFC 6238 (TOTP).

Running the command with no arguments fetches the latest code from your default account. The CLI searches the most recent messages for common OTP patterns (numeric codes embedded in verification-style emails) and returns the match.

nylas otp get

✓ OTP found

  Code:    847291
  From:    noreply@github.com
  Subject: Your GitHub verification code
  Copied to clipboard

For scripting and CI/CD pipelines — where clipboard side effects are unwanted — the --raw flag outputs only the bare code. This makes it easy to capture the value in a shell variable.

nylas otp get --raw

To keep the code visible in your terminal output without copying it to the clipboard, use the --no-copy flag. This is useful when you want to read the code on screen and type it manually.

nylas otp get --no-copy

4. Watch for incoming OTP codes

The nylas otp watch command polls your inbox continuously and prints each new OTP code as it arrives. This is useful when you trigger an action that sends a verification email and need to capture the code without knowing exactly when it will land. The default polling interval is 5 seconds, which means most codes appear within 5–10 seconds of delivery.

Start watching by running the command with no arguments. The CLI keeps polling until you press Ctrl+C. Each code is timestamped and printed alongside the sender address.

nylas otp watch

Watching for OTP codes... (Ctrl+C to stop)

  [14:23:05] 847291  — noreply@github.com
  [14:31:18] 193047  — security@google.com

The --interval flag sets the polling frequency in seconds. A shorter interval catches codes faster but sends more API requests. For most use cases, 5–10 seconds balances speed and efficiency.

nylas otp watch --interval 5

Combine --no-copy with a custom interval when running in a terminal where clipboard access isn't available, such as a remote SSH session or a Docker container.

nylas otp watch --no-copy --interval 10

5. List configured accounts

The nylas otp list command shows every email account connected to the Nylas CLI, along with its provider type. Developers who work with multiple accounts — for example, a personal Gmail and a corporate Outlook tenant — can use this to confirm which accounts are available before fetching codes. The CLI supports up to 6 provider types in a single configuration.

Each row in the output maps an email address to its detected provider. This makes it straightforward to identify which account to target when calling nylas otp get.

nylas otp list

  ACCOUNT                        PROVIDER
  user@gmail.com                 Gmail
  work@company.com               Outlook
  personal@icloud.com            iCloud

To fetch a code from a specific account instead of the default, pass the email address as an argument. This avoids ambiguity when multiple accounts have recent OTP emails.

nylas otp get user@gmail.com

6. Use OTP codes in scripts

The --raw flag turns nylas otp get into a composable building block for shell scripts, CI/CD pipelines, and end-to-end test harnesses. Because it outputs only the bare code with no formatting, the result can be captured directly in a variable with standard command substitution.

The script below demonstrates a full OTP verification flow: it triggers a password-reset email via an API call, waits 3 seconds for delivery, extracts the code, and submits it. In production CI environments, this pattern replaces 20–50 lines of custom provider-specific polling logic.

#!/usr/bin/env bash
set -euo pipefail

EMAIL="user@example.com"
API_BASE="https://app.example.com/api"

# Trigger the OTP email
curl -s -X POST "$API_BASE/auth/send-otp" \
  -H "Content-Type: application/json" \
  -d "{"email": "$EMAIL"}"

# Wait for delivery, then grab the code
sleep 3
CODE=$(nylas otp get --raw)

echo "Got code: $CODE"

# Submit the code
curl -s -X POST "$API_BASE/auth/verify-otp" \
  -H "Content-Type: application/json" \
  -d "{"email": "$EMAIL", "code": "$CODE"}"

echo "Verified."

In CI/CD environments like GitHub Actions, store the Nylas API key as a repository secret. The example below shows a 2-step workflow: the first step configures authentication, and the second runs the OTP test script. This approach keeps credentials out of source control entirely.

# GitHub Actions example
- name: Authenticate Nylas CLI
  run: nylas auth config --api-key ${{ secrets.NYLAS_API_KEY }}

- name: Run OTP flow test
  run: ./scripts/test-otp-flow.sh

The CLI reads the NYLAS_API_KEY environment variable automatically, so you can skip the nylas auth config step in ephemeral CI environments. This is the recommended approach for containers and serverless runners where the filesystem doesn't persist between jobs.

# Set env var — CLI picks it up automatically
export NYLAS_API_KEY=your_key
CODE=$(nylas otp get --raw)

Next steps

E2E email testing with Playwright — combine OTP extraction with full end-to-end test flows
Email as identity for AI agents — authenticate AI workflows via email-based verification
PowerShell email in CI/CD — Windows-native automation for email-dependent pipelines
Getting started with Nylas CLI — connect your first account in under 5 minutes
Command reference — every flag, subcommand, and example
RFC 6238 -- TOTP: Time-Based One-Time Password — the spec for the time-windowed codes you're extracting from email