diff --git a/backend/api/request-otp.php b/backend/api/request-otp.php
index 319461d..9146334 100644
--- a/backend/api/request-otp.php
+++ b/backend/api/request-otp.php
@@ -97,8 +97,8 @@ if (!$rateLimit->checkIp($clientIp, 'request-otp', 30, 60)) {
     exit;
 }
 
-// Generate 3-digit OTP (cryptographically secure)
-$otpCode = str_pad((string) random_int(0, 999), 3, '0', STR_PAD_LEFT);
+// Generate 3-digit OTP (cryptographically secure, always between 100 and 999)
+$otpCode = (string) random_int(100, 999);
 
 // Determine delivery method
 $method = 'flash_call'; // Default fallback
diff --git a/backend/api/verify-otp.php b/backend/api/verify-otp.php
index e0140f9..af241d1 100644
--- a/backend/api/verify-otp.php
+++ b/backend/api/verify-otp.php
@@ -57,8 +57,8 @@ if (!preg_match('/^\+[1-9]\d{6,14}$/', $phone)) {
     exit;
 }
 
-// Validate OTP format (4 digits)
-if (!preg_match('/^\d{4}$/', $otp)) {
+// Validate OTP format (3 or 4 digits)
+if (!preg_match('/^\d{3,4}$/', $otp)) {
     http_response_code(400);
     echo json_encode(['success' => false, 'message' => 'invalid_otp_format']);
     RequestLogger::log('verify-otp', 'POST', $input, 400, 'invalid_otp_format');
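Review bot: The new `$otpCode = (string) random_int(100, 999);` shrinks the code space from 1000 to 900 values, a 10% cut to an already small 3-digit keyspace, and the only visible motivation is avoiding a leading zero rather than any security property. If a leading zero was being lost downstream (a numeric cast in the delivery path or on the client, presumably), the fix belongs at that conversion point and the zero-padded `str_pad` form should be kept; if the delivery channel genuinely cannot carry a leading zero, the comment should record that reason instead of just restating the range, e.g. `// Lower bound 100: <reason the delivery channel cannot carry a leading zero>`. Either way, with at most 900 candidates the protection rests entirely on the verification side capping failed attempts per phone number and expiring the code, which the `checkIp` limit on this request endpoint does not provide; the `verify-otp.php` hunk in this same diff is where such a cap would need to be confirmed.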
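Review bot: The widened pattern `'/^\d{3,4}$/'` keeps accepting 4-digit codes although `request-otp.php` in this same diff now issues only 3-digit ones, so the 4-digit branch either serves codes still in flight from the previous generator or is dead input acceptance. If it is a transition, the comment should say so and give the condition for narrowing it back, e.g. `// Validate OTP format (3 digits; 4 digits accepted only until <legacy-OTP expiry> codes have expired)`, otherwise `'/^\d{3}$/'` is the tighter check. The format check is only the first gate: a 3-digit code is exhausted in at most 900 tries, so this script also needs a per-phone failed-attempt counter that invalidates the code, which is not visible in this hunk and should be confirmed further down. The enclosing `if (!preg_match(...)) {` block closes outside the hunk.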