This article clarifies whether users can verify their email address with an OTP instead of a magic link or email.
This is not supported out-of-the-box, and the recommended way is to use the Verification Email (using Link) template to verify the users.
The workaround would be to implement a new service to store that code and check if it’s the same code the user entered, and then call the Management API to validate their email. In essence, this is how the Email Verification (using Link) works, and there will be a need to implement the logic for using the code.
Moreover, there will also be the need to use a Post-Login Action that invalidates users’ access from logging in until they have verified their email with the code, which is triggered as soon as they try to log in with a non-verified email address.