Manan
2 min read · Sep 29, 2018


Oh my god. Dude.

Here’s how an API works, alright? YOU send a request to a service and the service then sends back a response. You can tweak YOUR request parameters to hope to get a different response which is what one would do. But you can’t change the “response” on your own machine. That’s literally what I said.

And yes, I’ve used Burp Suite before and it doesn’t allow you to control how the service responds. Maybe you found a flaw in how it accepts the requests and you used something to get your desired response but you. can’t. decide. what. the. server. will. respond. with. by. just. “changing”. the. response.

As for the OTP — no one asked the stupid question because, you’re correct for one, that if you’ve got the endpoint then you can just bombard it with different combinations of OTPs. But what you just said you did, brute force your way through 6 million different unique keys (and yes, 6 million since 000001 is also a unique code), I’m sure it was very feasible.

And yeah, I will criticise your English, man. It’s not because this was your first write-up, it’s because it just overall isn’t good. It was really painful to read the fiction. Never said you needed “perfect” English, just something that’s understandable.

But anyway, man, you’ve got a great career in Bollywood. I’ll provide you with a number for an English teacher and perhaps throw in a book —


Written by Manan

Computer Science and Mathematics enthusiast. I dabble in Philosophy.
