A Lightweight Email–OTP Access Gate with Multi-Key Rate Limiting for Institutional LLM Chatbots in Low-Code Orchestration
Institutional LLM chatbots are frequently deployed before enterprise single sign-on (SSO) is available, yet still require baseline access control, cost containment, and abuse prevention. This paper presents a pragmatic access-gating blueprint implementable in low-code orchestration platforms: (i) endpoint-specific, per-identity rate limiting composed across multiple keys (session/user id, email, and IP); (ii) eligibility enforcement via institutional email-domain allowlists with hardened normalization; and (iii) email-delivered one-time passcodes (OTP) to verify mailbox control before enabling chat functionality. Beyond describing control flow and state, we make security-critical choices explicit and standards-aligned (CSPRNG OTP generation; hashed-at-rest verifiers using HMAC with per-issuance nonce, explicit domain separation “context”, and key identifiers; constant-time comparisons; TTL/attempt limits; single-active issuance with atomic rotation; session fixation defenses; CSRF-safe submit endpoints; key management and rotation). We quantify an online-guessing upper bound under stated limits and discuss why OTP spraying dominates risk, motivating anomaly-driven greylisting and multi-key limiter composition suitable for shared-IP campus environments. To reduce reliance on opaque low-code trust anchors, we provide a vendor-agnostic platform verification checklist and a reference external state-store pattern with signed, replay-resistant, monotonic state transitions and revocation semantics. Finally, we position email-OTP gates as a transitional control within broader enterprise LLM security posture (OWASP and participant-aware access control), and give a concrete migration roadmap toward stronger identity mechanisms (OIDC/OAuth, TOTP, and WebAuthn). The contribution is a systems design and operational blueprint rather than a novel algorithm or empirical study.
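As an added illustration (not code from the paper), the following Python sketch shows the hashed-at-rest OTP verifier design listed above: CSPRNG code generation, an HMAC verifier bound to a domain-separation context, key identifier, per-issuance nonce and the email, constant-time comparison, a TTL, an attempt cap, and single-active issuance with replace-on-reissue. The key ring, context label and in-memory dictionary store are assumptions standing in for a secret store and the external state store the paper describes.

```python
import hmac
import hashlib
import secrets
from dataclasses import dataclass

# Hypothetical key ring (assumption); real deployments load keys from a secret store and rotate by kid.
KEYS = {"k1": b"\x01" * 32}
ACTIVE_KID = "k1"
CONTEXT = b"email-otp-verifier-v1"  # domain-separation label (constructed)
OTP_TTL = 300                       # seconds an issued code stays valid
MAX_ATTEMPTS = 5                    # verification attempts per issuance

@dataclass
class Issuance:
    kid: str
    nonce: bytes
    verifier: bytes
    expires_at: float
    attempts: int = 0

def _derive(kid, nonce, email, otp):
    # verifier = HMAC(key[kid], context || kid || nonce || email || otp), fields length-prefixed
    parts = [CONTEXT, kid.encode(), nonce, email.encode(), otp.encode()]
    msg = b"".join(len(p).to_bytes(2, "big") + p for p in parts)
    return hmac.new(KEYS[kid], msg, hashlib.sha256).digest()

def issue_otp(store, email, now):
    email = email.strip().lower()            # simplified normalization stand-in
    otp = f"{secrets.randbelow(10**6):06d}"  # CSPRNG, 6 digits
    nonce = secrets.token_bytes(16)          # per-issuance nonce
    # Single active issuance: replacing the record invalidates any earlier code for this email.
    store[email] = Issuance(ACTIVE_KID, nonce, _derive(ACTIVE_KID, nonce, email, otp), now + OTP_TTL)
    return otp                               # only ever sent to the mailbox, never stored

def verify_otp(store, email, candidate, now):
    email = email.strip().lower()
    iss = store.get(email)
    if iss is None:
        return "no_issuance"
    if now > iss.expires_at:                 # TTL enforced before any comparison
        store.pop(email, None)
        return "expired"
    if iss.attempts >= MAX_ATTEMPTS:         # attempt cap: lock and discard the issuance
        store.pop(email, None)
        return "locked"
    iss.attempts += 1
    if hmac.compare_digest(_derive(iss.kid, iss.nonce, email, candidate), iss.verifier):
        store.pop(email, None)               # consume on success: strictly one-time
        return "ok"
    return "bad_code"
```

In a multi-instance deployment the `store[email] = ...` replace and the attempt increment must be atomic operations on the shared state store, which is the property the paper's external state-store pattern provides.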