
560 points bearsyankees | 2 comments
1. andoando No.43967129
If they're sending the OTP to the user, it's because the OTP is being checked client side, so you might have been able to just call the authentication endpoint directly.
replies(1): >>43967955
2. joshstrange No.43967955
More likely it's misconfiguration of some kind.

Perhaps a holdover from testing (where you don't always want to send the SMS). Maybe just the habit/pattern of returning the item you just created in the DB and not remembering to mark the field as private. There are a whole slew of easy foot-guns. I'm not defending it but I doubt it's to do client-side validation, that would be insanity. It's easy enough to not notice a body on a response that you don't care about client side, "200? Cool, keep moving". It's still crazy they were returning the OTP and I sure hope it wasn't on purpose.
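The foot-gun joshstrange describes (serialising the freshly inserted row, OTP included) next to the allowlisted response and the server-side check that andoando's comment implies, as an added Python example that is not from the thread or from the app being discussed; the in-memory DB, field names and limits are constructed assumptions.

```python
import hmac
import secrets
import time

# Constructed in-memory "database": challenge id -> record (assumption; stands
# in for whatever ORM the app in the thread used).
DB: dict[str, dict] = {}


def create_otp_challenge(phone: str, ttl_seconds: int = 300) -> dict:
    """Create the OTP record; a real app would hand record["code"] to the SMS sender.
    Returns the stored row, mirroring the 'return what you just inserted' habit."""
    record = {
        "id": secrets.token_hex(8),
        "phone": phone,
        "code": f"{secrets.randbelow(10**6):06d}",  # the secret the SMS carries
        "expires_at": time.time() + ttl_seconds,
        "attempts": 0,
    }
    DB[record["id"]] = record
    return record


# Foot-gun: dumping the DB row as-is puts the OTP in the HTTP response body.
def to_response_naive(record: dict) -> dict:
    return dict(record)


# Fix: an explicit allowlist of public fields, so a new column or a forgotten
# "private" marker cannot leak by default.
PUBLIC_FIELDS = ("id", "phone", "expires_at")


def to_response_public(record: dict) -> dict:
    return {k: record[k] for k in PUBLIC_FIELDS}


# Server-side check: the client only ever submits a guess; expiry, attempt
# limiting and the constant-time comparison all happen here.
MAX_ATTEMPTS = 5


def verify_otp(challenge_id: str, submitted: str) -> bool:
    record = DB.get(challenge_id)
    if record is None or time.time() > record["expires_at"]:
        return False
    if record["attempts"] >= MAX_ATTEMPTS:
        return False
    record["attempts"] += 1
    ok = hmac.compare_digest(record["code"], submitted)
    if ok:
        del DB[challenge_id]  # single use: a correct code cannot be replayed
    return ok
```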