One-line summary: GSTN's use of OTP for authentication is not very secure. GSTN should use a standard like OAuth.
The GST Network's (GSTN) version 0.2 draft API proposes using a One-Time Password (OTP) for software to authenticate on behalf of a Tax Payer (user). The design of the Authentication API is documented here. The Authentication API is well designed to ensure that data communicated between any software and GSTN is secure.
However, the API uses an OTP to authenticate software on behalf of a user. Here is a relevant quote from the API document.