One Time Password (HOTP/TOTP) library for Node.js, Deno, Bun and browsers
The otpauth npm package is a library for generating and validating one-time passwords (OTPs) using the HOTP (HMAC-based One-Time Password) and TOTP (Time-based One-Time Password) algorithms. It is useful for implementing two-factor authentication (2FA) in applications.
Generate TOTP
This feature allows you to generate a time-based one-time password (TOTP). The code sample demonstrates how to create a TOTP instance with a secret key and generate a TOTP.
```javascript
const { TOTP } = require('otpauth');
const totp = new TOTP({ secret: 'KVKFKRCPNZQUYMLXOVYDSQKJKZDTSRLD' });
console.log(totp.generate());
```
Validate TOTP
This feature allows you to validate a time-based one-time password (TOTP). The code sample demonstrates how to create a TOTP instance, generate a TOTP, and validate it.
```javascript
const { TOTP } = require('otpauth');
const totp = new TOTP({ secret: 'KVKFKRCPNZQUYMLXOVYDSQKJKZDTSRLD' });
const token = totp.generate();
console.log(totp.validate({ token }));
```
Generate HOTP
This feature allows you to generate an HMAC-based one-time password (HOTP). The code sample demonstrates how to create an HOTP instance with a secret key and generate an HOTP using a counter.
```javascript
const { HOTP } = require('otpauth');
const hotp = new HOTP({ secret: 'KVKFKRCPNZQUYMLXOVYDSQKJKZDTSRLD' });
console.log(hotp.generate({ counter: 1 }));
```
Validate HOTP
This feature allows you to validate an HMAC-based one-time password (HOTP). The code sample demonstrates how to create an HOTP instance, generate an HOTP, and validate it using a counter.
```javascript
const { HOTP } = require('otpauth');
const hotp = new HOTP({ secret: 'KVKFKRCPNZQUYMLXOVYDSQKJKZDTSRLD' });
const token = hotp.generate({ counter: 1 });
console.log(hotp.validate({ token, counter: 1 }));
```
Speakeasy is a library for generating and verifying one-time passwords (OTPs) using both HOTP and TOTP algorithms. It provides similar functionality to otpauth but also includes additional features such as QR code generation for easier 2FA setup.
notp is a simple library for generating and verifying one-time passwords (OTPs) using the HOTP and TOTP algorithms. It is lightweight and easy to use, making it a good alternative to otpauth for basic OTP needs.
otp-generator is a library focused on generating one-time passwords (OTPs) with customizable length and character sets. While it does not provide validation functionality, it is useful for generating OTPs in various formats.
One Time Password (HOTP/TOTP) library for Node.js, Deno, Bun and browsers.
Node.js:

```javascript
import * as OTPAuth from "otpauth";

// Create a new TOTP object.
let totp = new OTPAuth.TOTP({
  // Provider or service the account is associated with.
  issuer: "ACME",
  // Account identifier.
  label: "AzureDiamond",
  // Algorithm used for the HMAC function.
  algorithm: "SHA1",
  // Length of the generated tokens.
  digits: 6,
  // Interval of time for which a token is valid, in seconds.
  period: 30,
  // Arbitrary key encoded in base32 or OTPAuth.Secret instance
  // (if omitted, a cryptographically secure random secret is generated).
  secret: "NB2W45DFOIZA", // or `OTPAuth.Secret.fromBase32("NB2W45DFOIZA")` or `new OTPAuth.Secret()`
});

// A cryptographically secure random secret can also be generated with:
let secret = new OTPAuth.Secret({ size: 20 });

// Generate a token (returns the current token as a string).
let token = totp.generate();

// Validate a token (returns the token delta or null if it is not found in the
// search window, in which case it should be considered invalid).
let delta = totp.validate({ token, window: 1 });

// Get the remaining seconds until the current token changes.
let seconds = totp.period - (Math.floor(Date.now() / 1000) % totp.period);

// Convert to Google Authenticator key URI format (usually the URI is encoded
// in a QR code that can be scanned by the user. This functionality is outside
// the scope of the project, but there are many libraries that can be used for
// this purpose).
//
// otpauth://totp/ACME:AzureDiamond?issuer=ACME&secret=NB2W45DFOIZA&algorithm=SHA1&digits=6&period=30
let uri = totp.toString(); // or 'OTPAuth.URI.stringify(totp)'

// Convert from Google Authenticator key URI format.
totp = OTPAuth.URI.parse(uri);
```

Deno:

```javascript
import * as OTPAuth from "https://deno.land/x/otpauth@VERSION/dist/otpauth.esm.js";

// Same as above.
```

Bun:

```javascript
import * as OTPAuth from "otpauth";

// Same as above.
```

Browsers:

```html
<script src="https://cdnjs.cloudflare.com/ajax/libs/otpauth/VERSION/otpauth.umd.min.js"></script>
<script>
  // Same as above.
</script>
```
See the documentation page.
In Node.js, the same algorithms as the Crypto.createHmac function are supported, since it is used internally. In Deno, Bun and browsers, the SHA1, SHA224, SHA256, SHA384, SHA512, SHA3-224, SHA3-256, SHA3-384 and SHA3-512 algorithms are supported by using the @noble/hashes library.