Advanced Time-Based One-Time Password (TOTP) Library
Totpify is a powerful library I built for generating and verifying Time-Based One-Time Passwords (TOTP), following RFC 6238. It's perfect for adding two-factor authentication to your apps, with support for different hash algorithms, QR code generation, and solid error handling.
Here's what the live code generator looks like in action:
Just grab it from npm:
# Using npm
npm install totpify
# Using yarn
yarn add totpify
# Using pnpm
pnpm add totpify
const { generateTOTP } = require('totpify');
// Generate a code using the default SHA-1 algorithm
const secret = 'JBSWY3DPEHPK3PXP';
const code = generateTOTP(secret);
console.log(`TOTP Code: ${code}`);
// With options
const codeWithOptions = generateTOTP(secret, {
algorithm: 'SHA-256',
digits: 8,
period: 30
});
console.log(`TOTP Code (8-digit, SHA-256): ${codeWithOptions}`);
const { verifyTOTP } = require('totpify');
const secret = 'JBSWY3DPEHPK3PXP';
const userProvidedCode = '123456';
const result = verifyTOTP(userProvidedCode, secret, {
window: 1, // Allow 1 step before and after (30 seconds each)
algorithm: 'SHA-1'
});
if (result.valid) {
console.log('Code is valid!');
console.log(`Time drift: ${result.delta} periods`);
} else {
console.log('Invalid code!');
}
const { generateQRCode } = require('totpify');
const secret = 'JBSWY3DPEHPK3PXP';
// Generate a QR code for the user to scan with their authenticator app
generateQRCode(secret, {
issuer: 'My App',
account: 'user@example.com'
}).then(dataUrl => {
console.log('QR Code (data URL):', dataUrl);
// You can embed this data URL in an <img> tag
});
generateTOTP(secret, options?)Generates a Time-Based One-Time Password.
Parameters:
secret (string | Uint8Array): Base32 encoded secret or raw bytesoptions (object, optional):
algorithm ('SHA-1' | 'SHA-256' | 'SHA-512'): Hash algorithm (default: 'SHA-1')digits (number): Number of digits (default: 6)period (number): Token validity period in seconds (default: 30)timestamp (number): Custom timestamp for code generation (default: current time)Returns: string - The generated TOTP code
verifyTOTP(token, secret, options?)Verifies a Time-Based One-Time Password.
Parameters:
token (string): The TOTP code to verifysecret (string | Uint8Array): Base32 encoded secret or raw bytesoptions (object, optional):
algorithm ('SHA-1' | 'SHA-256' | 'SHA-512'): Hash algorithm (default: 'SHA-1')digits (number): Number of digits (default: 6)period (number): Token validity period in seconds (default: 30)window (number): Time drift window (default: 1)timestamp (number): Custom timestamp for verification (default: current time)Returns: object - { valid: boolean, delta?: number }
generateQRCode(secret, options?)Generates a QR code for easy setup with authenticator apps.
Parameters:
secret (string): Base32 encoded secretoptions (object, optional):
issuer (string): Issuer name (default: 'Totpify')account (string): Account name (default: 'user')width (number): QR code width (default: 256)height (number): QR code height (default: 256)Returns: Promise - Data URL containing the QR code
generateRandomSecret(length?)Generates a random Base32 secret key.
Parameters:
length (number, optional): Length of the secret key in bytes (default: 20)Returns: string - Base32 encoded random secret
The CLI tool is super handy for quick tests or scripting:
# Show help
totpify help
# Generate a TOTP code
totpify generate JBSWY3DPEHPK3PXP
# Generate with options
totpify generate JBSWY3DPEHPK3PXP --algorithm=SHA-256 --digits=8
# Verify a code
totpify verify 123456 JBSWY3DPEHPK3PXP
# Create a QR code
totpify qrcode JBSWY3DPEHPK3PXP --issuer=MyApp --account=user@example.com output.png
# Generate a random secret
totpify create-secret
Totpify works great with all the popular authenticator apps and services:
const { generateTOTP } = require('totpify');
// Generate a code with a 60-second period instead of the default 30 seconds
const code = generateTOTP('JBSWY3DPEHPK3PXP', { period: 60 });
const { generateTOTP } = require('totpify');
const secret = 'JBSWY3DPEHPK3PXP';
// SHA-1 (default, compatible with most services)
const sha1Code = generateTOTP(secret, { algorithm: 'SHA-1' });
// SHA-256 (more secure)
const sha256Code = generateTOTP(secret, { algorithm: 'SHA-256' });
// SHA-512 (most secure)
const sha512Code = generateTOTP(secret, { algorithm: 'SHA-512' });
console.log(`SHA-1: ${sha1Code}`);
console.log(`SHA-256: ${sha256Code}`);
console.log(`SHA-512: ${sha512Code}`);
Got ideas? Contributions are welcome! Feel free to open issues or submit PRs.
git checkout -b feature/cool-feature)git commit -m 'Add some cool feature')git push origin feature/cool-feature)This project is licensed under the MIT License - see the LICENSE file for details.
Made with ❤️ by Wick Studio
FAQs
Advanced TOTP Library with enhanced security features and algorithm support
The npm package totpify receives a total of 3 weekly downloads. As such, totpify popularity was classified as not popular.
We found that totpify demonstrated a not healthy version release cadence and project activity because the last version was released a year ago. It has 1 open source maintainer collaborating on the project.
Did you know?
Socket for GitHub automatically highlights issues in each pull request and monitors the health of all your open source dependencies. Discover the contents of your packages and block harmful activity before you install or update your dependencies.
Security News
Multiple high-impact npm maintainers confirm they have been targeted in the same social engineering campaign that compromised Axios.
Security News
Axios compromise traced to social engineering, showing how attacks on maintainers can bypass controls and expose the broader software supply chain.
Security News
Node.js has paused its bug bounty program after funding ended, removing payouts for vulnerability reports but keeping its security process unchanged.