{"id":13510243,"url":"https://github.com/hectorm/otpauth","last_synced_at":"2025-12-12T04:33:10.111Z","repository":{"id":15421289,"uuid":"77928713","full_name":"hectorm/otpauth","owner":"hectorm","description":"One Time Password (HOTP/TOTP) library for Node.js, Deno, Bun and browsers.","archived":false,"fork":false,"pushed_at":"2025-04-21T13:16:00.000Z","size":8582,"stargazers_count":1155,"open_issues_count":2,"forks_count":61,"subscribers_count":10,"default_branch":"master","last_synced_at":"2025-04-24T00:53:45.851Z","etag":null,"topics":["auth","authenticator","browser","bun","deno","google-authenticator","hotp","javascript","node","node-js","nodejs","otp","otpauth","security","totp","two-factor","two-factor-authentication","two-step","two-step-authentication"],"latest_commit_sha":null,"homepage":"https://hectorm.github.io/otpauth/","language":"JavaScript","has_issues":true,"has_wiki":null,"has_pages":null,"mirror_url":null,"source_name":null,"license":"mit","status":null,"scm":"git","pull_requests_enabled":true,"icon_url":"https://github.com/hectorm.png","metadata":{"files":{"readme":"README.md","changelog":null,"contributing":null,"funding":null,"license":"LICENSE.md","code_of_conduct":null,"threat_model":null,"audit":null,"citation":null,"codeowners":null,"security":"SECURITY.md","support":null,"governance":null,"roadmap":null,"authors":null,"dei":null,"publiccode":null,"codemeta":null},"funding":{"github":"hectorm","custom":"https://hector.molinero.dev/donate"}},"created_at":"2017-01-03T15:24:03.000Z","updated_at":"2025-04-23T23:28:24.000Z","dependencies_parsed_at":"2023-11-07T01:37:35.264Z","dependency_job_id":"c3f8f873-5dc5-436a-912b-82659d6eb8b9","html_url":"https://github.com/hectorm/otpauth","commit_stats":{"total_commits":949,"total_committers":6,"mean_commits":"158.16666666666666","dds":0.5216016859852477,"last_synced_commit":"ce9a5c0690eaf79ea57df02d81bedd8e2f7926df"},"previous_names":["zant95/otpauth"],"tags_count":105,"template":false,"template_full_name":null,"repository_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/hectorm%2Fotpauth","tags_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/hectorm%2Fotpauth/tags","releases_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/hectorm%2Fotpauth/releases","manifests_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/hectorm%2Fotpauth/manifests","owner_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners/hectorm","download_url":"https://codeload.github.com/hectorm/otpauth/tar.gz/refs/heads/master","host":{"name":"GitHub","url":"https://github.com","kind":"github","repositories_count":250541004,"owners_count":21447427,"icon_url":"https://github.com/github.png","version":null,"created_at":"2022-05-30T11:31:42.601Z","updated_at":"2022-07-04T15:15:14.044Z","host_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub","repositories_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories","repository_names_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repository_names","owners_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners"}},"keywords":["auth","authenticator","browser","bun","deno","google-authenticator","hotp","javascript","node","node-js","nodejs","otp","otpauth","security","totp","two-factor","two-factor-authentication","two-step","two-step-authentication"],"created_at":"2024-08-01T02:01:30.325Z","updated_at":"2025-12-12T04:33:05.048Z","avatar_url":"https://github.com/hectorm.png","language":"JavaScript","readme":"[![Last version](https://img.shields.io/github/v/tag/hectorm/otpauth?label=version)](https://github.com/hectorm/otpauth/tags)\n[![npm downloads](https://img.shields.io/npm/dm/otpauth?label=npm%20downloads)](https://www.npmjs.com/package/otpauth)\n\n\u003cp align=\"center\"\u003e\n  \u003cimg alt=\"OTPAuth\" src=\"./resources/logo/OTPAuth-Color-Reduced.svg\" height=\"192\" /\u003e\n\u003c/p\u003e\n\n# OTPAuth\n\nOne Time Password library for Node.js, Deno, Bun and browsers.\n\nIt supports the generation and validation of\nHMAC-Based One-Time Passwords (HOTP) as specified in [RFC 4226](https://datatracker.ietf.org/doc/html/rfc4226) and\nTime-Based One-Time Passwords (TOTP) as specified in [RFC 6238](https://datatracker.ietf.org/doc/html/rfc6238).\nFrequently used in Multi-Factor Authentication (MFA) / Two-Factor Authentication (2FA) systems.\n\n\u003e [!TIP]\n\u003e You can try the library with the demo application available at [otpauth.molinero.dev](https://otpauth.molinero.dev).\n\u003e\n\u003e If you wish to interact with the library in your browser console, the following snippet can be used:\n\u003e\n\u003e ```javascript\n\u003e const OTPAuth = await import(\"otpauth\");\n\u003e ```\n\n## Usage\n\nThis section presents an overview of the most common usage patterns, along with some security recommendations.\n\n### [Node.js / Bun](https://www.npmjs.com/package/otpauth)\n\n```javascript\nimport * as OTPAuth from \"otpauth\";\n\n// Create a new TOTP object.\nlet totp = new OTPAuth.TOTP({\n  // Provider or service the account is associated with.\n  issuer: \"ACME\",\n  // Account identifier.\n  label: \"Alice\",\n  // Algorithm used for the HMAC function, possible values are:\n  //   \"SHA1\", \"SHA224\", \"SHA256\", \"SHA384\", \"SHA512\",\n  //   \"SHA3-224\", \"SHA3-256\", \"SHA3-384\" and \"SHA3-512\".\n  algorithm: \"SHA1\",\n  // Length of the generated tokens.\n  digits: 6,\n  // Interval of time for which a token is valid, in seconds.\n  period: 30,\n  // Arbitrary key encoded in base32 or `OTPAuth.Secret` instance\n  // (if omitted, a cryptographically secure random secret is generated).\n  secret: \"US3WHSG7X5KAPV27VANWKQHF3SH3HULL\",\n  //   or: `OTPAuth.Secret.fromBase32(\"US3WHSG7X5KAPV27VANWKQHF3SH3HULL\")`\n  //   or: `new OTPAuth.Secret()`\n});\n\n// Unless you know what you are doing, it is recommended to use the default\n// values for the algorithm, digits, and period options, as these are the most\n// common values used by most services.\n\n// Generate a cryptographically secure random secret.\n// It is NOT recommended to use less than 128 bits (16 bytes).\nlet secret = new OTPAuth.Secret({ size: 20 });\n\n// Generate a token (returns the current token as a string).\nlet token = totp.generate();\n\n// Validate a token (returns the token delta or null if it is not found in the\n// search window, in which case it should be considered invalid).\n//\n// A search window is useful to account for clock drift between the client and\n// server; however, it should be kept as small as possible to prevent brute\n// force attacks. In most cases, a value of 1 is sufficient. Furthermore, it is\n// essential to implement a throttling mechanism on the server.\n//\n// For further details on the security considerations, it is advised to refer\n// to Section 7 of RFC 4226 and Section 5 of RFC 6238:\n//   https://datatracker.ietf.org/doc/html/rfc4226#section-7\n//   https://datatracker.ietf.org/doc/html/rfc6238#section-5\nlet delta = totp.validate({ token, window: 1 });\n\n// Get the counter value (number of intervals since the Unix epoch).\n// Useful for implementing techniques against token reuse during the validity\n// period.\nlet counter = totp.counter();\n\n// Get the remaining milliseconds until the current token changes.\nlet remaining = totp.remaining();\n\n// Convert to Google Authenticator key URI format.\n// Usually the URI is encoded in a QR code that can be scanned by the user.\n// This functionality is outside the scope of the project, but there are many\n// libraries that can be used for this purpose, such as npmjs.com/package/qr\nlet uri = totp.toString();\n//   or:      `OTPAuth.URI.stringify(totp)`\n//   returns: `otpauth://totp/ACME:Alice?issuer=ACME\u0026secret=US3WHSG7X5KAPV27VANWKQHF3SH3HULL\u0026algorithm=SHA1\u0026digits=6\u0026period=30`\n\n// Convert from Google Authenticator key URI format.\ntotp = OTPAuth.URI.parse(uri);\n```\n\n### [Deno](https://jsr.io/@hectorm/otpauth)\n\n```javascript\nimport * as OTPAuth from \"jsr:@hectorm/otpauth\";\n\n// Same as above.\n```\n\n### [Browsers (ESM)](https://www.jsdelivr.com/package/npm/otpauth)\n\n```html\n\u003cscript type=\"importmap\"\u003e\n  {\n    \"imports\": { \"otpauth\": \"https://cdn.jsdelivr.net/npm/otpauth@%VERSION%/dist/otpauth.esm.min.js\" },\n    \"integrity\": { \"https://cdn.jsdelivr.net/npm/otpauth@%VERSION%/dist/otpauth.esm.min.js\": \"%HASH%\" }\n  }\n\u003c/script\u003e\n\u003cscript type=\"module\"\u003e\n  import * as OTPAuth from \"otpauth\";\n\n  // Same as above.\n\u003c/script\u003e\n```\n\n### [Browsers (UMD)](https://www.jsdelivr.com/package/npm/otpauth)\n\n```html\n\u003cscript\n  src=\"https://cdn.jsdelivr.net/npm/otpauth@%VERSION%/dist/otpauth.umd.min.js\"\n  integrity=\"%HASH%\"\n  crossorigin=\"anonymous\"\n  referrerpolicy=\"no-referrer\"\n\u003e\u003c/script\u003e\n\u003cscript\u003e\n  // Same as above.\n\u003c/script\u003e\n```\n\n## Documentation\n\nFor additional information, please refer to the documentation page at [hectorm.github.io/otpauth/](https://hectorm.github.io/otpauth/).\n\n## License\n\n[MIT License](https://github.com/hectorm/otpauth/blob/master/LICENSE.md)\n© [Héctor Molinero Fernández](https://hector.molinero.dev/).\n","funding_links":["https://github.com/sponsors/hectorm","https://hector.molinero.dev/donate"],"categories":["JavaScript","Packages","browser"],"sub_categories":[],"project_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fhectorm%2Fotpauth","html_url":"https://awesome.ecosyste.ms/projects/github.com%2Fhectorm%2Fotpauth","lists_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fhectorm%2Fotpauth/lists"}