https://github.com/bad-antics/TOTP.jl
RFC 4226/6238 HOTP & TOTP implementation for Julia — Time-based One-Time Passwords for 2FA
Last synced: 2 months ago
- Host: GitHub
- URL: https://github.com/bad-antics/TOTP.jl
- Owner: bad-antics
- License: mit
- Created: 2026-03-15T16:33:37.000Z (3 months ago)
- Default Branch: main
- Last Pushed: 2026-03-15T17:19:30.000Z (3 months ago)
- Last Synced: 2026-03-16T05:43:20.189Z (3 months ago)
- Language: Julia
- Size: 9.77 KB
- Stars: 0
- Watchers: 0
- Forks: 0
- Open Issues: 0
Metadata Files:
- Readme: README.md
- License: LICENSE
Awesome Lists containing this project
- awesome-julia-security - TOTP.jl - RFC 4226/6238 compliant HOTP and TOTP one-time password generation and verification. (Cryptography / Cryptographic Utilities)
README
# TOTP.jl
RFC 4226 (HOTP) and RFC 6238 (TOTP) implementation for Julia — Time-based and HMAC-based One-Time Passwords for two-factor authentication.
## Features
- **HOTP** (RFC 4226) — HMAC-based One-Time Passwords
- **TOTP** (RFC 6238) — Time-based One-Time Passwords
- **Verification** with configurable time windows and constant-time comparison
- **Base32** encoding/decoding (RFC 4648)
- **Secret generation** with cryptographically secure random bytes
- **OTPAuth URI** generation for QR code provisioning (Google Authenticator, Authy, etc.)
- **Multiple hash algorithms** — SHA-1, SHA-256, SHA-512
- **Zero dependencies** beyond Julia stdlib (SHA.jl)
## Installation
```julia
using Pkg
Pkg.add(url="https://github.com/bad-antics/TOTP.jl")
```
## Quick Start
```julia
using TOTP
# Generate a random secret
secret = generate_secret()
# Get the current TOTP code
code = totp(secret)
println("Your code: $code")
# Verify a code (with ±1 time step window)
is_valid = verify_totp(secret, code)
println("Valid: $is_valid")
# Generate URI for authenticator apps
uri = otpauth_uri(secret, "user@example.com", "MyApp")
println(uri)
# => otpauth://totp/MyApp:user%40example.com?secret=...&issuer=MyApp
```
## API Reference
### TOTP
```julia
totp(secret; digits=6, period=30, algorithm=:SHA1, time=time())
```
Generate a time-based OTP. `secret` can be raw bytes (`Vector{UInt8}`) or a Base32-encoded string.
### HOTP
```julia
hotp(secret, counter; digits=6, algorithm=:SHA1)
```
Generate an HMAC-based OTP for the given counter value.
### Verification
```julia
verify_totp(secret, code; window=1, digits=6, period=30, algorithm=:SHA1)
verify_hotp(secret, code, counter; look_ahead=0, digits=6, algorithm=:SHA1)
```
Verify OTP codes. `verify_totp` checks ±`window` time steps. `verify_hotp` returns `(valid::Bool, matched_counter::Int)`.
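The window check described above, as an added reference sketch that is not TOTP.jl's own source: it implements RFC 4226 truncation and an RFC 6238 ±`window` verifier with a non-short-circuiting comparison, then checks itself against published RFC test vectors. The names `ref_hotp`, `ct_equal` and `ref_verify_totp` are hypothetical, and the sketch is narrowed to HMAC-SHA-1.

```julia
using SHA  # Julia stdlib; provides hmac_sha1

# Hypothetical reference helpers written for this example (HMAC-SHA-1 only).

# RFC 4226: HMAC the 8-byte big-endian counter, then apply dynamic truncation.
function ref_hotp(key::Vector{UInt8}, counter::Integer; digits::Int=6)
    c = UInt64(counter)
    msg = [UInt8((c >> (8i)) & 0xff) for i in 7:-1:0]
    mac = hmac_sha1(key, msg)
    o = Int(mac[end] & 0x0f) + 1   # low nibble is a 0-based offset; Julia indexes from 1
    bin = (UInt32(mac[o] & 0x7f) << 24) | (UInt32(mac[o+1]) << 16) |
          (UInt32(mac[o+2]) << 8) | UInt32(mac[o+3])
    return lpad(string(bin % 10^digits), digits, '0')
end

# Compare two codes without returning at the first differing byte.
function ct_equal(a::AbstractString, b::AbstractString)
    x, y = codeunits(a), codeunits(b)
    length(x) == length(y) || return false
    acc = 0x00
    for i in eachindex(x)
        acc |= xor(x[i], y[i])
    end
    return acc == 0x00
end

# RFC 6238: counter = floor(unix_time / period); accept steps within ±window.
function ref_verify_totp(key, code, t; window::Int=1, period::Int=30, digits::Int=6)
    step = fld(floor(Int, t), period)
    ok = false
    for s in (step - window):(step + window)
        s < 0 && continue
        ok |= ct_equal(ref_hotp(key, s; digits=digits), code)  # no early exit
    end
    return ok
end

key = Vector{UInt8}("12345678901234567890")  # ASCII test secret from the RFCs

# RFC 4226 Appendix D, counters 0 through 4
for (i, expected) in enumerate(["755224", "287082", "359152", "969429", "338314"])
    @assert ref_hotp(key, i - 1) == expected
end
# RFC 6238 Appendix B, SHA-1, 8 digits
@assert ref_hotp(key, fld(59, 30); digits=8) == "94287082"
@assert ref_hotp(key, fld(1111111109, 30); digits=8) == "07081804"

code = ref_hotp(key, fld(59, 30))                   # issued during step 1
@assert ref_verify_totp(key, code, 60)              # one step late, window=1
@assert !ref_verify_totp(key, code, 60; window=0)   # exact step only
@assert !ref_verify_totp(key, code, 90)             # two steps late
```

With `window=1` a code stays acceptable for up to three periods (90 seconds at the default `period=30`), so the window size is a direct trade between clock-drift tolerance and how long an observed code remains usable.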
### Key Management
```julia
secret = generate_secret(nbytes=20) # Base32-encoded random key
uri = otpauth_uri(secret, "user@example.com", "MyApp")
```
### Base32
```julia
encoded = base32_encode("Hello") # => "JBSWY3DP"
decoded = base32_decode("JBSWY3DP") # => UInt8[0x48, 0x65, 0x6c, 0x6c, 0x6f]
```
## RFC Compliance
Validated against all test vectors from:
- [RFC 4226](https://tools.ietf.org/html/rfc4226) — HOTP (Appendix D)
- [RFC 6238](https://tools.ietf.org/html/rfc6238) — TOTP (Appendix B)
- [RFC 4648](https://tools.ietf.org/html/rfc4648) — Base32 Encoding
## License
MIT