https://github.com/yeojz/otplib
One Time Password (OTP) / 2FA for Node.js and Browser - Supports HOTP, TOTP and Google Authenticator
https://github.com/yeojz/otplib
2fa authenticator browser google-authenticator hmac hotp nodejs one-time-passwords otp two-factor two-factor-authentication
Last synced: 17 days ago
JSON representation
One Time Password (OTP) / 2FA for Node.js and Browser - Supports HOTP, TOTP and Google Authenticator
- Host: GitHub
- URL: https://github.com/yeojz/otplib
- Owner: yeojz
- License: mit
- Created: 2014-04-13T18:11:09.000Z (almost 12 years ago)
- Default Branch: main
- Last Pushed: 2026-01-21T16:22:55.000Z (22 days ago)
- Last Synced: 2026-01-22T04:17:18.099Z (21 days ago)
- Topics: 2fa, authenticator, browser, google-authenticator, hmac, hotp, nodejs, one-time-passwords, otp, two-factor, two-factor-authentication
- Language: TypeScript
- Homepage: https://otplib.yeojz.dev
- Size: 4.5 MB
- Stars: 2,168
- Watchers: 13
- Forks: 141
- Open Issues: 9
-
Metadata Files:
- Readme: README.md
- Contributing: CONTRIBUTING.md
- License: LICENSE
- Security: SECURITY.md
Awesome Lists containing this project
README
# otplib-repo
[](https://www.npmjs.com/package/otplib)
[](https://opensource.org/licenses/MIT)
[](https://www.npmjs.com/package/otplib)
[](https://github.com/yeojz/otplib)
TypeScript-first library for HOTP and TOTP / Authenticator with multi-runtime (Node, Bun, Deno, Browser) support via plugins.
A web based demo is available at [https://otplib.yeojz.dev](https://otplib.yeojz.dev).
## Features
- **Zero Configuration** - Works out of the box with sensible defaults
- **RFC Compliant** - RFC 6238 (TOTP) and RFC 4226 (HOTP)
- **TypeScript-First** - Full type definitions
- **Google Authenticator Compatible** - Full otpauth:// URI support
- **Plugin Interface** - Flexible plugin system for customising your cryptographic and base32 requirements (if you want to deviate from the defaults)
- **Cross-platform** - Tested against Node.js, Bun, Deno, and browsers
## Breaking Changes (v13)
> [!IMPORTANT]
> v13 is a complete rewrite with breaking changes:
>
> - **New**
> - **Security-audited plugins** — Default crypto uses `@noble/hashes` and `@scure/base`, both independently audited
> - **Cross-platform defaults** — Works out-of-the-box in Node.js, Bun, Deno, and browsers
> - **Full type safety** — Comprehensive TypeScript types with strict mode from the ground up
> - **Async-first API** — All operations are async by default; sync variants available for compatible plugins
> - **Removed**
> - **Separate authenticator package** — TOTP now covers all authenticator functionality
> - **Outdated plugins** — Legacy crypto adapters removed in favor of modern, audited alternatives
>
> See [Migration Guide](https://otplib.yeojz.dev/guide/v12-adapter.html) for details.
## Quick Start
```bash
# Node
npm install otplib
pnpm add otplib
yarn add otplib
```
```bash
# Other runtimes
bun add otplib
deno install npm:otplib
```
```typescript
import { generateSecret, generate, verify, generateURI } from "otplib";
// Generate a secret
const secret = generateSecret();
// Generate a TOTP token
const token = await generate({ secret });
// Verify a token
const result = await verify({ secret, token });
console.log(result.valid); // true
```
## Packages
| Package | Version | Downloads |
| :-------------------------------------------------------------- | :-------------------------------------------------------------------------------------------------------------------------------- | :--------------------------------------------------------------------------------------------------------------------------------- |
| [`otplib`](./packages/otplib) | [](https://www.npmjs.com/package/otplib) | [](https://www.npmjs.com/package/otplib) |
| [`@otplib/core`](./packages/core) | [](https://www.npmjs.com/package/@otplib/core) | [](https://www.npmjs.com/package/@otplib/core) |
| [`@otplib/totp`](./packages/totp) | [](https://www.npmjs.com/package/@otplib/totp) | [](https://www.npmjs.com/package/@otplib/totp) |
| [`@otplib/hotp`](./packages/hotp) | [](https://www.npmjs.com/package/@otplib/hotp) | [](https://www.npmjs.com/package/@otplib/hotp) |
| [`@otplib/uri`](./packages/uri) | [](https://www.npmjs.com/package/@otplib/uri) | [](https://www.npmjs.com/package/@otplib/uri) |
| [`@otplib/plugin-base32-scure`](./packages/plugin-base32-scure) | [](https://www.npmjs.com/package/@otplib/plugin-base32-scure) | [](https://www.npmjs.com/package/@otplib/plugin-base32-scure) |
| [`@otplib/plugin-crypto-noble`](./packages/plugin-crypto-noble) | [](https://www.npmjs.com/package/@otplib/plugin-crypto-noble) | [](https://www.npmjs.com/package/@otplib/plugin-crypto-noble) |
| [`@otplib/plugin-crypto-node`](./packages/plugin-crypto-node) | [](https://www.npmjs.com/package/@otplib/plugin-crypto-node) | [](https://www.npmjs.com/package/@otplib/plugin-crypto-node) |
| [`@otplib/plugin-crypto-web`](./packages/plugin-crypto-web) | [](https://www.npmjs.com/package/@otplib/plugin-crypto-web) | [](https://www.npmjs.com/package/@otplib/plugin-crypto-web) |
## Documentation
Refer to the [Getting Started Guide](https://otplib.yeojz.dev/guide/getting-started), or check out the other sections in the guide:
- [Advanced Usage](https://otplib.yeojz.dev/guide/advanced-usage)
- [Runtime Compatibility](https://otplib.yeojz.dev/guide/runtime-compatibility)
- [Security Considerations](https://otplib.yeojz.dev/guide/security)
- [API Reference](https://otplib.yeojz.dev/api/)
## Contributing
See [CONTRIBUTING.md](./CONTRIBUTING.md) for development setup and guidelines.
## AI Usage Disclosure
Since v13, parts of the codebase, tests, and documentation have been refined with AI assistance, with all outputs reviewed by humans. See [CONTRIBUTING.md](./CONTRIBUTING.md#ai-usage-guidelines) for guidelines.
## License
[MIT](./LICENSE) © 2026 Gerald Yeo