npm package discovery and stats viewer.

Discover Tips

  • General search

    [free text search, go nuts!]

  • Package details

    pkg:[package-name]

  • User packages

    @[username]

Sponsor

Optimize Toolset

I’ve always been into building performant and accessible sites, but lately I’ve been taking it extremely seriously. So much so that I’ve been building a tool to help me optimize and monitor the sites that I build to make sure that I’m making an attempt to offer the best experience to those who visit them. If you’re into performant, accessible and SEO friendly sites, you might like it too! You can check it out at Optimize Toolset.

About

Hi, 👋, I’m Ryan Hefner  and I built this site for me, and you! The goal of this site was to provide an easy way for me to check the stats on my npm packages, both for prioritizing issues and updates, and to give me a little kick in the pants to keep up on stuff.

As I was building it, I realized that I was actually using the tool to build the tool, and figured I might as well put this out there and hopefully others will find it to be a fast and useful way to search and browse npm packages as I have.

If you’re interested in other things I’m working on, follow me on Twitter or check out the open source projects I’ve been publishing on GitHub.

I am also working on a Twitter bot for this site to tweet the most popular, newest, random packages from npm. Please follow that account now and it will start sending out packages soon–ish.

Open Software & Tools

This site wouldn’t be possible without the immense generosity and tireless efforts from the people who make contributions to the world and share their work via open source initiatives. Thank you 🙏

© 2026 – Pkg Stats / Ryan Hefner

gen-totp

v3.0.1

Published

A time-based One-time Password generator that uses current time as a source of uniqueness, following RFC 6238.

Downloads

351

Vulnerabilities

Powered byPowered by Snyk
  • 0High
  • 0Medium
  • 0Low

Links

Git

Maintainers

miladezzatmiladezzat

Keywords

otpgenerate-otptotpmobile-verification

Readme

Generate TOTP

npm version npm downloads

Time-based One-Time Password (TOTP) is an algorithm that generates a one-time password based on the current time. TOTP is an extension of the HMAC-based One-Time Password (HOTP) algorithm and is standardized in RFC 6238. For more details, see Wikipedia.

Table of Contents

Installation

You can install gen-totp via npm or yarn:

npm install gen-totp
# or
yarn add gen-totp

Usage

Basic Usage

import genTOTP from 'gen-totp';

const otp = genTOTP('test-key');
// Returns a 6-digit OTP by default
console.log(otp);

Customizing OTP Length

import genTOTP from 'gen-totp';

const otp = genTOTP('test-key', { digits: 4 });
// Returns a 4-digit OTP
console.log(otp);

Options & API

The genTOTP function accepts a key and an optional options object. By default the key is treated as UTF-8 text; use the encoding option to specify hex or base32 when needed.

  1. key: The secret key (default treated as UTF-8). To change how the key is interpreted set options.encoding to one of: utf8 (default), hex, base32.
  2. options: An optional object to customize OTP generation. The available options are detailed in the table below.

| Option | Type | Default | Description | |------------|--------|---------|--------------------------------------------------------------------------------------------------| | digits | number | 6 | The number of digits in the generated OTP. | | period | number | 30 | The time period (in seconds) after which a new OTP is generated. | | algorithm | string | 'SHA-1' | The hashing algorithm used to generate the OTP. Supported algorithms include: | | | | | - SHA-1 | | | | | - SHA-224 | | | | | - SHA-256 | | | | | - SHA-384 | | | | | - SHA-512 | | | | | - SHA3-224 | | | | | - SHA3-256 | | | | | - SHA3-384 | | | | | - SHA3-512 | | | | | For more details, refer to the JsSHA documentation. |

Key format and encodings

genTOTP accepts keys in three encodings (default utf8):

  • utf8 (default): any UTF-8 string (letters, numbers, symbols, emoji).
  • hex: accepts 0-9 and a-f (case-insensitive). Invalid input throws Invalid hex character in key.
  • base32: RFC-4648 base32 (A–Z and 2–7). Padding = is stripped; invalid characters throw Invalid base32 character: <char>.

Examples:

  • UTF-8: mySecureKey123!, secretKey你好, emojiKey😊🔑
  • Hex: deadbeef1234, 01a2b3c4d5e6f7
  • Base32: JBSWY3DPEHPK3PXP, GEZDGNBVGY3TQOJQ

Deterministic testing & timestamp units

genTOTP accepts an optional third argument timestamp in unix milliseconds for deterministic outputs (used heavily in tests). Example:

genTOTP('my-secret', { digits: 6, period: 30 }, Date.parse('2021-01-01T00:00:00Z'))

Input validation & verification defaults

  • encoding: 'hex' will validate that the key contains only hex characters and throw Invalid hex character in key when invalid.
  • period must be a positive number; otherwise Invalid period; must be a positive number is thrown.
  • digits must be an integer between 1 and 10; otherwise Invalid digits; must be an integer between 1 and 10 is thrown.

Verification defaults:

  • verifyTOTP default window = 1 (checks previous/current/next period).
  • verifyHOTP default window = 10 and returns { newCounter } on success or null on failure.

See src/index.ts for exact behavior and error messages.

Features

  • genTOTP(key, options?, timestamp?) — generate TOTP (default: period=30, digits=6, algorithm='SHA-1', encoding='utf8'). timestamp is unix milliseconds for deterministic output.
  • verifyTOTP(key, token, options?, timestamp?) — verify a TOTP; returns true|false. Default verification window = 1.
  • genHOTP(key, counter, options?) — generate HOTP given a counter.
  • verifyHOTP(key, token, counter, options?) — verify HOTP; returns { newCounter } on success or null on failure. Default window = 10.
  • base32ToHex(input) — RFC-4648-like base32 decoder used internally; throws Invalid base32 character: <char> on invalid input.
  • bytesToBase32(bytes) — encode raw bytes to base32 (used by generateSecretKey).
  • generateSecretKey(length = 20) — generate a cryptographically-secure base32 secret (default 20 bytes → 32 base32 chars).
  • generateOtpAuthUri(key, { accountName, issuer, ... }) — build an otpauth://totp/... URI for QR codes; requires a valid base32 key and throws Invalid base32 key for otpauth URI for invalid input.
  • Supported algorithms: SHA-1, SHA-224, SHA-256, SHA-384, SHA-512, SHA3-224, SHA3-256, SHA3-384, SHA3-512 (see FixedLengthVariantType).
  • Key encodings: utf8 (default), hex (validated; throws Invalid hex character in key), base32 (uppercased, = padding stripped).
  • Exports: default export is genTOTP; named exports include base32ToHex, bytesToBase32, genHOTP, verifyHOTP, verifyTOTP, generateSecretKey, generateOtpAuthUri.

Documentation

For more detailed documentation, visit the Official Documentation .

Contributing

Contributions are welcome! If you have any bug reports, suggestions, or feature requests, please open an issue on GitHub.

To contribute:

  1. Fork the repository
  2. Create a new feature branch ( git checkout -b feature/new-feature )
  3. Commit your changes ( git commit -m 'Add new feature' )
  4. Push to the branch ( git push origin feature/new-feature )
  5. Create a new Pull Request Make sure to follow the Contributor Covenant Code of Conduct when participating in the project.