npm package discovery and stats viewer.

Discover Tips

  • General search

    [free text search, go nuts!]

  • Package details

    pkg:[package-name]

  • User packages

    @[username]

Sponsor

Optimize Toolset

I’ve always been into building performant and accessible sites, but lately I’ve been taking it extremely seriously. So much so that I’ve been building a tool to help me optimize and monitor the sites that I build to make sure that I’m making an attempt to offer the best experience to those who visit them. If you’re into performant, accessible and SEO friendly sites, you might like it too! You can check it out at Optimize Toolset.

About

Hi, 👋, I’m Ryan Hefner  and I built this site for me, and you! The goal of this site was to provide an easy way for me to check the stats on my npm packages, both for prioritizing issues and updates, and to give me a little kick in the pants to keep up on stuff.

As I was building it, I realized that I was actually using the tool to build the tool, and figured I might as well put this out there and hopefully others will find it to be a fast and useful way to search and browse npm packages as I have.

If you’re interested in other things I’m working on, follow me on Twitter or check out the open source projects I’ve been publishing on GitHub.

I am also working on a Twitter bot for this site to tweet the most popular, newest, random packages from npm. Please follow that account now and it will start sending out packages soon–ish.

Open Software & Tools

This site wouldn’t be possible without the immense generosity and tireless efforts from the people who make contributions to the world and share their work via open source initiatives. Thank you 🙏

© 2026 – Pkg Stats / Ryan Hefner

ltpa

v3.2.0

Published

Ltpa token generation and validation

Vulnerabilities

Powered byPowered by Snyk
  • 0High
  • 0Medium
  • 0Low

Links

Git

Maintainers

markusbergmarkusberg

Keywords

authenticationibmlotusltpatokenvalidationwebsphere

Readme

ltpa

node.js build coverage version license downloads

A small library for generating and validating ltpa tokens. Based on the IBM specification.

Who is this for?

For developers integrating Node.js applications with the world of IBM Domino and/or Websphere.

Since version 2.0, this module is strictly ESmodule. If you require CommonJS, you can still use the 1.x versions.

Retrieving the server secret

In IBM Domino, the server secret can be found in the names.nsf database, ($WebSSOConfigs) view, LTPA_DominoSecret field.

Getting the module

$ npm install ltpa

or clone it from github:

$ git clone https://github.com/markusberg/ltpa.git

API

The full API documentation is automatically generated by TypeDoc from the JSDoc comments.

Here's a brief description of the API. Normally you'll only use a few of these functions. See examples below.

  • setSecrets(secrets: Secrets): Add your server secrets to the library, for later use in validation and signing of tokens
  • refresh(token: string, domain: string): Validate provided token, and return a fresh token
  • generateUserNameBuf(userName: string): Generate a userName Buffer. Currently hardcoded to CP-850, but the true char encoding is LMBCS
  • generate(userNameBuf: Buffer, domain: string): Generate a Base64-encoded Ltpa token
  • setValidity(seconds: number): Set how long a generated token is valid. Default is 5400 seconds (90 minutes).
  • setStrictExpirationValidation(strict: boolean): When set to true (default since v3.0.0), token expiration validation will check the actual validation timestamp in the token instead of the calculated expiration.
  • setGracePeriod(seconds: number): Set the amount of time outside a ticket's validity that we will still accept it. This time is also added to the validity of tokens that are generated. Default is 300 seconds (5 minutes).
    NOTE: since the grace period is added both on token generation, and during validation, the actual grace period is double what is set here.
  • getUserName(token: string): Retrieve the username as a string from the provided token. No validation of the token is performed
  • getUserNameBuf(token: string): Retrieve the username as a Buffer from the provided token. No validation of the token is performed
  • validate(token: string, domain: string): Validate provided token. Throws an error if validation fails

Example 1

These examples are for Express, but the functionality should be easy to adapt to Koa or other frameworks.

Add the dependency and create a simple middleware:

import { getUserName, refresh, setSecrets } from 'ltpa'
import { NextFunction, Request, Response } from 'express'

setSecrets({
  'example.com': 'AAECAwQFBgcICQoLDA0ODxAREhM=',
})

/**
 * Express Middleware
 * Authenticate user by verifying the provided LtpaToken cookie
 */
export function mwLtpaAuth(req: Request, res: Response, next: NextFunction) {
  try {
    const ltpaToken = refresh(req.cookies.LtpaToken, 'example.com')
    const newCookie =
      'LtpaToken=' + ltpaToken + '; Path=/; Domain=' + 'example.com'
    res.setHeader('Set-Cookie', newCookie)
    next()
  } catch (err) {
    console.log(err)
    res.status(401).json({ message: 'Not authorized for this resource' })
  }
}

/**
 * Express route
 */
router.get('/testAuth', mwLtpaAuth, (req: Request, res: Response) => {
  res.send('user is logged in as ' + getUserName(req.cookies.LtpaToken))
})

Example 2

If you need to access a backend Domino database using a specific user account, you can generate an LtpaToken for that account using the generate method:

import { Request, Response } from 'express'
import { generate, generateUserNameBuf, setSecrets } from 'ltpa'

setSecrets({
  'example.com': 'AAECAwQFBgcICQoLDA0ODxAREhM=',
})

router.get('/myDominoView', async (req: Request, res: Response) => {
  const userNameBuf = generateUserNameBuf('CN=Sysadmin Account,O=Example Inc')
  const backendToken = generate(userNameBuf, 'example.com')

  const url = new URL(
    '/api/data/collections/name/myDominoView',
    'https://domino.example.com/',
  )
  const headers = { Cookie: `LtpaToken=${backendToken}` }

  try {
    const response = await fetch(url, { headers })
    const json = await response.json()
    res.json(json)
  } catch (err) {
    console.error(err)
    res.status(500).send(err)
  }
})

Tests

$ npm test

or to run it continuously, while watching for changes

$ npm run test:watch

Known issues

Character sets

The character encoding in the ltpa tokens is an old IBM/Lotus format called LMBCS (Lotus Multi-Byte Character Set) for which I have implemented partial encoder and decoder functions. As of version 3.2.0 (2026-05-25), this packages supports the following character groups:

  • The default character set (basically lower ascii)
  • LMBCS-1 -- mostly Latin-1 (IBM850) which covers western Europe
  • LMBCS-6 -- mostly Latin-2 (IBM852) covering most of central and eastern Europe

This covers most of Europe, the Americas, and more, so if the usernames in your Domino domain only contain characters in these groups you shouldn't have any problems.

LTPA1 only

The package only supports LTPA1, and not LTPA2. WebSphere Application Server Version 5 and later supports LTPA1. WebSphere Application Server Version 7 and later supports LTPA2:

https://www.ibm.com/support/knowledgecenter/en/SSAW57_8.5.5/com.ibm.websphere.nd.doc/ae/cwbs_ltpatokens.html

However, there is a package by Benjamin Kröger for dealing with LTPA2:

  • https://github.com/benkroeger/oniyi-ltpa
  • https://www.npmjs.com/package/oniyi-ltpa