npm package discovery and stats viewer.

Discover Tips

  • General search

    [free text search, go nuts!]

  • Package details

    pkg:[package-name]

  • User packages

    @[username]

Sponsor

Optimize Toolset

I’ve always been into building performant and accessible sites, but lately I’ve been taking it extremely seriously. So much so that I’ve been building a tool to help me optimize and monitor the sites that I build to make sure that I’m making an attempt to offer the best experience to those who visit them. If you’re into performant, accessible and SEO friendly sites, you might like it too! You can check it out at Optimize Toolset.

About

Hi, 👋, I’m Ryan Hefner  and I built this site for me, and you! The goal of this site was to provide an easy way for me to check the stats on my npm packages, both for prioritizing issues and updates, and to give me a little kick in the pants to keep up on stuff.

As I was building it, I realized that I was actually using the tool to build the tool, and figured I might as well put this out there and hopefully others will find it to be a fast and useful way to search and browse npm packages as I have.

If you’re interested in other things I’m working on, follow me on Twitter or check out the open source projects I’ve been publishing on GitHub.

I am also working on a Twitter bot for this site to tweet the most popular, newest, random packages from npm. Please follow that account now and it will start sending out packages soon–ish.

Open Software & Tools

This site wouldn’t be possible without the immense generosity and tireless efforts from the people who make contributions to the world and share their work via open source initiatives. Thank you 🙏

© 2026 – Pkg Stats / Ryan Hefner

otplib

v13.2.1

Published

TypeScript-first library for TOTP and HOTP with multi-runtime and plugin support

Vulnerabilities

Powered byPowered by Snyk
  • 0High
  • 0Medium
  • 0Low

Links

Git

Maintainers

geraldyeogeraldyeo

Keywords

otphotptotprfc4226rfc62382famfaauthenticatorgoogle-authenticatorone-time-passwordsecurity

Readme

otplib

TypeScript-first library for HOTP and TOTP / Authenticator with multi-runtime (Node, Bun, Deno, Browser) support via plugins.

A web based demo is available at https://otplib.yeojz.dev.

Features

  • Zero Configuration - Works out of the box with sensible defaults
  • RFC Compliant - RFC 6238 (TOTP) and RFC 4226 (HOTP)
  • TypeScript-First - Full type definitions
  • Google Authenticator Compatible - Full otpauth:// URI support
  • Plugin Interface - Flexible plugin system for customising your cryptographic and base32 requirements (if you want to deviate from the defaults)
  • Cross-platform - Tested against Node.js, Bun, Deno, and browsers

Breaking Changes (v13)

[!IMPORTANT]
v13 is a complete rewrite with breaking changes:

  • New
    • Security-audited plugins — Default crypto uses @noble/hashes and @scure/base, both independently audited
    • Cross-platform defaults — Works out-of-the-box in Node.js, Bun, Deno, and browsers
    • Full type safety — Comprehensive TypeScript types with strict mode from the ground up
    • Async-first API — All operations are async by default; sync variants available for compatible plugins
  • Removed
    • Separate authenticator package — TOTP now covers all authenticator functionality
    • Outdated plugins — Legacy crypto adapters removed in favor of modern, audited alternatives

See Migration Guide for details.

Installation

# Node
npm install otplib
pnpm add otplib
yarn add otplib
# Other runtimes
bun add otplib
deno install npm:otplib

Quick Start

Functional API (Recommended)

import { generateSecret, generate, verify, generateURI } from "otplib";

// Generate a secret
const secret = generateSecret();

// Generate a TOTP token
const token = await generate({ secret });

// Verify a token
const isValid = await verify({ secret, token });

// Generate QR code URI for authenticator apps
const uri = generateURI({
  issuer: "MyService",
  label: "[email protected]",
  secret,
});

Class API

import { OTP } from "otplib";

// Create OTP instance (defaults to TOTP)
const otp = new OTP();

// Generate a secret
const secret = otp.generateSecret();

// Generate a TOTP token
const token = await otp.generate({ secret });

// Verify a token
const isValid = await otp.verify({ secret, token });

// Generate QR code URI for authenticator apps
const uri = otp.generateURI({
  issuer: "MyService",
  label: "[email protected]",
  secret,
});

Notes

Secret Format

By default, otplib expects secrets to be in Base32 format. While the core HOTP (RFC 4226) and TOTP (RFC 6238) specifications work with raw binary data and don't mandate Base32 encoding, Base32 is the standard format used by authenticator applications and QR code URIs for compatibility.

// Base32 secret (standard format for authenticator compatibility)
const secret = "GEZDGNBVGY3TQOJQGEZDGNBVGY";

However, if you need to use secrets in other formats, you can either use the plugin-base32-alt plugin for raw strings or pass a byte array (using stringToBytes helper) for binary data.

For more details and examples, see the Secret Handling Guide and related plugin documentation in the guides directory.

Documentation

Refer to the Getting Started Guide, or check out the other sections in the guide:

License

MIT © 2026 Gerald Yeo