package module
v1.4.0 Latest Latest

This package is not in the latest version of its module.

Go to latest
Published: Dec 13, 2022 License: Apache-2.0 Imports: 13 Imported by: 653


otp: One Time Password utilities Go / Golang

PkgGoDev Build Status

Why One Time Passwords?

One Time Passwords (OTPs) are an mechanism to improve security over passwords alone. When a Time-based OTP (TOTP) is stored on a user's phone, and combined with something the user knows (Password), you have an easy on-ramp to Multi-factor authentication without adding a dependency on a SMS provider. This Password and TOTP combination is used by many popular websites including Google, GitHub, Facebook, Salesforce and many others.

The otp library enables you to easily add TOTPs to your own application, increasing your user's security against mass-password breaches and malware.

Because TOTP is standardized and widely deployed, there are many mobile clients and software implementations.

otp Supports:

  • Generating QR Code images for easy user enrollment.
  • Time-based One-time Password Algorithm (TOTP) (RFC 6238): Time based OTP, the most commonly used method.
  • HMAC-based One-time Password Algorithm (HOTP) (RFC 4226): Counter based OTP, which TOTP is based upon.
  • Generation and Validation of codes for either algorithm.

Implementing TOTP in your application:

User Enrollment

For an example of a working enrollment work flow, GitHub has documented theirs, but the basics are:

  1. Generate new TOTP Key for a User. key,_ := totp.Generate(...).
  2. Display the Key's Secret and QR-Code for the User. key.Secret() and key.Image(...).
  3. Test that the user can successfully use their TOTP. totp.Validate(...).
  4. Store TOTP Secret for the User in your backend. key.Secret()
  5. Provide the user with "recovery codes". (See Recovery Codes bellow)
Code Generation
  • In either TOTP or HOTP cases, use the GenerateCode function and a counter or time.Time struct to generate a valid code compatible with most implementations.
  • For uncommon or custom settings, or to catch unlikely errors, use GenerateCodeCustom in either module.
  1. Prompt and validate User's password as normal.
  2. If the user has TOTP enabled, prompt for TOTP passcode.
  3. Retrieve the User's TOTP Secret from your backend.
  4. Validate the user's passcode. totp.Validate(...)
Recovery Codes

When a user loses access to their TOTP device, they would no longer have access to their account. Because TOTPs are often configured on mobile devices that can be lost, stolen or damaged, this is a common problem. For this reason many providers give their users "backup codes" or "recovery codes". These are a set of one time use codes that can be used instead of the TOTP. These can simply be randomly generated strings that you store in your backend. Github's documentation provides an overview of the user experience.

Improvements, bugs, adding feature, etc:

Please open issues in Github for ideas, bugs, and general thoughts. Pull requests are of course preferred :)


otp is licensed under the Apache License, Version 2.0



Package otp implements both HOTP and TOTP based one time passcodes in a Google Authenticator compatible manner.

When adding a TOTP for a user, you must store the "secret" value persistently. It is recommended to store the secret in an encrypted field in your datastore. Due to how TOTP works, it is not possible to store a hash for the secret value like you would a password.

To enroll a user, you must first generate an OTP for them. Google Authenticator supports using a QR code as an enrollment method:

import (


key, err := totp.Generate(totp.GenerateOpts{
		Issuer: "Example.com",
		AccountName: "alice@example.com",

// Convert TOTP key into a QR code encoded as a PNG image.
var buf bytes.Buffer
img, err := key.Image(200, 200)
png.Encode(&buf, img)

// display the QR code to the user.

// Now Validate that the user's successfully added the passcode.
passcode := promptForPasscode()
valid := totp.Validate(passcode, key.Secret())

if valid {
	// User successfully used their TOTP, save it to your backend!
	storeSecret("alice@example.com", key.Secret())

Validating a TOTP passcode is very easy, just prompt the user for a passcode and retrieve the associated user's previously stored secret.

import "github.com/pquerna/otp/totp"

passcode := promptForPasscode()
secret := getSecret("alice@example.com")

valid := totp.Validate(passcode, secret)

if valid {
	// Success! continue login process.



This section is empty.


View Source
var ErrGenerateMissingAccountName = errors.New("AccountName must be set")

When generating a Key, the Account Name must be set.

View Source
var ErrGenerateMissingIssuer = errors.New("Issuer must be set")

When generating a Key, the Issuer must be set.

View Source
var ErrValidateInputInvalidLength = errors.New("Input length unexpected")

The user provided passcode length was not expected.

View Source
var ErrValidateSecretInvalidBase32 = errors.New("Decoding of secret as base32 failed.")

Error when attempting to convert the secret from base32 to raw bytes.


This section is empty.


type Algorithm

type Algorithm int

Algorithm represents the hashing function to use in the HMAC operation needed for OTPs.

const (
	// AlgorithmSHA1 should be used for compatibility with Google Authenticator.
	// See https://github.com/pquerna/otp/issues/55 for additional details.
	AlgorithmSHA1 Algorithm = iota

func (Algorithm) Hash

func (a Algorithm) Hash() hash.Hash

func (Algorithm) String

func (a Algorithm) String() string

type Digits

type Digits int

Digits represents the number of digits present in the user's OTP passcode. Six and Eight are the most common values.

const (
	DigitsSix   Digits = 6
	DigitsEight Digits = 8

func (Digits) Format

func (d Digits) Format(in int32) string

Format converts an integer into the zero-filled size for this Digits.

func (Digits) Length

func (d Digits) Length() int

Length returns the number of characters for this Digits.

func (Digits) String

func (d Digits) String() string

type Key

type Key struct {
	// contains filtered or unexported fields

Key represents an TOTP or HTOP key.

func NewKeyFromURL

func NewKeyFromURL(orig string) (*Key, error)

NewKeyFromURL creates a new Key from an TOTP or HOTP url.

The URL format is documented here:


func (*Key) AccountName

func (k *Key) AccountName() string

AccountName returns the name of the user's account.

func (*Key) Algorithm added in v1.4.0

func (k *Key) Algorithm() Algorithm

Algorithm returns the algorithm used or the default (SHA1).

func (*Key) Digits added in v1.4.0

func (k *Key) Digits() Digits

Digits returns a tiny int representing the number of OTP digits.

func (*Key) Image

func (k *Key) Image(width int, height int) (image.Image, error)

Image returns an QR-Code image of the specified width and height, suitable for use by many clients like Google-Authenricator to enroll a user's TOTP/HOTP key.

func (*Key) Issuer

func (k *Key) Issuer() string

Issuer returns the name of the issuing organization.

func (*Key) Period added in v1.3.0

func (k *Key) Period() uint64

Period returns a tiny int representing the rotation time in seconds.

func (*Key) Secret

func (k *Key) Secret() string

Secret returns the opaque secret for this Key.

func (*Key) String

func (k *Key) String() string

func (*Key) Type

func (k *Key) Type() string

Type returns "hotp" or "totp".

func (*Key) URL added in v1.1.0

func (k *Key) URL() string

URL returns the OTP URL as a string


Path Synopsis
interop module

Jump to

Keyboard shortcuts

? : This menu
/ : Search site
f or F : Jump to
y or Y : Canonical URL