triestpa/Tiny-OTP

Tiny-OTP

Tiny-OTP is a tiny (4kb) JavaScript library that can generate RFC 4226 compliant HMAC-based one-time passwords (HOTPs) and RFC 6238 compliant time-based one-time passwords (TOTPs).

This is the core library powering the Open-OTP project. To see an example of a full web app using Tiny-OTP (with QR code generation for easy Google Authenticator integration), visit the Open-OTP GitHub repository.

Usage

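// Generate a random secret.
// Note: an integer below 10 ** 12 carries under 40 bits of entropy;
// RFC 4226 requires a shared secret of at least 128 bits.
const secret = OTP.getRandomInt(0, 10 ** 12)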

// Initialize OTP generator with secret
const generator = new OTP(secret)

// Get the current 6-digit TOTP value.
// This value will change every 30 seconds.
let totp = generator.getTOTP()

// Get current 6-digit HOTP value.
// This value will change based on the provided counter parameter value.
let hotp = generator.getHOTP(5)

NPM / Browserify / Webpack

Install

npm install tiny-otp

Import

const OTP = require('tiny-otp')

or

import OTP from 'tiny-otp'

Browser Script Tag

Import

<script src="https://cdn.patricktriest.com/vendor/otp/otp.min.js"></script>

Base32 Compatibility

Google Authenticator requires secrets to be imported as base32 encoded strings. Tiny-OTP uses UTF-8 encoding by default, but contains helpers to import and export base32 encoded secrets.

To import a base32 encoded secret:

const generator = new OTP(secret, 'base32')

To export the secret in base32 encoding:

generator.getBase32Secret()

Extra digits

Tiny-OTP generates 6-digit OTPs by default, but can also generate 8-digit OTPs. The number of digits is an optional parameter of the TOTP and HOTP methods.

// Get the current 8-digit TOTP value.
let totp = generator.getTOTP(8)

// Get 8-digit HOTP value, for counter = 5.
let hotp = generator.getHOTP(5, 8)
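
To cross-check any generator's output against the published RFC test vectors, the following added example (not part of Tiny-OTP or its README) implements RFC 4226 HOTP and RFC 6238 TOTP on Node's built-in crypto module, decodes a base32 secret, and verifies a submitted code. The function names, the HMAC-SHA1 / 30-second defaults and the one-step drift window are assumptions of this example; the key is the RFC 4226 test key.

```javascript
// Added example, not Tiny-OTP's source: RFC 4226 / RFC 6238 on Node's built-in crypto.
const { createHmac, timingSafeEqual } = require('crypto')
const RFC_KEY_B32 = 'GEZDGNBVGY3TQOJQGEZDGNBVGY3TQOJQ' // RFC 4226 test key, base32

// Decode an RFC 4648 base32 secret (the form Google Authenticator imports).
function base32Decode (text) {
  const alphabet = 'ABCDEFGHIJKLMNOPQRSTUVWXYZ234567'
  const bytes = []
  let buffer = 0, bits = 0
  for (const ch of text.toUpperCase().replace(/[\s=]/g, '')) {
    const value = alphabet.indexOf(ch)
    if (value === -1) throw new Error('invalid base32 character: ' + ch)
    buffer = (buffer << 5) | value
    bits += 5
    if (bits >= 8) {
      bits -= 8
      bytes.push(buffer >>> bits)
      buffer &= (1 << bits) - 1 // keep only the leftover low bits
    }
  }
  return Buffer.from(bytes)
}

// HOTP (RFC 4226): HMAC-SHA1 over the 8-byte big-endian counter, then dynamic truncation.
function hotp (key, counter, digits = 6) {
  const msg = Buffer.alloc(8)
  msg.writeBigUInt64BE(BigInt(counter))
  const mac = createHmac('sha1', key).update(msg).digest()
  const offset = mac[19] & 0x0f // low nibble of the last byte selects 4 bytes
  const binary = mac.readUInt32BE(offset) & 0x7fffffff // drop the sign bit
  return String(binary % 10 ** digits).padStart(digits, '0')
}

// TOTP (RFC 6238): HOTP with counter = floor(unix time / step).
function totp (key, unixSeconds, digits = 6, step = 30) {
  return hotp(key, Math.floor(unixSeconds / step), digits)
}

// Accept the current step or one either side (clock drift); compare in constant time.
function verifyTotp (key, code, unixSeconds, digits = 6, window = 1) {
  const given = Buffer.from(String(code))
  let ok = false
  for (let i = -window; i <= window; i++) {
    const t = Math.max(0, unixSeconds + i * 30) // never a negative counter
    const expected = Buffer.from(totp(key, t, digits))
    if (expected.length === given.length && timingSafeEqual(expected, given)) ok = true
  }
  return ok
}
```

A server that verifies codes should also reject a code it has already accepted for the same time step and rate-limit failed attempts, since a 6-digit code has only 10^6 possible values.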

Distribution Test

To verify that the OTP generator produces a random (flat) distribution over the possible 6-digit OTP values, the test directory contains a simple webpage and web worker that generate batches of 50,000 OTPs and continuously plot the distribution. To view this visualization, run http-server . and open http://localhost/test/.

You can also view this distribution test at https://cdn.patricktriest.com/vendor/otp/test/index.html

About

Browser-based, Google Authenticator compatible, time-based one-time-password (TOTP) library. 4kb minified and gzipped.
