TypeScript-first library for HOTP and TOTP / Authenticator with multi-runtime (Node, Bun, Deno, Browser) support via plugins.
Tip
A web based demo is available at https://otplib.yeojz.dev.
You can scan and test the TOTP / HOTP QR Code samples with your chosen authenticator app.
- Zero Configuration - Works out of the box with sensible defaults
- RFC Compliant - RFC 6238 (TOTP) and RFC 4226 (HOTP) + Google Authenticator Compatible
- TypeScript-First - Full type definitions
- Plugin Interface - Flexible plugin system for customising your cryptographic and base32 requirements (if you want to deviate from the defaults)
- Cross-platform - Tested against Node.js, Bun, Deno, and browsers
- Security-audited plugins — Default crypto uses
@noble/hashesand@scure/base, both independently audited - Async-first API — All operations are async by default; sync variants available for compatible plugins
Important
v13 is a complete rewrite with breaking changes. For example:
- (Removed) Separate authenticator package — TOTP now covers all authenticator functionality with default plugins
- (Removed) Outdated plugins — Legacy crypto adapters removed in favor of modern, audited alternatives
See Migration Guide for details.
# Node
npm install otplib
pnpm add otplib
yarn add otplib# Other runtimes
bun add otplib
deno install npm:otplibimport { generateSecret, generate, verify, generateURI } from "otplib";
// Generate a secret
const secret = generateSecret();
// Generate a TOTP token
const token = await generate({ secret });
// Verify a token
const result = await verify({ secret, token });
console.log(result.valid); // true
Refer to the Getting Started Guide, or check out the other sections in the guide:
See CONTRIBUTING.md for development setup and guidelines.
Since v13, parts of the codebase, tests, and documentation have been refined with AI assistance, with all outputs reviewed by humans. See CONTRIBUTING.md for guidelines.