TOTP API

A simple API endpoint to generate a TOTP (Time-based One-Time Password) token from a secret.

Request [GET]

https://totpapi.com/api/JBSWY3DPEHPK3PXP

Response [200]

{
	"data": {
		"token": "540708"
	}
}

Why

Mostly for testing. While building automated testing tools I needed an easy way to generate tokens from secrets. I thought an endpoint to query would be ideal, but couldn't find one that worked for me.

Risks

There's a very good reason not to use a tool like this. It's horrible security...

The purpose of TOTP is to have an additional "secret" known only by the client and server. As soon as that secret is shared, it can be used to generate new tokens at will. You should never send your secrets to a third party (including myself).

This should only be used for accounts that:

  1. Are temporary.
  2. Don't have access to anything important.
  3. Have additional security, like requiring a VPN.

Security

Knowing the risks, I'll do my best to make this tool acceptable to use.

  • No Logging. I do not log or share the requests or responses.
  • No issuer or label. I do not request the URL or app you're logging in to, so even if I wanted to I wouldn't know how to use your secret.

Docs

This tool consists of a single endpoint to generate a TOTP token. Just make a GET request to https://totpapi.com/api/JBSWY3DPEHPK3PXP to get a JSON response. When the request is valid, you will receive an HTTP 200 status response with your token. When it is invalid, you will receive an HTTP 400 status response with errors. See the examples below for the JSON structure.

Required Secret

The only required parameter is the secret key itself, which should be a Base32 string (A-Z, 2-7, optionally padded with =), for example JBSWY3DPEHPK3PXP. It is passed in the URL path.

Optional Parameters

Optional parameters are passed as query strings.

| Parameter | Description | Value |
|---|---|---|
| algorithm | Algorithm used to generate token. | SHA-1 (default), SHA-224, SHA-256, SHA-384, SHA-512, SHA3-224, SHA3-256, SHA3-384, SHA3-512 |
| digits | Length of the generated token. | Number 1 to 10 (default 6) |
| period | Epoch interval length in seconds. | Number >= 1 (default 30) |
| timestamp | Epoch timestamp in milliseconds used to generate token. | Number (example 1465324707000, default now) |
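For test tooling, the same token can be computed locally so the secret never leaves the machine, which avoids the risk described under Risks. This is an added example, not the API's own code: a standard RFC 6238 computation that accepts the parameters from the table above. The function name `local_totp`, the "Invalid secret." wording and the timestamp bound are assumptions.

```python
import base64
import hmac
import struct
import time

# Algorithm names from the page's parameter table, mapped to hashlib names.
ALGORITHMS = {
    "SHA-1": "sha1", "SHA-224": "sha224", "SHA-256": "sha256",
    "SHA-384": "sha384", "SHA-512": "sha512", "SHA3-224": "sha3_224",
    "SHA3-256": "sha3_256", "SHA3-384": "sha3_384", "SHA3-512": "sha3_512",
}


def local_totp(secret, algorithm="SHA-1", digits=6, period=30, timestamp=None):
    """Compute a TOTP token offline. Returns (token, errors); one is None.

    timestamp is epoch milliseconds, as in the page's parameter table.
    """
    if timestamp is None:
        timestamp = int(time.time() * 1000)
    errors = []
    key = b""
    try:
        # Accept unpadded Base32 by restoring the '=' padding b32decode needs.
        key = base64.b32decode(secret.upper() + "=" * (-len(secret) % 8))
    except ValueError:
        pass
    if not key:
        errors.append("Invalid secret.")  # assumed wording, not shown on the page
    if algorithm not in ALGORITHMS:
        errors.append("Invalid algorithm.")
    if not (isinstance(digits, int) and 1 <= digits <= 10):
        errors.append("Invalid digits.")
    if not (isinstance(period, int) and period >= 1):
        errors.append("Invalid period.")
    # Assumed bound: non-negative seconds, and the counter must fit in 8 bytes.
    if not (isinstance(timestamp, int) and 0 <= timestamp // 1000 < 2**64):
        errors.append("Invalid timestamp.")
    if errors:
        return None, errors
    counter = timestamp // 1000 // period  # number of elapsed periods
    digest = hmac.new(key, struct.pack(">Q", counter), ALGORITHMS[algorithm]).digest()
    offset = digest[-1] & 0x0F  # RFC 4226 dynamic truncation
    code = struct.unpack(">I", digest[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10**digits).zfill(digits), None


if __name__ == "__main__":
    # The page's demo secret; the token printed depends on the current time.
    print(local_totp("JBSWY3DPEHPK3PXP"))
```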

Example: All Optional Parameters

When a request is valid, you will receive a data object with your token.

Request [GET]

https://totpapi.com/api/JBSWY3DPEHPK3PXP?algorithm=SHA-512&digits=8&period=60&timestamp=1465324707000

Response [200]

{
	"data": {
		"token": "49390972"
	}
}

Example: Invalid Parameters Error Response

When a request is invalid, you will receive an errors object with details letting you know which parameter is invalid. In this example, all optional parameters are invalid. You will get a similar response when secret is invalid.

Request [GET]

https://totpapi.com/api/JBSWY3DPEHPK3PXP?algorithm=BAD-100&digits=16&period=-60&timestamp=9999999999999999999999999

Response [400]

{
	"errors": [
		{
			"detail": "Invalid algorithm."
		},
		{
			"detail": "Invalid digits."
		},
		{
			"detail": "Invalid period."
		},
		{
			"detail": "Invalid timestamp."
		}
	]
}
