Documentation: https://oauth2.oslojs.dev

A JavaScript library for generating and verifying OTPs by Oslo.

Supports HMAC-based one-time passwords (HOTP) and time-based one-time passwords (TOTP) as defined in RFC 4226 and RFC 6238.

• Runtime-agnostic
• No third-party dependencies
• Fully typed

import { generateTOTP, verifyTOTP } from "@oslojs/oauth2";

const totp = generateTOTP(key, 30, 6);
const valid = verifyTOTP(totp, key, 30, 6);

npm i @oslojs/otp

This package requires the Web Crypto API. This is available in most modern runtimes, including Node.js 20+, Deno, Bun, and Cloudflare Workers. The big exception is Node.js 16 and 18. Make sure to polyfill it using webcrypto.

import { webcrypto } from "node:crypto";

globalThis.crypto = webcrypto;

Alternatively, add the --experimental-global-webcrypto flag when executing files.

node --experimental-global-webcrypto index.js