A self-hosted TOTP management platform. Generate, manage, and audit one-time passwords from a web dashboard — with a Slack slash command for team use.
Demo login: `demo@authflow.dev` / `demo` — no data is stored, write actions are disabled.
| Feature | Description |
|---|---|
| Dashboard | Add, edit, and manage TOTP services. Live countdown timers. |
| REST API | `GET /{slug}?key=API_KEY` — integrate with any automation tool. |
| Slack | `/otp <slug>` posts the current code to the channel. |
| Attribution | Every request logged with source (API / Slack) and requester. |
| Analytics | 7-day usage chart + full request history in the dashboard. |
| Self-hosted | Runs on Vercel. Any PostgreSQL database works. |
```bash
git clone https://github.com/daiquiridev/AuthFlow.git
cd AuthFlow
npm install
npm run dev
```
Open http://localhost:3000/dashboard. In development, no database or login is needed — a mock session is used automatically.
Create `.env.local` (never commit this file):
```bash
# Required
DATABASE_URL=postgresql://user:password@host:5432/dbname
AUTH_SECRET=any-long-random-string
# API access key — used to authenticate GET /{slug}?key=...
API_KEY=your-secret-api-key
# Optional — required only for Slack integration
SLACK_SIGNING_SECRET=your-slack-signing-secret
```
Run the migrations in your PostgreSQL database (Supabase SQL editor or psql):
```bash
# Apply all migrations in order
psql "$DATABASE_URL" -f supabase/migrations/20260101000000_initial_schema.sql
psql "$DATABASE_URL" -f supabase/migrations/20260320000000_add_attribution_to_logs.sql
```
Note: The initial schema references `auth.users` (Supabase). If you're using raw PostgreSQL, replace this with your own `users` table reference.
```
GET /{service-slug}?key=YOUR_API_KEY
GET /{service-slug}?key=YOUR_API_KEY&raw=true
```
Returns JSON by default. With `raw=true`, returns a plain-text token — useful for shell scripts.
Example:
```bash
# Quote the URL so the shell does not treat "&" as a background operator
curl "https://authflow.spacechild.dev/google-ads?key=YOUR_API_KEY&raw=true"
# → 482931
```
Response (JSON):
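```json
{
  "token": "482931",
  "seconds_remaining": 18,
  "expires_at": 1742500830,
  "digits": 6,
  "step": 30,
  "algorithm": "SHA-1"
}
```
You can also pass the key via header, which keeps it out of the URL (URLs are commonly recorded in proxy and server access logs):
```
X-API-Key: YOUR_API_KEY
```
After setup, anyone in your workspace can type: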
```
/otp google-ads
/otp github
```
The current OTP is posted to the channel, visible to everyone. No per-user authentication — designed for shared team accounts.
Setup: See Settings → Slack Integration in the dashboard for step-by-step instructions.
Every OTP request is logged with:
- Source — `slack` or `api`
- Requested by — Slack username, or `api-key` for REST calls
- Service — which service was queried
- Timestamp
Visible in Analytics → Recent Requests.
| Layer | Technology |
|---|---|
| Framework | Next.js 16.2 — App Router |
| Auth | Auth.js v5 — Credentials provider |
| Database | PostgreSQL via postgres driver |
| OTP | Web Crypto API — RFC 6238, no third-party OTP libraries |
| UI | shadcn/ui + Tailwind CSS 4 |
| Deployment | Vercel |
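The OTP row above names RFC 6238 on the Web Crypto API. The following is an added sketch of that technique, not AuthFlow's own source: the names `totp` and `base32Decode`, the base32 secret format, and the way the response fields are derived are assumptions modelled on the JSON response shown earlier.

```javascript
// Added example (not AuthFlow's source): RFC 6238 TOTP using only Web Crypto.
// Node 19+ and browsers expose globalThis.crypto; older Node uses node:crypto.
const subtle = (globalThis.crypto ?? require("node:crypto").webcrypto).subtle;

// Decode an RFC 4648 base32 secret (assumed storage format for this sketch).
function base32Decode(input) {
  const alphabet = "ABCDEFGHIJKLMNOPQRSTUVWXYZ234567";
  const out = [];
  let bits = 0, value = 0;
  for (const ch of input.toUpperCase().replace(/[\s=-]/g, "")) {
    const idx = alphabet.indexOf(ch);
    if (idx === -1) throw new Error("invalid base32 character in secret");
    value = ((value << 5) | idx) & 0xfff; // at most 12 pending bits
    bits += 5;
    if (bits >= 8) {
      bits -= 8;
      out.push((value >>> bits) & 0xff);
    }
  }
  return new Uint8Array(out);
}

// Returns the token plus the metadata fields of the JSON response shown above.
async function totp(secretB32, nowMs = Date.now(), { digits = 6, step = 30 } = {}) {
  const nowSec = Math.floor(nowMs / 1000);
  const counter = Math.floor(nowSec / step);
  // The HMAC message is the time-step counter as 8 big-endian bytes.
  const msg = new DataView(new ArrayBuffer(8));
  msg.setUint32(0, Math.floor(counter / 2 ** 32));
  msg.setUint32(4, counter >>> 0);
  // extractable = false: the imported key cannot be read back out.
  const key = await subtle.importKey(
    "raw", base32Decode(secretB32), { name: "HMAC", hash: "SHA-1" }, false, ["sign"]);
  const mac = new Uint8Array(await subtle.sign("HMAC", key, msg.buffer));
  // Dynamic truncation: low nibble of the last byte picks a 31-bit window.
  const off = mac[mac.length - 1] & 0x0f;
  const bin = ((mac[off] & 0x7f) << 24) | (mac[off + 1] << 16) |
              (mac[off + 2] << 8) | mac[off + 3];
  return {
    token: String(bin % 10 ** digits).padStart(digits, "0"),
    seconds_remaining: step - (nowSec % step),
    expires_at: (counter + 1) * step,
    digits, step, algorithm: "SHA-1",
  };
}
```

The token is kept as a zero-padded string because a numeric type would drop leading zeros and produce codes that fail verification.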
- Fork this repo
- Connect to Vercel
- Add environment variables in Vercel dashboard
- Run database migrations
- Deploy
Required env vars for production: DATABASE_URL, AUTH_SECRET, API_KEY
- TOTP dashboard
- REST API with master key
- Slack slash command integration
- Request attribution (source + requester)
- 7-day analytics chart
- Docker image for self-hosting
- Secret rotation
- Hardware key support (YubiKey)
MIT — see LICENSE.
Developed by daiquiridev · Live demo · Production