Agent-readable authenticator. Like Authy or Google Authenticator, but built for AI agents.
Sesame stores your TOTP secrets and generates 2FA codes. You manage accounts through a desktop app. Your agents grab codes through a CLI or local API.
- Desktop App (Electron + React): Add accounts, scan QR codes, view live codes
- CLI (`sesame get <account>`): Agents call this to grab codes
- Local API (`GET http://127.0.0.1:7327/codes/:account`): REST endpoint for programmatic access
- Encrypted Storage: AES-256-GCM, master password required to unlock

- All secrets encrypted at rest with AES-256-GCM
- Key derived via PBKDF2 (100k iterations, SHA-512)
- API binds to `127.0.0.1` only (never exposed to network)
- Optional Bearer token for API authentication
- Audit log tracks every code request (who asked, when)
- Master password never stored, only used to derive the encryption key
- Vault and config stored in `~/.sesame/` with restricted file permissions
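
The parameters listed above (PBKDF2 with 100k iterations of SHA-512, AES-256-GCM) applied to one TOTP secret using Node's built-in `crypto` module. This is an added example, not Sesame's own code: the record layout, the function names, and the use of the account name as associated data are assumptions.

```javascript
// Added example, not Sesame's own code. Only the KDF and cipher parameters
// come from the README; the record layout and names are assumptions.
const crypto = require('node:crypto');

// Derive the 256-bit vault key from the master password. Only the salt is
// persisted, so the password is needed again at every unlock.
function deriveKey(password, salt) {
  return crypto.pbkdf2Sync(password, salt, 100_000, 32, 'sha512');
}

// Encrypt one TOTP secret. Each record gets a fresh 96-bit IV: reusing an IV
// under the same GCM key breaks both confidentiality and integrity.
function sealSecret(key, account, totpSecret) {
  const iv = crypto.randomBytes(12);
  const cipher = crypto.createCipheriv('aes-256-gcm', key, iv);
  cipher.setAAD(Buffer.from(account, 'utf8')); // bind ciphertext to its account
  const ciphertext = Buffer.concat([cipher.update(totpSecret, 'utf8'), cipher.final()]);
  return { account, iv, tag: cipher.getAuthTag(), ciphertext };
}

// Decrypt and authenticate. Throws if the key is wrong or the record changed.
function openSecret(key, record) {
  const decipher = crypto.createDecipheriv('aes-256-gcm', key, record.iv);
  decipher.setAAD(Buffer.from(record.account, 'utf8'));
  decipher.setAuthTag(record.tag);
  return Buffer.concat([decipher.update(record.ciphertext), decipher.final()]).toString('utf8');
}

// true if the record authenticates under this key, false otherwise.
function unlocks(key, record) {
  try { openSecret(key, record); return true; } catch { return false; }
}

// Constructed sample values (the secret is the demo value used in this README).
const salt = crypto.randomBytes(16);
const key = deriveKey('constructed-master-password', salt);
const record = sealSecret(key, 'github', 'JBSWY3DPEHPK3PXP');
console.log(openSecret(key, record));                            // JBSWY3DPEHPK3PXP
console.log(unlocks(deriveKey('wrong-password', salt), record)); // false
console.log(unlocks(key, { ...record, account: 'gitlab' }));     // false
```

Because GCM is authenticated, a wrong master password or an edited vault row fails at `decipher.final()` instead of yielding a plausible but wrong TOTP secret.
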

```bash
# From source
git clone https://github.com/lacymorrow/sesame.git
cd sesame
pnpm install
pnpm cli:build

# Link CLI globally
pnpm link --global
```

```bash
# Add a new account
sesame add github --secret JBSWY3DPEHPK3PXP --issuer GitHub

# Add from otpauth:// URI
sesame add gitlab --uri "otpauth://totp/GitLab:user@example.com?secret=JBSWY3DPEHPK3PXP&issuer=GitLab"

# Get current code (interactive)
sesame get github
# 482931 (18s remaining)

# Get code without remaining time (agent-friendly)
sesame get github --raw
# 482931

# List accounts
sesame list

# Remove an account
sesame remove github

# Start API server
sesame serve

# Configure port and API token
sesame config --port 7327 --token my-secret-token
```

Set `SESAME_PASSWORD` to skip the master password prompt:

```bash
export SESAME_PASSWORD="your-master-password"

# Now agents can grab codes without interaction
CODE=$(sesame get github --raw)
```

Start the server with `sesame serve`, then:

```bash
# Health check
curl http://127.0.0.1:7327/health
# {"status":"ok","version":"0.1.0"}

# Get code for an account
curl http://127.0.0.1:7327/codes/github
# {"code":"482931","remaining":18}

# List all accounts
curl http://127.0.0.1:7327/accounts
# [{"name":"github","issuer":"GitHub","created_at":"..."}]

# With bearer token (if configured)
curl -H "Authorization: Bearer my-secret-token" http://127.0.0.1:7327/codes/github
```

```bash
pnpm dev   # Development mode
pnpm start # Production preview
```

The desktop app provides:

- Master password unlock screen
- Live dashboard with countdown timers for all accounts
- Click-to-copy TOTP codes
- Add accounts manually or via otpauth:// URI
- API server management (start/stop, port config)
- System tray with quick access
- Electron 36 + React 19 + TypeScript
- electron-vite for builds
- shadcn/ui + Tailwind CSS v4
- otplib for TOTP generation
- sql.js for local storage (WASM SQLite, no native deps)
- Fastify for local API server
- Commander for CLI

All data lives in `~/.sesame/`:

- `vault.db` - Encrypted account secrets (SQLite via sql.js)
- `config.json` - Port, salt, API token hash

MIT