Skip to content
Browser-based, Google Authenticator compatible, time-based one-time-password (TOTP) library. 4kb minified and gzipped.
JavaScript HTML Shell
Branch: master
Clone or download
Fetching latest commit…
Cannot retrieve the latest commit at this time.
Type Name Latest commit message Commit time
Failed to load latest commit information.


Tiny-OTP is a tiny (4kb) Javascript library that can generate RFC 4226 compliant HMAC-based one-time passwords (HOTPs), and RFC 6238 compliant time-based one-time passwords (TOTPs).

This is the core library powering the Open-OTP project. To see an example of a full web app using Tiny-OTP (with QR code generation for easy Google Authenticator integration), visit the Open-OTP github repository.


// Generate a random secret
const secret = OTP.getRandomInt(0, 10 ** 12)

// Initialize OTP generator with secret
const generator = new OTP(secret)

// Get the current 6-digit TOTP value.
// This value will change every 30 seconds.
let totp = generator.getTOTP()

// Get current 6-digit HOTP value.
// This value will change based on the provided counter parameter value.
let hotp = generator.getHOTP(5)

NPM / Browserify / Webpack

npm install tiny-otp
const OTP = require('tiny-otp')


import OTP from 'tiny-otp'

Browser Script Tag

<script src=""></script>
Base32 Compatibility

Google Authenticator requires secrets to be imported as base32 encoded strings. Tiny-OTP uses UTF-8 encoding by default, but contains helpers to import and export base32 encoded secrets.

To import a base32 encoded secret.

const generator = new OTP(secret, 'base32')

To export the secret in base32 encoding.


Extra digits

Tiny-OTP generates 6-digit OTPs by default, but can also generate 8-digit OTPs. The number of digits is an optional parameter of the TOTP and HOTP methods.

// Get the current 8-digit TOTP value.
let totp = generator.getTOTP(8)

// Get 8-digit HOTP value, for counter = 5.
let hotp = generator.getHOTP(5, 8)

Distribution Test

To verify that the OTP generates a valid random(flat) distribution of possible 6-digit OTP values, the test directory contains a simple webpage + webworker that will generate batches of 50,000 OTPs, and continuously plot the distribution. To view this visualization, run http-server . and open http://localhost/test/.

You can also view this distribution test at

You can’t perform that action at this time.