@oslojs/otp documentation

A JavaScript library for generating and verifying OTPs by Oslo.

Supports HMAC-based one-time passwords (HOTP) and time-based one-time passwords (TOTP) as defined in RFC 4226 and RFC 6238.

  • Runtime-agnostic
  • No third-party dependencies
  • Fully typed
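
import { generateTOTP, verifyTOTP } from "@oslojs/otp";

// The shared secret as raw bytes (here a freshly generated 20-byte sample key)
const key = crypto.getRandomValues(new Uint8Array(20));

// 30-second interval, 6-digit code
const totp = generateTOTP(key, 30, 6);
const valid = verifyTOTP(totp, key, 30, 6);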


npm i @oslojs/otp


This package requires the Web Crypto API, which is available in most modern runtimes, including Node.js 20+, Deno, Bun, and Cloudflare Workers. The main exceptions are Node.js 16 and 18, where you need to polyfill it using webcrypto from node:crypto.

import { webcrypto } from "node:crypto";

globalThis.crypto = webcrypto;

Alternatively, add the --experimental-global-webcrypto flag when executing files.

node --experimental-global-webcrypto index.js