#totp #hmac #2fa #otp #generate #read-write


library for generating Time-based One-time Password (TOTP) codes/tokens defined in RFC 6238

7 releases

0.5.3 Apr 4, 2024
0.5.1 Oct 15, 2022
0.5.0 Aug 13, 2021
0.4.2 May 13, 2021
0.1.0 Apr 20, 2021

#105 in Authentication


786 lines


A rust crate for generating TOTP codes (tokens) defined in RFC 6238.

crates.io docs.rs Rust-test

Features of this crate

  • Both low-level and high-level APIs are provided.
  • The length of the codes, the initial counter time (T0), update time interval (period) and hash algorithm are configurable.
  • HMAC algorithms are implemented by ring.
  • Read or write "Key Uri Format" (URIs start with otpauth://totp/) (the oathuri feature gate).
  • Read or write key from base32-encoded string (the oathuri feature gate).


This implementation does NOT consider the time earlier than the Unix epoch (1970-01-01T00:00:00Z).


use totp_rfc6238::{HashAlgorithm, TotpGenerator};
fn main() {
    let key = b"ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz1234567890+/";
    // Create a non-standard TOTP code generator: 8-digit, updating every 60
    // seconds, starting at "Jan 01 1970 00:16:40 UTC", using HMAC-SHA512.
    let mut totp_generator = TotpGenerator::new()
    let output1 = totp_generator.get_code(key);
    println!("Your TOTP code for current time is: {}", output1);
    let output2 = totp_generator.get_next_update_time().unwrap();
    println!("Next update will be at the unix timestamp of {}", output2);
    let output3 = totp_generator.get_code_window(key, -5..=5).unwrap();
    println!("Codes for 5 minutes earlier or later are:");
    for i in output3 {
        println!("  {}", i);


See here.

Incompatible API breaking changes

The version number lower than 1.0.0 should be regarded as an unstable version of the API. Therefore, some version updates may contain incompatible API changes. Please refer to the following when changing the dependent version.

  • v0.5.2 (unreleased) -> v0.5.3: oath_uri::TotpUri and oath_uri::KeyInfo implemented the Debug trait in version 0.5.2, but this was removed in 0.5.3. (only affects the oathuri feature)
  • v0.4.2 -> v0.5.0: The data types of errors has changed. (only affects the oathuri feature)
  • v0.3.1 -> v0.4.0: The data types of errors and function names has changed. (only affects the oathuri feature)
  • v0.2.0 -> v0.3.0: In the percent-encoding, the characters that need to be escaped have changed. (only affects the oathuri feature)


The codes of this crate has not been audited.

  • Read or write QR codes.


This tool is primarily distributed under the terms of both the MIT license and the Apache License (Version 2.0), with portions covered by various BSD-like licenses.


  1. Any contribution intentionally submitted for inclusion in totp_rfc6238 by you, as defined in the Apache-2.0 license, shall be dual licensed as above, without any additional terms or conditions.
  2. Pull requests are always welcome.


~246K SLoC