otpauth specification
Towards an Internet Standard
Although the otpauth URI scheme has provisional status with IANA, there is no consistently applied specification for otpauth URIs. This site accompanies the proposed Internet-Draft authored to encourage industry alignment within an IETF standards process: draft-andesco-otpauth-uri
This is a UX and interoperability demo, not a credential-storage or account-security demo. It uses an intentionally public, non-rotating default secret so the same otpauth URI can be inspected, changed, restored, and compared across setup paths.
The demo follows the deployed industry convention documented by Google, the current password-manager guidance documented by Apple, and the proposed Internet-Draft requirements, including this distinction:
- issuer label prefix: presentation-oriented service name for display
- issuer parameter: stable service identifier for account matching and credential suggestion
Industry Standard Specifications
Google’s archived Key URI Format established the deployed otpauth convention used across authenticator apps. Apple’s current password-manager guidance describes a more precise UX model for credential setup: the issuer label prefix can name the service for display, while the issuer parameter can identify the site or app for credential matching.
The proposed Internet-Draft reconciles both needs: deployed consumers must continue to accept Google-style URIs where the issuer label prefix and issuer parameter are the same, while modern password managers benefit from treating the issuer parameter as the stable identifier for account matching.
This demo follows that direction. The issuer label prefix is human-readable display text, and the issuer parameter is the stable service identifier used for credential matching and suggestion.
Google: Key URI Format
“If both issuer parameter and issuer label prefix are present, they should be equal.” (2018)
- label:
<proper name>:<account> - issuer parameter:
issuer=<proper name>
Apple: Securing Logins with […] Verification Codes
The issuer parameter is “the domain of the site or app” while the issuer label prefix is “the proper name of your service.” (2021)
- label:
<proper name>:<account> - issuer parameter:
issuer=<domain>
Proposed Internet-Draft Requirements
This table summarizes how the demo maps to draft-andesco-otpauth-uri. It is specific to the TOTP URI generated by this page.
| Component | Draft status |
|---|---|
otpauth scheme |
Required URI scheme |
totp type |
Valid OTP type |
| label | Required path component |
secret |
Mandatory; exactly one value |
issuer |
Recommended |
algorithm |
Optional; default is SHA1 |
digits |
Optional; default is 6 |
period |
Optional for TOTP; default is 30 |
| issuer label prefix | Optional compatibility/display value |
Demo
Settings
Display name for the service. Must not contain a colon.
Account name for the label. Must not be empty. Must not contain a colon.
This public demonstration secret is intentionally shared and must not be used for a real account. The secret must be unpadded Base32 text.
Optional: Save Username & Password
This demo works best after simulating an account registration and saving credentials. Your password manager (authenticator app) can then suggest associating a new verification code generator with these credentials.
does not save or validate these credentials. Use the default username and never enter a real or reused password.
Password not saved?
Sign Out
Setup Verification Codes
Add your one-time password (verification code) generator to your password manager (authenticator app) using the button below or this link: Add to Password Manager
Your password manager may suggest associating it with saved credentials that match the label or issuer listed in the otpauth URI.
other options: copy Secret Key or scan QR Code
Confirm that your password manager has saved the secret key and can generate new one-time codes every 30 seconds.
Other Setup Options
Using a mobile device or a specific app should be entirely optional during setup. These fallback options are shown here to support platforms, browsers, and applications that do not support otpauth links.