Skip to main content

TOTP

TOTP (Time-based One-Time Password) is used to verify that a request truly comes from an authorized system.

Secret Key Generation

  • A TOTP secret key is generated once.

  • This key is shown only once in your personal account in the Private key section.

  • You must securely store this secret key (in a safe, encrypted storage).

  • The server never stores the key in plaintext — only an encrypted version.

Making Requests

  • When you send a host-to-host request (e.g., initiate a payment), it includes a TOTP code in the request body. For examples of TOTP generation, you can contact support.

  • This code is generated using the saved secret key and the current time window (30 seconds).

Example:

{
"session_token": "c8c3a9521dcac260ee34",
"otp": "326979",
"from_address": "IUGF4UMVL2IPN5H4WW4MQDH4",
"target_address": "23WAPW3GUMQ",
"amount": 2,
"currency": "ALGO",
"order_number": "10001"
}

Server-Side Validation

  • We use copy of the TOTP secret key to verify the one-time code.

  • If the code matches the expected value for the current time window (with a small allowed drift - 14 seconds), the request is considered authentic.

Why This is Secure

  • TOTP codes are short-lived (30 seconds).

  • Even if a request is intercepted, the TOTP code will expire quickly.

  • Since the secret is not sent in requests — only the TOTP generated from it — the actual secret stays safe.