TOTP
TOTP (Time-based One-Time Password) is used to verify that a request truly comes from an authorized system.
Secret Key Generation
-
A TOTP secret key is generated once.
-
This key is shown only once in your personal account in the Private key section.
-
You must securely store this secret key (in a safe, encrypted storage).
-
The server never stores the key in plaintext — only an encrypted version.
Making Requests
-
When you send a host-to-host request (e.g., initiate a payment), it includes a TOTP code in the request body. For examples of TOTP generation, you can contact support.
-
This code is generated using the saved secret key and the current time window (30 seconds).
Example:
{
"session_token": "c8c3a9521dcac260ee34",
"otp": "326979",
"from_address": "IUGF4UMVL2IPN5H4WW4MQDH4",
"target_address": "23WAPW3GUMQ",
"amount": 2,
"currency": "ALGO",
"order_number": "10001"
}
Server-Side Validation
-
We use copy of the TOTP secret key to verify the one-time code.
-
If the code matches the expected value for the current time window (with a small allowed drift - 14 seconds), the request is considered authentic.
Why This is Secure
-
TOTP codes are short-lived (30 seconds).
-
Even if a request is intercepted, the TOTP code will expire quickly.
-
Since the secret is not sent in requests — only the TOTP generated from it — the actual secret stays safe.