Python bindings for OATH Toolkit

This package is a set of Python bindings for the OATH Toolkit library. Please note that it is OATH (open authentication, e.g., one-time passwords) and not OAuth (an open standard for authorization).

[Travis CI] [CodeClimate] [Read The Docs]


  • Runs on a variety of Python versions/implementations
  • QR code generator, compatible with apps like Google Authenticator
  • Integration with WTForms
  • Integration with Django via django-otp


To generate a time-based one-time password (TOTP):

from oath_toolkit import TOTP
from time import time

digits = 6
time_step = 30
oath = TOTP(b'secret key', digits, time_step)
one_time_password = oath.generate(time())

To validate a HMAC-based one-time password (HOTP):

from oath_toolkit import HOTP
from oath_toolkit.exc import OATHError

def verify(otp, counter):
    digits = 6
    oath = HOTP(b'secret key', digits)
        return oath.verify(otp, counter)
    except OATHError:
        return False

For an explanation of terms like time_step and counter, refer to the API documentation.

More complex examples can be found in the examples/ directory, which includes a port of the command-line app oathtool, a sample Django project, and a simple Flask app which shows how WTForms integration works.


Unless otherwise noted in the respective files, the code is licensed under the Apache License 2.0. The otherwise-licensed files have the requisite separate license details. Specifically:

  • oath_toolkit/django_otp/hotp/ and oath_toolkit/django_otp/totp/ are originally licensed under the two-clause BSD license.
  • examples/django/example/ is originally licensed under the MIT license.

The documentation is licensed under the Creative Commons Attribution-ShareAlike 4.0 International License (CC BY-SA 4.0).