roka-totp 0.1.0

Zero-dependency TOTP / HOTP for Rust — RFC 4226 / 6238, std-only, no unsafe.

roka-totp


Zero-dependency TOTP / HOTP implementation for Rust.

Implements RFC 6238 (TOTP) and RFC 4226 (HOTP). Brings its own SHA-1, HMAC-SHA1, and Base32 — no crypto crate is pulled in, no unsafe is used.

Highlights

  • Zero external crate dependencies. std only.
  • No unsafe.
  • RFC test vectors verified — SHA-1 (RFC 3174), HMAC (RFC 2202), HOTP (RFC 4226 Appendix D), TOTP (RFC 6238 Appendix B).
  • Type-safe API: Secret newtype, Algorithm enum, builder pattern.
  • otpauth URI build ready for QR pairing.

Quick start

use std::time::{SystemTime, UNIX_EPOCH};

use roka_totp::{Secret, Totp};

// Current Unix time in seconds, the clock value handed to verify().
fn totp_unix_now() -> u64 {
    SystemTime::now().duration_since(UNIX_EPOCH).map(|d| d.as_secs()).unwrap_or(0)
}

fn main() -> Result<(), roka_totp::Error> {
    let secret = Secret::from_base32("JBSWY3DPEHPK3PXP")?;
    let totp = Totp::builder(secret)
        .issuer("Acme")
        .account("alice@example.com")
        .build();

    let code = totp.code_now();        // current OTP, e.g. "847529"
    let uri = totp.uri();              // otpauth://totp/Acme:alice... for QR pairing

    // Placeholder for the code the user typed in
    let user_input = String::new();

    // Verify a user-entered code against the current window ± 1 step
    match totp.verify(&user_input, totp_unix_now(), 1) {
        Some(offset) => println!("ok (offset {offset} windows)"),
        None => println!("reject"),
    }
    Ok(())
}

When to use this crate

  • You want minimal supply-chain risk for your authentication path. roka-totp has zero transitive dependencies — anyone can audit the whole code path from base32 secret to 6-digit code in an afternoon.
  • You're targeting embedded / WASM / no-std-ish environments where pulling in RustCrypto + serde is excessive.
  • You want QR generation built in — pair with roka-qr and ship a complete 2FA stack with no other deps.

Performance

Indicative numbers on M2 (release); see BUDGETS.md:

Operation | Time
Secret::from_base32 (16 bytes) | ~84 ns
Totp::code_at | ~900 ns
Totp::verify (match, ±1 window) | ~1.8 µs
Totp::uri | ~815 ns

Regression gates live in tests/perf_gate.rs.

Roadmap

  • 0.1.0 — current API surface (SHA-1 only).
  • 0.2.0 — Algorithm::Sha256 / Algorithm::Sha512 (otpauth URI standard).
  • 0.2.x — Totp::from_uri parsing.
  • Later — no_std + alloc support.

License

Dual-licensed under Apache 2.0 or MIT, at your option.

Part of the roka project by GOLIA Inc.