Signet
Sign in

Guide

TOTP setup

RFC 6238 time-based one-time passwords work with any authenticator app (Google Authenticator, Microsoft Authenticator, Authy, 1Password, and others). You generate a secret once, store it in the server environment, pair your phone, then confirm codes on the tool page before relying on login.

At least one second factor is required for this deployment: configure TOTP here, or WebAuthn in WebAuthn setup, or both for redundancy.

Prerequisites

  • ACCESS_USERNAME and ACCESS_PASSWORD must already be set so the TOTP tool can bind the secret to the same admin identity as login.
  • Server and phone clocks should be accurate within a typical 30-second window; large drift causes valid-looking codes to fail.

Generate

  1. Open /totp
  2. Use the same admin username as ACCESS_USERNAME
  3. Add a label (for example "Personal auth") so you can tell this entry apart in your authenticator
  4. Click Generate — the page shows a QR and a Base32 secret string
Open TOTP tool

Store & pair

Scan the QR with your authenticator, or type the Base32 secret manually. The secret never leaves your control if you only paste it into env and your password manager— do not embed it in client-side code or public repos.

Put the secret string into ACCESS_TOTP_SECRET (single line, no spaces). See Environment variables for the full list of keys.

Example · ACCESS_TOTP_SECRET=JBSWY3DPEHPK3PXP

Test & go live

  1. Redeploy or restart your dev server so the new env is picked up
  2. Copy the 6-digit code from your authenticator and use Verify on /totp
  3. Complete a full /login run-through with password + TOTP before pointing production apps at this host

If verification fails immediately after pairing, wait for the next 30s window, confirm the account in the app matches this site label, and check system time on both devices.

TOTP Setup - Getting Started