khooz/oath
==========

The TOTP based on [RFC6238](https://tools.ietf.org/html/rfc6238)

6.0(6y ago)32272MITPHPPHP &gt;=7

Oath
====

Oath is a One Time Password library used in authenticators. It covers both HOTP and TOTP methods of code generation.

What is this package?
---------------------

It implements the HMAC-based One-Time Password specified in [RFC6238](http://tools.ietf.org/html/rfc6238) used in many Two Step Authentication solutions. It is compatible with authenticator apps like Google's and Microsoft's. It uses @devicenull's [Base32](https://github.com/devicenull/PHP-Google-Authenticator/blob/master/base32.php) class for [RFC3548](https://tools.ietf.org/html/rfc3548) Base32 encoding and decoding. Feel free to use any custom Base32-converting class that has `encode` and `decode` public static functions.

Getting Started
===============

This package uses PSR-4 autoloading, which eases installation and use with major frameworks or any project utilising composer. Simply use composer to install this package as your project's dependency:

```
composer require khooz/oath
```

Usage
-----

You can simply use the default parameters of this package to generate or check HMAC-based One-Time Passwords:

```
$otp = new Oath();
$otp->secret; // The secret used for code generation in Base32; default is randomly generated SHA1 hash
$otp->account = "john_doe"; // The account name used in combination of issuer and domain for making otpauth uri
$otp->type; // Either "hotp" or "totp"; default is totp
$otp->counter; // The current value of counter for HOTP; or null if type is "totp"; default is 0
$otp->period; // The period of code mutation for TOTP; null if type is "hotp"; default is 30

$otp->generate(); // generates new code based on current parameter
$otp->check($code); // checks current code with the provided code (integer). Returns true if both are the same.
```

You can also customize the default parameters with the static `config` method, either before instantiating the `Oath` class or afterwards, in which case the new defaults apply to later instantiations.

```
Oath::config(
	$issuer, // Default issuer as specified in standard
	$domain, // Default domain as specified in standard
	$period, // Default period for totp, must be greater than 0
	$digits, // Default number of digits per code as specified in standard
	$initial_counter, // Default initial counter for hotp, must be positive
	$length, // Default length for generated messages and salts for cryptographically secure secret generation
	$iterations, // Default hash iterations for cryptographically secure secret generation
	$type, // Default type as specified in standard, either 'hotp' or 'totp'
	$algorithm, // Default algorithm as specified in standard, it can use all hmac algorithms available to the system if strict mode is off
	$qrURI, // Default issuer as specified in standard
	$strict // Default strict mode. If true, only values specified in the standard can be used. By default it is true.
);
```

Once instantiated, the `Oath` object encapsulates all the data it needs for a single user, and the defaults can safely be changed for further users.

Methods
-------

### `Oath::generate(int $pivot)`

Generates a new code based on the object's parameters. With `$pivot` you can move back and forth in the code sequence and generate expired codes (negative values) or upcoming codes (positive values). `$pivot = 0` (the default) gives the current valid code.

```
$oath->generate(-1); // Generates the last expired code
$oath->generate(0); // Generates the current valid code
$oath->generate(1); // Generates the next code in codes sequence
```

### `Oath::check(int $code, int $range, int $pivot)`

Checks an n-digit, integer `$code` with a tolerance of `$range` around a `$pivot` point in the code sequence.

```
$oath->check(123456, 1, 0); // Checks 123456 against the last expired, current, and next codes; gives the user a 90s leeway in a 30s-period TOTP
```
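The windowed check described above, as an added stand-alone example of RFC 6238 TOTP with HMAC-SHA1; it is not the package's own code, and `totp_at()` and `totp_check()` are hypothetical names. It goes one step beyond the README by returning the matched counter, so the caller can refuse a code that was already accepted inside the tolerance window. The key and time are the RFC 6238 Appendix B test values.

```php
<?php
// Added example: stand-alone RFC 6238 TOTP (HMAC-SHA1), not khooz/oath source.
// totp_at() and totp_check() are hypothetical helper names.

function totp_at(string $key, int $time, int $pivot = 0, int $period = 30, int $digits = 6): string
{
    // Time-step counter, shifted by $pivot steps (negative = past, positive = future).
    $counter = intdiv($time, $period) + $pivot;
    // HMAC over the counter as an 8-byte big-endian integer (RFC 4226).
    $mac = hash_hmac('sha1', pack('J', $counter), $key, true);
    // Dynamic truncation: the low nibble of the last byte picks a 4-byte slice.
    $offset = ord($mac[19]) & 0x0f;
    $value = unpack('N', substr($mac, $offset, 4))[1] & 0x7fffffff;
    return str_pad((string) ($value % (10 ** $digits)), $digits, '0', STR_PAD_LEFT);
}

// Returns the counter of the matching step, or null when nothing in the window matches.
function totp_check(string $key, string $code, int $time, int $range = 1, int $pivot = 0, int $period = 30): ?int
{
    $matched = null;
    for ($step = $pivot - $range; $step <= $pivot + $range; $step++) {
        // hash_equals() compares in constant time; the loop never exits early.
        if (hash_equals(totp_at($key, $time, $step, $period), $code)) {
            $matched = intdiv($time, $period) + $step;
        }
    }
    return $matched;
}

$key = '12345678901234567890'; // RFC 6238 Appendix B test key (raw bytes, not Base32)
$now = 59;                     // test time from the same appendix
$lastUsed = null;              // per-user state a real service would persist

// Constructed submissions: the previous step's code twice, then a wrong code.
foreach ([totp_at($key, $now, -1), totp_at($key, $now, -1), '000000'] as $submitted) {
    $counter = totp_check($key, $submitted, $now);
    if ($counter === null) {
        echo "$submitted: rejected (outside window)\n";
    } elseif ($lastUsed !== null && $counter <= $lastUsed) {
        echo "$submitted: rejected (already used)\n";
    } else {
        $lastUsed = $counter;
        echo "$submitted: accepted at counter $counter\n";
    }
}
```

Codes are handled as strings here so that leading zeros survive the comparison.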

Properties
----------

All non-static properties of `Oath` are accessible by name through the `__get` and `__set` invocations, though there are some important properties and some virtual properties worth mentioning. I encourage you to see the `Oath` class in detail.

### `Oath::secret`

Along with `Oath::message` and `Oath::salt`, the secret (or the other two, which make up the secret when they are present) defines an instance for authentication. Share the secret with the user to store, so that both sides generate the same code sequence to compare against. You should also store either the secret, or the message and salt. The secret is a binary string represented in Base32 encoding.

#### `Oath::message` and `Oath::salt`

You either supply a Base32 secret or make one from a message and a salt. If you don't provide either, a randomly generated message and salt will generate a secret for you.

### `Oath->uri`

This is a virtual property that gives you an `otpauth` URL-encoded URI, so you can use a QR code or a link to exchange authentication token instances with the user. It is formatted as below:

```
auth token instance = otpauth://type/label?parameters
type = hotp | totp
label = issuer:account@domain
```

The `parameters` are `secret`, `digits`, `algorithm`, `period` or `counter` in URL-encoded HTTP Query format.
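An added example (not the package's own code) that builds a URI in the format above and validates one on the way back in; `otpauth_build()` and `otpauth_parse()` are hypothetical names and the sample values are constructed. It assumes every URI carries the parameter that belongs to its type: `counter` for `hotp`, `period` for `totp`.

```php
<?php
// Added example, not khooz/oath code; function names are hypothetical.

function otpauth_build(string $type, string $issuer, string $account, string $domain, array $params): string
{
    // label = issuer:account@domain, percent-encoded as a single path segment.
    $label = rawurlencode("$issuer:$account@$domain");
    return "otpauth://$type/$label?" . http_build_query($params, '', '&', PHP_QUERY_RFC3986);
}

function otpauth_parse(string $uri): array
{
    $parts = parse_url($uri);
    if ($parts === false || ($parts['scheme'] ?? '') !== 'otpauth') {
        throw new InvalidArgumentException('not an otpauth URI');
    }
    $type = $parts['host'] ?? '';
    if (!in_array($type, ['hotp', 'totp'], true)) {
        throw new InvalidArgumentException('type must be hotp or totp');
    }
    parse_str($parts['query'] ?? '', $params);
    // The secret must be a Base32 string (A-Z, 2-7, optional padding).
    $secret = $params['secret'] ?? null;
    if (!is_string($secret) || !preg_match('/^[A-Z2-7]+=*$/D', $secret)) {
        throw new InvalidArgumentException('secret is not Base32');
    }
    // hotp carries a counter, totp carries a period (assumption stated above).
    $needed = $type === 'hotp' ? 'counter' : 'period';
    $value = $params[$needed] ?? null;
    if (!is_string($value) || !preg_match('/^[0-9]+$/D', $value)) {
        throw new InvalidArgumentException("$type requires a numeric $needed");
    }
    $label = rawurldecode(ltrim($parts['path'] ?? '', '/'));
    return ['type' => $type, 'label' => $label] + $params;
}

// Constructed sample values.
$uri = otpauth_build('totp', 'Example', 'john_doe', 'example.com', [
    'secret' => 'GEZDGNBVGY3TQOJQGEZDGNBVGY3TQOJQ',
    'digits' => 6,
    'algorithm' => 'SHA1',
    'period' => 30,
]);
echo $uri, "\n";
print_r(otpauth_parse($uri));
```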

Special Thanks goes to
======================

-  for [this article](https://www.idontplaydarts.com/2011/07/google-totp-two-factor-authentication-for-php/)
- Wikipedia.org for [this article](http://en.wikipedia.org/wiki/Google_Authenticator)
- @devicenull for [this class](https://github.com/devicenull/PHP-Google-Authenticator/blob/master/base32.php)

finally()
---------

{

And if you feel like it, you can [donate here](https://paypal.me/khooz) to help me.

}

###  Health Score

31 (Low; better than 66% of packages)

- Maintenance: 20. Infrequent updates; may be unmaintained
- Popularity: 16. Limited adoption so far
- Community: 9. Small or concentrated contributor base
- Maturity: 67. Established project with proven stability
- Bus Factor: 1. Top contributor holds 100% of commits; single point of failure

###  Release Activity

- Cadence: every ~378 days (recently: every ~70 days)
- Total: 6
- Last Release: 2303d ago

Major Versions

- 0.0.0 → 4.2.x-dev (2019-06-06)
- v4.2.0 → 5.8 (2019-06-07)
- 5.8.x-dev → 6.0 (2020-03-10)

PHP version history (2 changes)

- 0.0.0: PHP >=5.5.0
- 5.8: PHP >=7

### Community

- Maintainers: [Mustafa Talaeezadeh Khouzani](/maintainers/khooz) ([@khooz](https://github.com/khooz))
- Top Contributors: [khooz](https://github.com/khooz) (46 commits)
- Tags: google authenticator, totp, Two Factor Authentication, authenticator, oath, two-step verification, microsoft authenticator
