FluxyAPIFluxyAPI
BlocksTokens & Crypto

Verify TOTP Code

Confirm a user's 6-digit authentication code against their stored secret.

The Verify TOTP Code block validates the 6-digit code provided by a user (from apps like Google Authenticator or Authy) against their previously stored secret key.

Configuration

FieldRequiredDescription
User's TOTP SecretThe base32 secret key previously saved for this user.
6-Digit Code (Token)The current 6-digit code entered by the user.
Allowed Time WindowNumber of 30-second steps before/after to accept (default is 1, which allows for slight clock drift).
Output VariableThe name of the variable that will store the boolean result (true or false).
Drift Handling

Setting a higher Allowed Time Window makes login easier for users with unsynced clocks but slightly reduces security. A value of 1 or 2 is usually recommended.

Error Handling

  • SECRET_MISSING — Triggered when the secret field is empty.
  • TOKEN_MISSING — Triggered when the 6-digit code is missing.
  • RUNTIME_ERROR — Triggered if an unexpected error occurs during verification.

Example: Verifying Login

  1. User's TOTP Secret: Set to {db.users.totp_secret}.
  2. 6-Digit Code (Token): Set to {request.body.code}.
  3. Output Variable: Enter is_valid_code.
  4. Result: The variable {is_valid_code} will be true if the code matches, otherwise false.

Follow this block with a Basic Conditional Compare block to check if {is_valid_code} is equal to true before granting access.

On this page