Available in all subroutines.

Returns a time-based one-time password. The password is an HMAC-SHA1 value derived from the current time. The key parameter is a Base64-encoded key. The interval parameter specifies the lifetime of the token in seconds and must be non-negative. The offset parameter provides a means of mitigating clock skew: in the example below, offsets of -1 and 1 produce the passwords for the previous and next buckets.

Base64 decoding behaves as if by a call to digest.base64_decode. See that function for handling invalid characters and the behavior of padding. Unlike digest.base64_decode, the decoded output is used directly (rather than constructing a VCL STRING type), and so binary content is permitted, including possible NUL bytes.


set req.http.X-OTP-CurBucket = digest.time_hmac_sha1(
  digest.base64("secret"), 60, 0);
set req.http.X-OTP-PrevBucket = digest.time_hmac_sha1(
  digest.base64("secret"), 60, -1);
set req.http.X-OTP-NextBucket = digest.time_hmac_sha1(
  digest.base64("secret"), 60, 1);
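
The bucket and offset behaviour described above, modelled in Python as an added example (not Fastly's code, and not part of the original page). The message encoding (bucket number as 8 big-endian bytes) and the Base64 output are assumptions, so the tokens are illustrative and not guaranteed to match digest.time_hmac_sha1 byte for byte; the key and timestamp are constructed sample values.

```python
import base64
import hashlib
import hmac
import struct


def time_hmac_sha1(key_b64: str, interval: int, offset: int, now: float) -> str:
    """Model of a time-bucketed HMAC-SHA1 token (encodings are assumptions)."""
    # The page requires a non-negative interval; this model also rejects 0
    # because the bucket number is computed by integer division.
    if interval <= 0:
        raise ValueError("interval must be a positive number of seconds")
    key = base64.b64decode(key_b64)           # raw bytes, NUL bytes allowed
    bucket = int(now) // interval + offset    # offset shifts by whole buckets
    mac = hmac.new(key, struct.pack(">Q", bucket), hashlib.sha1).digest()
    return base64.b64encode(mac).decode("ascii")


def verify(token: str, key_b64: str, interval: int, now: float, skew: int = 1) -> bool:
    """Accept a token from the current bucket or up to `skew` buckets either side."""
    ok = False
    for off in range(-skew, skew + 1):
        expected = time_hmac_sha1(key_b64, interval, off, now)
        # Constant-time comparison; every candidate is checked, with no early exit.
        ok |= hmac.compare_digest(token.encode("utf-8"), expected.encode("ascii"))
    return ok


# Constructed sample values: a binary key containing NUL bytes and a fixed clock.
KEY_B64 = base64.b64encode(b"\x00secret\x00key").decode("ascii")
NOW = 1_700_000_000  # falls 20 seconds into its 60-second bucket

if __name__ == "__main__":
    token = time_hmac_sha1(KEY_B64, 60, 0, NOW)
    for delta in (0, 39, 60, 120, -60, -120):
        print(f"verifier clock {delta:+5d}s -> accepted: "
              f"{verify(token, KEY_B64, 60, NOW + delta)}")
```

Widening skew beyond 1 lengthens the window in which a captured token can be replayed, so it should stay as small as the expected clock drift allows.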
