URI string format
Each URI begins with a scheme name that refers to a specification for assigning identifiers within that scheme.
|The scheme name|
This scheme name is used by Authenticator apps to generate one-time passcodes using OATH.
The otpauth:// URI scheme was originally formalised by Google. Most authenticator apps register a handler for otpauth:// so the camera app knows how to prompt the user to launch the authenticator app when it’s scanned.
The type is needed to distinguish whether the credential will be used for counter-based HOTP or for time-based TOTP.
Read more about the difference between the two types of OATH credentials.
The label is used to identify which account a credential is associated with. It also serves as the unique identifier for the credential itself.
The label is created from:
|Issuer||A string value indicating the provider or service this account is associated with. It can be absent.|
|Account Name||A URI-encoded string that usually is the user's email address.|
The label prevents collisions between different accounts with different providers that might be identified using the same account name, e.g. the user's email address.
The issuer and account name should be separated by a literal or url-encoded colon, and optional spaces may precede the account name. Neither issuer nor account name may themselves contain a colon. According to RFC 5234 a valid label might look like:
The secret is provided by the website to the user in the QR code, both sides need to retain this secret key for one-time password generation.
The secret parameter is an arbitrary credential value encoded in Base32 according to RFC 3548.
The padding specified in RFC 3548 section 2.2 is not required and should be omitted.
There is Base32 helper class in the Yubico.Core library.
The issuer parameter is a string value indicating the provider or service the credential is associated with. It is URL-encoded according to RFC 3986.
Valid values corresponding to the label examples above would be:
The issuer parameter is recommended, but it can be absent. Also, the issuer parameter and issuer string in label should be equal.
The hash algorithm used by the credential. It is optional.
The number of digits in a one-time password (OTP).
|Valid number of digits|
The counter is only used if the type is HOTP.
The counter parameter is required when provisioning HOTP credentials. It will set the initial counter value.
Period is only used if the type is TOTP.
The period parameter defines a validity period in seconds for the TOTP code.
|Valid period in seconds|
The URI specification RFC 3986.