Overview

Generate TOTP codes for testing two-factor authentication flows. The step creates valid 6-digit codes that refresh every 30 seconds, automatically waits if a code is about to expire, and stores the result in a variable for use in subsequent steps like Fill.

Setting Up Your Secret Token

Before adding this step, obtain your TOTP secret from the application you’re testing.

If the application shows a text token

  1. Navigate to your app’s 2FA or security settings
  2. Look for “Manual Entry” or “Can’t scan QR code?”
  3. Copy the secret token (usually looks like JBSWY3DPEHPK3PXP)
  4. Store it as an environment variable in Supatest

If only a QR code is shown

  1. Screenshot the QR code during 2FA setup
  2. Use Token2 QR Decoder to extract the secret
  3. Copy the extracted token
  4. Store it as an environment variable in Supatest

Store the token securely

Recommended approach:
  1. Go to your Supatest environment settings
  2. Create a new variable (e.g., TOTP_SECRET)
  3. Set the type to secret so the value is masked
  4. Paste your token as the value
  5. Reference it in the step as {{env.TOTP_SECRET}}
This keeps tokens out of test code and allows different values per environment (dev, staging, production).
[Image: Environment variable setup for TOTP secret]

Using the Step

Add the Get TOTP Code step after actions that trigger 2FA (like clicking “Log In”). The form has two fields:
  • Secret Token: Enter {{env.TOTP_SECRET}} or paste a token directly (not recommended, since the secret then sits in the test itself rather than in a masked variable)
  • Variable: Auto-generated name like supatest_totp_0 that stores the 6-digit code
The step automatically handles timing. If fewer than 15 seconds remain in the current 30-second window, it waits for a fresh code so subsequent steps have enough time to use it.

Token format flexibility

The step accepts various formats and automatically cleans them:
  • Plain: JBSWY3DPEHPK3PXP
  • Spaces: JBSW Y3DP EHPK 3PXP
  • Dashes: JBSW-Y3DP-EHPK-3PXP
  • Lowercase: jbswy3dpehpk3pxp
All are sanitized to uppercase base32 (letters A-Z and digits 2-7).
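The sanitization rule above and the 15-second timing rule from "Using the Step", worked through as an added example (this is not Supatest's own code): it cleans the four token formats to uppercase base32, derives the 6-digit code per RFC 6238 (HMAC-SHA1 and a 30-second step are assumed, the usual defaults), and waits for the next window when fewer than 15 seconds remain. The secret is the RFC 6238 test key, not a real token.

```python
import base64
import hashlib
import hmac
import re
import struct
import time

BASE32_ALPHABET = "ABCDEFGHIJKLMNOPQRSTUVWXYZ234567"
TIME_STEP = 30       # seconds per TOTP window
MIN_REMAINING = 15   # below this, wait for a fresh code (the step's rule)

# RFC 6238 reference key "12345678901234567890" in base32 (a test vector, not a real secret)
RFC6238_SECRET = "GEZDGNBVGY3TQOJQGEZDGNBVGY3TQOJQ"


def sanitize_secret(raw: str) -> str:
    """Strip spaces and dashes, uppercase, keep only base32 characters (A-Z, 2-7)."""
    cleaned = re.sub(r"[\s-]", "", raw).upper()
    cleaned = "".join(ch for ch in cleaned if ch in BASE32_ALPHABET)
    if not cleaned:
        raise ValueError("Secret token is empty after sanitization")
    return cleaned


def totp(secret_b32: str, at: int, digits: int = 6, step: int = TIME_STEP) -> str:
    """RFC 6238: HMAC-SHA1 over the 8-byte big-endian counter floor(at / step)."""
    cleaned = sanitize_secret(secret_b32)
    key = base64.b32decode(cleaned + "=" * (-len(cleaned) % 8))  # restore padding
    counter = struct.pack(">Q", at // step)
    digest = hmac.new(key, counter, hashlib.sha1).digest()
    offset = digest[-1] & 0x0F                                     # dynamic truncation
    code = struct.unpack(">I", digest[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)


def seconds_remaining(at: int, step: int = TIME_STEP) -> int:
    """Seconds left in the window that contains timestamp `at`."""
    return step - (at % step)


def get_totp_code(secret_b32: str, now=None, sleep=time.sleep):
    """Return (code, waited_seconds). Mirrors the step: if under 15 s remain in
    the current window, wait for the next one so later steps have time to use it."""
    now = int(time.time()) if now is None else int(now)
    remaining = seconds_remaining(now)
    waited = 0
    if remaining < MIN_REMAINING:
        waited = remaining
        sleep(waited)
        now += waited
    return totp(secret_b32, now), waited
```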

Example: Login with 2FA

Goal: Automate a complete login flow including two-factor authentication.
  1. Fill → Email field with test@example.com
  2. Fill → Password field with {{env.TEST_PASSWORD}}
  3. Click → Login button
  4. Get TOTP Code → Secret Token: {{env.TOTP_SECRET}}
  5. Fill → 2FA code field with {{vars.supatest_totp_0}}
  6. Click → Verify button
The generated code is valid for at least 15 seconds after step 4 completes, giving steps 5 and 6 time to run.
[Image: Complete 2FA login flow with TOTP]

Best Practices

Security:
  • Always store tokens in environment variables marked as secrets
  • Use separate test accounts for automation, not real user accounts
  • Rotate tokens periodically and store backup codes separately
Reliability:
  • Let the step handle timing; don’t add manual waits
  • Verify time synchronization if codes are consistently rejected
  • Use descriptive variable names for multiple accounts (e.g., ADMIN_TOTP_SECRET, USER_TOTP_SECRET)
Variable usage:
  • Each step creates a unique variable: supatest_totp_0, supatest_totp_1, etc.
  • Reference them in Fill steps via {{vars.supatest_totp_0}}
  • Codes remain valid for at least 15 seconds after generation

Troubleshooting

“Secret token is empty after sanitization”

The token contains invalid characters. TOTP secrets must be base32 (A-Z and 2-7). Fix:
  • Check the environment variable is set correctly
  • Verify no typos in {{env.TOTP_SECRET}}
  • Re-extract the token from the QR code if copied incorrectly

Code not accepted by the application

Common causes:
  • Time mismatch: Test runner clock differs from server time
  • Wrong secret: Token doesn’t match the one configured in the app
  • Expired code: Long delays between generation and submission (check for slow steps or waits)
Fix:
  • Verify system time is accurate on your test runner
  • Set up 2FA again in the application to get a fresh token
  • Check if the app uses a non-standard interval (some use 60 seconds instead of 30)

Environment variable not resolving

The step shows {{env.TOTP_SECRET}} literally instead of the value. Fix:
  • Ensure the variable exists in the environment selected for the test run
  • Variable names are case-sensitive; confirm the name matches exactly
  • Check the variable has a value assigned (not blank)

Multiple accounts generate the same code

Each account must have its own secret token. The step only generates different codes if given different secrets. Fix:
  • Create separate environment variables: ADMIN_TOTP_SECRET, USER_TOTP_SECRET
  • Use the correct variable for each account’s Get TOTP Code step
  • Verify each step stores to a different variable: supatest_totp_0, supatest_totp_1

Related Steps

  • Fill: Enter the generated code into 2FA input fields
  • Navigate: Navigate to 2FA setup pages
  • Run Python: Complex token handling or custom TOTP logic
  • API Request: Fetch TOTP secrets dynamically from APIs
  • Check Email: Alternative verification via email codes