Get TOTP Code

​

Overview

Generate TOTP codes for testing two-factor authentication flows. The step creates valid 6-digit codes that refresh every 30 seconds, automatically waits if a code is about to expire, and stores the result in a variable for use in subsequent steps like Fill.

​

Setting Up Your Secret Token

Before adding this step, obtain your TOTP secret from the application you’re testing.

​

If the application shows a text token

1. Navigate to your app’s 2FA or security settings
2. Look for “Manual Entry” or “Can’t scan QR code?”
3. Copy the secret token (usually looks like JBSWY3DPEHPK3PXP)
4. Store it as an environment variable in Supatest

​

If only a QR code is shown

1. Screenshot the QR code during 2FA setup
2. Use Token2 QR Decoder to extract the secret
3. Copy the extracted token
4. Store it as an environment variable in Supatest

​

Store the token securely

Recommended approach:

1. Go to your Supatest environment settings
2. Create a new variable (e.g., TOTP_SECRET)
3. Set the type to secret so the value is masked
4. Paste your token as the value
5. Reference it in the step as {{env.TOTP_SECRET}}

This keeps tokens out of test code and allows different values per environment (dev, staging, production).

​

Using the Step

Add the Get TOTP Code step after actions that trigger 2FA (like clicking “Log In”). The form has two fields:

• Secret Token: Enter {{env.TOTP_SECRET}} or paste a token directly (not recommended for security)
• Variable: Auto-generated name like supatest_totp_0 that stores the 6-digit code

The step automatically handles timing. If fewer than 15 seconds remain in the current 30-second window, it waits for a fresh code so subsequent steps have enough time to use it.

​

Token format flexibility

The step accepts various formats and automatically cleans them:

• Plain: JBSWY3DPEHPK3PXP
• Spaces: JBSW Y3DP EHPK 3PXP
• Dashes: JBSW-Y3DP-EHPK-3PXP
• Lowercase: jbswy3dpehpk3pxp

All are sanitized to uppercase base32 (letters A-Z and digits 2-7).

​

Response Format

When the Get TOTP Code step executes, it generates a 6-digit numeric code and stores it as a string in the specified variable.

​

Generated Value

Variable name: supatest_totp_0 (auto-generated) Stored value: "123456" (example - actual code changes every 30 seconds)

​

Accessing the TOTP Code

In Fill steps:

• Enable “Use variables” toggle
• Select the TOTP variable: ${supatest_totp_0}
• The 6-digit code will be entered into the field

In expressions:

• Reference as: ${vars.supatest_totp_0}
• Or: testVars['supatest_totp_0']

In API requests:

• Include in body: {"code": "${supatest_totp_0}"}
• Include in headers: Authorization: TOTP ${supatest_totp_0}

​

Example Values

The step generates standard 6-digit TOTP codes like:

• "042891"
• "738291"
• "000123"
• "999887"

Note: Leading zeros are preserved in the string value.

​

Multiple TOTP Steps

If you use multiple Get TOTP Code steps in a test (e.g., for different accounts), each creates a unique variable:

1. First step: supatest_totp_0 → "123456"
2. Second step: supatest_totp_1 → "789012"
3. Third step: supatest_totp_2 → "345678"

Each code is valid for at least 15 seconds after generation.

​

Example: Login with 2FA

Goal: Automate a complete login flow including two-factor authentication.

1. Fill → Email field with [email protected]
2. Fill → Password field with {{env.TEST_PASSWORD}}
3. Click → Login button
4. Get TOTP Code → Secret Token: {{env.TOTP_SECRET}}
5. Fill → 2FA code field with {{vars.supatest_totp_0}}
6. Click → Verify button

The generated code is valid for at least 15 seconds after step 4 completes, giving steps 5 and 6 time to run.

​

Best Practices

Security:

• Always store tokens in environment variables marked as secrets
• Use separate test accounts for automation, not real user accounts
• Rotate tokens periodically and store backup codes separately

Reliability:

• Let the step handle timing; don’t add manual waits
• Verify time synchronization if codes are consistently rejected
• Use descriptive variable names for multiple accounts (e.g., ADMIN_TOTP_SECRET, USER_TOTP_SECRET)

Variable usage:

• Each step creates a unique variable: supatest_totp_0, supatest_totp_1, etc.
• Reference them in Fill steps via {{vars.supatest_totp_0}}
• Codes remain valid for at least 15 seconds after generation

​

Troubleshooting

​

”Secret token is empty after sanitization”

The token contains invalid characters. TOTP secrets must be base32 (A-Z and 2-7). Fix:

• Check the environment variable is set correctly
• Verify no typos in {{env.TOTP_SECRET}}
• Re-extract the token from the QR code if copied incorrectly

​

Code not accepted by the application

Common causes:

• Time mismatch: Test runner clock differs from server time
• Wrong secret: Token doesn’t match the one configured in the app
• Expired code: Long delays between generation and submission (check for slow steps or waits)

Fix:

• Verify system time is accurate on your test runner
• Re-setup 2FA in the application to get a fresh token
• Check if the app uses a non-standard interval (some use 60 seconds instead of 30)

​

Environment variable not resolving

The step shows {{env.TOTP_SECRET}} literally instead of the value. Fix:

• Ensure the variable exists in the environment selected for the test run
• Variable names are case-sensitive, confirm exact match
• Check the variable has a value assigned (not blank)

​

Multiple accounts generate the same code

Each account must have its own secret token. The step only generates different codes if given different secrets. Fix:

• Create separate environment variables: ADMIN_TOTP_SECRET, USER_TOTP_SECRET
• Use the correct variable for each account’s Get TOTP Code step
• Verify each step stores to a different variable: supatest_totp_0, supatest_totp_1

​

Related Steps

• Fill: Enter the generated code into 2FA input fields
• Navigate: Navigate to 2FA setup pages
• Run Python: Complex token handling or custom TOTP logic
• API Request: Fetch TOTP secrets dynamically from APIs
• Check Email: Alternative verification via email codes