The otpauth URI Scheme

Internet-Draft	otpauth-uri	February 2026
Escobar	Expires 23 August 2026	[Page]

Abstract

This document defines syntax and processing rules for the otpauth: URI scheme used to provision one-time-password (OTP) credentials (verification codes).¶

This document defines a common baseline for interoperability, including issuer handling rules that improve account matching while maintaining compatibility with existing deployments.¶

Status of This Memo

This Internet-Draft is submitted in full conformance with the provisions of BCP 78 and BCP 79.¶

Internet-Drafts are working documents of the Internet Engineering Task Force (IETF). Note that other groups may also distribute working documents as Internet-Drafts. The list of current Internet-Drafts is at https://datatracker.ietf.org/drafts/current/.¶

Internet-Drafts are draft documents valid for a maximum of six months and may be updated, replaced, or obsoleted by other documents at any time. It is inappropriate to use Internet-Drafts as reference material or to cite them other than as "work in progress."¶

This Internet-Draft will expire on 23 August 2026.¶

Copyright Notice

This document is subject to BCP 78 and the IETF Trust's Legal Provisions Relating to IETF Documents (https://trustee.ietf.org/license-info) in effect on the date of publication of this document. Please review these documents carefully, as they describe your rights and restrictions with respect to this document. Code Components extracted from this document must include Revised BSD License text as described in Section 4.e of the Trust Legal Provisions and are provided without warranty as described in the Revised BSD License.¶

1. Introduction

The otpauth: URI scheme is used to transfer OTP configuration, including a shared secret and related parameters, into OTP clients. The scheme is currently registered with IANA as a provisional URI scheme [URI-SCHEMES].¶

Current ecosystem behavior is primarily described by vendor documentation, including Google's otpauth key URI format [GOOGLE-KEYURI] and Apple's verification code guidance [APPLE-VERIFICATION-CODES]. Those documents are largely aligned, but differ on semantics for issuer information.¶

This document defines interoperable behavior for URI producers and consumers, with emphasis on reliable account association in modern password managers.¶

2. Conventions and Definitions

The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT", "SHOULD", "SHOULD NOT", "RECOMMENDED", "NOT RECOMMENDED", "MAY", and "OPTIONAL" in this document are to be interpreted as described in BCP 14 [RFC2119] [RFC8174] when, and only when, they appear in all capitals, as shown here.¶

This specification uses the Augmented Backus-Naur Form (ABNF) notation defined in [RFC5234].¶

This specification uses the OTP concepts from [RFC4226] and [RFC6238]. In this document, secret, issuer, and account identify credential attributes associated with HOTP and TOTP methods.¶

The term URI is imported from [RFC3986]. Mentions of "query string" in this document refer to the URI query component defined in Section 3.4 of [RFC3986].¶

The Base16, Base32, and Base64 data encodings referenced in this document are from [RFC4648].¶

The terms "producer" and "consumer" are used throughout:¶

A producer creates an otpauth: URI.¶
A consumer parses and imports an otpauth: URI.¶

3. URI Format

An otpauth: URI uses this general form:¶

otpauth://<type>/<label>?<parameters>

where <type> identifies the OTP algorithm family and <parameters> contains URL query parameters.¶

3.1. Syntax

The syntax is defined using ABNF from [RFC5234] and URI productions from [RFC3986].¶

uri = "otpauth://" otp-type "/" label "?" parameter
      *( "&" parameter )

otp-type = "totp" / "hotp"

label = issuer-label ( ":" / "%3A" ) *"%20" account
        / issuer-label