@StevenACoffman
Forked from kamilhism/oktaverify2totp.md
Created February 19, 2026 00:01
Get TOTP secret key for Okta Verify
  1. Get the content of the QR code shown during Okta Verify app setup. It looks like this: oktaverify://email@domain.com/?t=XXXXX&f=YYYYY&s=https://DOMAIN.okta.com&issuer=DOMAIN.okta.com&isIdxEnabled=true
  2. Replace XXXXX, YYYYY and DOMAIN with your values in the curl command below:
curl --request POST \
  --url https://DOMAIN.okta.com/idp/authenticators \
  --header 'Accept: application/json; charset=UTF-8' \
  --header 'Accept-Encoding: gzip, deflate' \
  --header 'Authorization: OTDT XXXXX' \
  --header 'Content-Type: application/json; charset=UTF-8' \
  --header 'User-Agent: D2DD7D3915.com.okta.android.auth/6.8.1 DeviceSDK/0.19.0 Android/7.1.1 unknown/Google' \
  --data '{
	"authenticatorId": "YYYYY",
	"device": {
		"clientInstanceBundleId": "com.okta.android.auth",
		"clientInstanceDeviceSdkVersion": "DeviceSDK 0.19.0",
		"clientInstanceVersion": "6.8.1",
		"clientInstanceKey": {
			"alg": "RS256",
			"e": "AQAB\n",
			"okta:isFipsCompliant": false,
			"okta:kpr": "SOFTWARE",
			"kty": "RSA",
			"use": "sig",
			"kid": "OpSRC6wLx4oPnqGBUuLz-WL7_knbK_UhClzjvt1cpOw",
			"n": "u0Y1ygDJ61AghDiEqeGW7lCv4iW2gLOON0Aw-Tm53xQW7qB94MUNVjua8KuYyxS-1pxf58u0pCpVhQxSgZJGht5Z7Gmc0geVuxRza3B_TFLd90SFlEdE3te6IkH28MqDu2rQtonYowVedHXZpOii6QBLPjqP6Zm3zx9r7WokpSvY9fnp8zjixuAUuA0XYhv6EwedfvSiz3t84N-nV0R1cN5Ni8os6sG4K6F8ZSr7E4aXTzvOfJIWa9MC1Lx_J4M7HIUuUH7LV7PN_h5yYk8b-2fW4g3_3h13mQ-blx2qMXclr6uuBc13tLLks7LzY3S34y2K060gHMMWCM4MQ77Mrw"
		},
		"deviceAttestation": {},
		"displayName": "1Password",
		"fullDiskEncryption": false,
		"isHardwareProtectionEnabled": false,
		"manufacturer": "unknown",
		"model": "Google",
		"osVersion": "25",
		"platform": "ANDROID",
		"rootPrivileges": true,
		"screenLock": false,
		"secureHardwarePresent": false
	},
	"key": "okta_verify",
	"methods": [
		{
			"isFipsCompliant": false,
			"supportUserVerification": false,
			"type": "totp"
		}
	]
}'
  3. Send this request and get the sharedSecret value from the response. This is your TOTP secret key. Paste it into the corresponding app (e.g. 1Password) and enjoy!

Notes:

  • This request creates a new device named "1Password" in https://DOMAIN.okta.com/enduser/settings in the "Security Methods" block
  • If it returns an invalid session error, your QR's content has probably expired
  • If it returns 400 and complains about clientInstanceKey, try replacing kid and n with values from https://DOMAIN.okta.com/oauth2/v1/keys
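
For steps 1 and 2, the QR content can be split into the three substituted values by a small parser that also checks where the one-time token would be sent. This is an added example, not part of the original gist; the function name, the returned keys and the rule that s must be a bare https origin matching issuer are assumptions based on the sample URI in step 1.

```python
from urllib.parse import parse_qs, urlsplit

REQUIRED = ("t", "f", "s", "issuer")


def parse_okta_verify_uri(uri):
    """Return the values step 2 substitutes into the curl request."""
    parts = urlsplit(uri.strip())
    if parts.scheme != "oktaverify":
        raise ValueError("expected an oktaverify:// URI")
    query = parse_qs(parts.query, strict_parsing=True)
    for name in REQUIRED:
        # A repeated parameter is ambiguous, so treat it like a missing one.
        if len(query.get(name, [])) != 1:
            raise ValueError(f"parameter {name!r} must appear exactly once")
    server = urlsplit(query["s"][0])
    host = server.hostname or ""
    # The one-time token in t is sent to this host, so accept only a bare
    # https origin: no userinfo, port, path, query or fragment.
    if (server.scheme != "https" or server.netloc.lower() != host
            or server.path not in ("", "/") or server.query or server.fragment):
        raise ValueError("s is not a bare https origin")
    # Assumption: s and issuer must name the same host, as in the page's sample.
    if query["issuer"][0].lower() != host:
        raise ValueError("issuer does not match the host in s")
    return {
        "account": parts.netloc,
        "authorization": "OTDT " + query["t"][0],      # Authorization header
        "authenticator_id": query["f"][0],             # "authenticatorId" field
        "endpoint": f"https://{host}/idp/authenticators",
    }


# Constructed sample in the shape shown in step 1 (placeholder values).
SAMPLE = ("oktaverify://email@domain.com/?t=XXXXX&f=YYYYY"
          "&s=https://DOMAIN.okta.com&issuer=DOMAIN.okta.com&isIdxEnabled=true")

if __name__ == "__main__":
    for key, value in parse_okta_verify_uri(SAMPLE).items():
        print(f"{key}: {value}")
```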