Authenticator API.com

An API for Google Authenticator

To use Google Authenticator as a two-factor authentication method, you must first pair with the user's Google Authenticator app by displaying a QR code to them. This QR code is generated from a secret code that only you know. When the user logs in, they enter the code displayed in their authenticator app, which you validate against the same secret code used for pairing.

You can use the web service to pair, or call "https://www.authenticatorApi.com/pair.aspx" with the following parameters:

  • AppName - Your application name, something brief, but recognizable
  • AppInfo - Typically the user's name
  • SecretCode - A secret code that only you know

Example:
https://www.authenticatorApi.com/pair.aspx?AppName=MyApp&AppInfo=John&SecretCode=12345678BXYT

You can use the web service to validate a pin, or call "https://www.authenticatorApi.com/Validate.aspx" with the following parameters:

  • Pin - The 6-digit code the user reads from their authenticator app
  • SecretCode - The secret code used during pairing

Example:
https://www.authenticatorApi.com/Validate.aspx?Pin=123456&SecretCode=12345678BXYT

What is Two-Factor Authentication (2FA)?

Two-factor authentication (2FA) is a security mechanism that requires users to provide two separate forms of verification before gaining access to an account or system. The first factor is typically something the user knows — such as a password — while the second factor is something the user possesses, such as a time-sensitive code generated by an authenticator app.

By requiring both factors, 2FA dramatically reduces the risk of unauthorised access, even if a user’s password has been compromised. Authenticator app-based 2FA is considered significantly more secure than SMS-based alternatives, which are vulnerable to SIM-swapping and interception attacks.


What is TOTP?

TOTP stands for Time-based One-Time Password, the open standard (defined in RFC 6238) that underpins Google Authenticator, Authy, Microsoft Authenticator, and most other authenticator apps.

A TOTP code is derived from a shared secret key and the current Unix timestamp, producing a new 6-digit code every 30 seconds. Because codes expire rapidly and the shared secret never travels over the network during login, TOTP is highly resistant to phishing and replay attacks. The algorithm is an open standard, meaning any compliant implementation — including this API — is fully interoperable with Google Authenticator and other TOTP-compatible apps.


About This API

AuthenticatorAPI.com provides a simple, free, hosted REST API that allows developers to add Google Authenticator-compatible two-factor authentication to any application, regardless of programming language or platform.

There are no SDKs to install and no libraries to manage — just standard HTTP GET requests. The API exposes two core operations:

Pairing
Generates a QR code that the user scans with their Google Authenticator app. The QR code encodes your application name, a user identifier, and a shared secret that you supply. Once scanned, the authenticator app begins generating TOTP codes tied to that secret.
Validation
Verifies that a 6-digit PIN entered by a user matches the expected TOTP value for a given secret at the current moment in time. The API handles the time-window logic, accepting codes from a small interval around the current 30-second window to account for clock drift.
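The following is an added example, not the code behind AuthenticatorAPI.com, showing what "TOTP" and the validation time window described above mean in practice. It implements RFC 4226 HOTP and RFC 6238 TOTP with the Google Authenticator defaults (HMAC-SHA1, 30-second step, 6 digits) in Python's standard library, and validates a PIN against the current step plus one step either side. The +/-1 step window and the constant-time comparison are this example's own choices; the page only says the hosted API accepts "a small interval" around the current window. The secret is handled as raw key bytes; the values in the comments are the published RFC 6238 test vectors for the key "12345678901234567890".

```python
import base64
import hashlib
import hmac
import struct
import time
from typing import Optional

STEP_SECONDS = 30   # RFC 6238 default time step, the value Google Authenticator uses
DIGITS = 6          # length of the code the authenticator app displays


def hotp(secret: bytes, counter: int, digits: int = DIGITS) -> str:
    """RFC 4226 HOTP: HMAC-SHA1 over the 8-byte big-endian counter, dynamically truncated."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F                                   # low nibble of last byte
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % (10 ** digits)).zfill(digits)           # keep leading zeros


def totp(secret: bytes, at: Optional[int] = None) -> str:
    """RFC 6238 TOTP: HOTP with the counter set to the current 30-second step."""
    if at is None:
        at = int(time.time())
    return hotp(secret, at // STEP_SECONDS)


def validate(secret: bytes, pin: str, at: Optional[int] = None, window: int = 1) -> bool:
    """Accept the PIN if it matches the code for the current step or any step within
    +/- `window` steps, which tolerates small clock drift between server and phone."""
    if not (len(pin) == DIGITS and pin.isascii() and pin.isdigit()):
        return False                                          # malformed input, never a match
    if at is None:
        at = int(time.time())
    step = at // STEP_SECONDS
    matched = False
    for offset in range(-window, window + 1):
        # constant-time compare so timing does not reveal how many digits matched;
        # no early exit, so the loop takes the same time whichever step matches
        if hmac.compare_digest(hotp(secret, step + offset), pin):
            matched = True
    return matched


def decode_base32_secret(text: str) -> bytes:
    """Turn a Base32 secret as stored in your database (any case, with or without
    padding or spaces) into the raw key bytes the HMAC needs."""
    cleaned = text.strip().replace(" ", "").upper()
    cleaned += "=" * (-len(cleaned) % 8)                     # restore '=' padding
    return base64.b32decode(cleaned)


if __name__ == "__main__":
    key = b"12345678901234567890"        # RFC 6238 Appendix B test key
    print(totp(key, 59))                  # 287082 (RFC value 94287082, last 6 digits)
    print(totp(key, 1111111109))          # 081804
    print(validate(key, "287082", at=89)) # True: step 1 is within one step of step 2
```

Because the page describes the hosted API as an RFC 6238-compliant implementation, a self-hosted or offline verifier built this way will accept the same codes the app shows, provided both sides share the same secret bytes and their clocks are within the window.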

How It Works

Integrating Google Authenticator into your app takes just a few steps:

  1. When a user opts in to 2FA, your application calls the Pair endpoint with your app name, a user identifier, and a secret code that you generate and store securely.
  2. The API returns a QR code image URL that you display to the user.
  3. The user opens their Google Authenticator app, taps the + button, and scans the QR code.
  4. From that point on, whenever the user logs in, they enter the 6-digit code currently shown in their authenticator app.
  5. Your application calls the Validate endpoint with the entered PIN and the original secret code.
  6. The API returns true or false — and you grant or deny access accordingly.

Use Cases

AuthenticatorAPI.com is suitable for any scenario where you need to add a second layer of authentication without building TOTP logic from scratch.

Web Applications

Protect admin panels, customer accounts, or sensitive data with a simple API call during login.

Internal Tools

Add 2FA to internal dashboards or employee portals without complex infrastructure or dependencies.

Legacy Systems

Retrofit two-factor authentication onto existing systems that don’t natively support it.

Rapid Prototyping

Add working 2FA to a prototype in minutes using any language that can make HTTP GET requests.


Security Considerations

When implementing two-factor authentication, keep the following best practices in mind:

  • Keep your secret codes secure. The secret code used during pairing should be stored in your database in encrypted form and never exposed to the client or included in client-side code.
  • Use HTTPS. Always call the API over HTTPS to prevent the secret code from being intercepted in transit.
  • Generate unique secrets per user. Each user should have their own randomly generated secret code, so that a compromise of one account does not affect others.
  • The API is stateless. AuthenticatorAPI.com does not store your secret codes. They are used transiently during each request to generate or validate a TOTP value and are never logged or persisted.
  • Use a cryptographically random secret. Generate your secret codes using a secure random number generator. A Base32-encoded string of at least 16 characters is recommended for adequate entropy.
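As an added example (not the project's own code) that ties the "How It Works" steps to the last bullet above, the following Python builds the Pair and Validate request URLs from the page's documented parameters and generates the per-user secret from the operating system's CSPRNG. Ten random bytes give the 16 Base32 characters (80 bits) the page calls a minimum; the 20-byte default gives 32 characters (160 bits). The `otpauth://` Key URI is what Google Authenticator reads from a QR code; that the hosted pair endpoint encodes exactly this format is an assumption, since the page only lists what the QR contains.

```python
import base64
import secrets
from urllib.parse import quote, urlencode

# Endpoints exactly as documented on the page
PAIR_URL = "https://www.authenticatorApi.com/pair.aspx"
VALIDATE_URL = "https://www.authenticatorApi.com/Validate.aspx"
BASE32_ALPHABET = set("ABCDEFGHIJKLMNOPQRSTUVWXYZ234567")


def make_secret(num_bytes: int = 20) -> str:
    """Per-user shared secret from the OS CSPRNG, Base32-encoded, padding stripped.
    10 bytes -> 16 characters (80 bits); 20 bytes -> 32 characters (160 bits)."""
    if num_bytes < 10:
        raise ValueError("use at least 10 bytes (16 Base32 characters)")
    return base64.b32encode(secrets.token_bytes(num_bytes)).decode("ascii").rstrip("=")


def is_base32(secret_code: str) -> bool:
    """Check a stored secret is at least 16 characters of the RFC 4648 Base32 alphabet."""
    return len(secret_code) >= 16 and set(secret_code) <= BASE32_ALPHABET


def build_pair_url(app_name: str, app_info: str, secret_code: str) -> str:
    """Step 1: Pair request. urlencode escapes spaces, '&' and '=' in user-supplied
    values so an account name cannot inject extra query parameters."""
    params = {"AppName": app_name, "AppInfo": app_info, "SecretCode": secret_code}
    return PAIR_URL + "?" + urlencode(params)


def build_validate_url(pin: str, secret_code: str) -> str:
    """Step 5: Validate request, sent on every login with the PIN the user typed."""
    if not (len(pin) == 6 and pin.isascii() and pin.isdigit()):
        raise ValueError("PIN must be exactly six ASCII digits")
    return VALIDATE_URL + "?" + urlencode({"Pin": pin, "SecretCode": secret_code})


def build_otpauth_uri(app_name: str, app_info: str, secret_code: str) -> str:
    """Key URI that authenticator apps read from a QR code (assumed to be what the
    hosted pair endpoint encodes). Label is 'issuer:account', percent-encoded."""
    label = quote(f"{app_name}:{app_info}", safe="")
    return f"otpauth://totp/{label}?" + urlencode({"secret": secret_code, "issuer": app_name})


if __name__ == "__main__":
    secret = make_secret()                      # generate once per user, store encrypted
    print(build_pair_url("MyApp", "John", secret))
    print(build_otpauth_uri("MyApp", "John", secret))
    print(build_validate_url("123456", secret))
```

Note that the page's sample value 12345678BXYT does not pass `is_base32` (0, 1, 8 and 9 are outside the Base32 alphabet), so if the same secret must also feed a standard RFC 6238 library, generate it with `make_secret` instead. The secret is sent to the hosted service as a query-string parameter on every call, which is why the page insists on HTTPS; also keep such URLs out of access logs and browser history on your side.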

Open Source

The full source code for this API is available on GitHub. You are welcome to inspect the implementation, self-host it, or contribute improvements. The codebase serves as a useful reference for anyone wanting to understand how TOTP generation and validation works in practice, and is freely available under an open licence.