Mailgent
TOTP

Your agent can handle 2FA.

Store TOTP seeds and generate 6-digit codes on demand. Combined with email-based verification — your agent has an inbox — agents complete any authentication flow autonomously.

6-digit code generation

30s rotation window

Email + TOTP dual 2FA support

TOTP generation

totp-auth.ts
const API = "https://api.mailgent.dev/v0"
const headers = {
  "Authorization": "Bearer mgent-a3f91b00...",
  "Content-Type": "application/json",
}

// PUT /v0/vault/:name — Store a credential with TOTP secret
await fetch(`${API}/vault/github-login`, {
  method: "PUT",
  headers,
  body: JSON.stringify({
    type: "LOGIN",
    data: {
      username: "agent-sales",
      password: "s3cur3-p@ss",
      secret: "JBSWY3DPEHPK3PXP",  // TOTP seed from QR code
    },
  }),
})

// GET /v0/vault/:name/totp — Generate current 6-digit code
const { code, remaining } = await fetch(
  `${API}/vault/github-login/totp`,
  { headers }
).then(r => r.json())

console.log(code)       // "349281"
console.log(remaining)  // 18 (seconds until next code)

Email-based 2FA flow

email-verification.ts
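// Assumes API and headers from totp-auth.ts; browser (an automation handle)
// and generatedPassword are supplied by the surrounding agent code.
// Agent signs up for a service using its own email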
await browser.fill("email", "sales-x8k2m@mailgent.dev")
await browser.submit()

// Service sends verification code to agent's inbox
await new Promise(r => setTimeout(r, 5000))

// GET /v0/messages?labels=unread — Read the verification email
const { messages } = await fetch(
  `${API}/messages?labels=unread&limit=1`,
  { headers }
).then(r => r.json())

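// extractedText strips noise, leaving just the verification content.
// \b...\b avoids matching six digits inside a longer number; optional
// chaining covers an inbox where the email has not arrived yet.
const verificationCode = messages?.[0]?.extractedText?.match(/\b\d{6}\b/)?.[0]
if (!verificationCode) throw new Error("no 6-digit verification code in unread mail")

// Complete verification
await browser.fill("code", verificationCode)
await browser.submit()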

// PUT /v0/vault/:name — Store the new service credentials
await fetch(`${API}/vault/new-service-login`, {
  method: "PUT",
  headers,
  body: JSON.stringify({
    type: "LOGIN",
    data: {
      username: "sales-x8k2m@mailgent.dev",
      password: generatedPassword,
    },
  }),
})

What's included.

TOTP code generation

Store the TOTP seed once during setup. Generate valid 6-digit codes on demand via a single API call. Supports standard SHA-1 and SHA-256 algorithms with configurable digit count and rotation period. Codes are RFC 6238 compliant.

Email-based 2FA

When a service sends a verification code to your agent's inbox, the agent reads the message via the Inbox API, extracts the code from the clean extractedText field, and completes the verification flow. No human forwarding, no copy-pasting.

Autonomous service registration

Agent signs up for a new service using its own email address, receives the verification email, extracts the code, completes signup, enables 2FA, scans the TOTP QR seed, and stores everything in the Vault. End-to-end autonomous account creation.

Seeds never exposed

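TOTP seeds are stored with AES-256-GCM encryption and are never returned via the API or visible in the console. Only the time-limited 6-digit codes are accessible — and they expire in 30 seconds. Even if an API key is compromised, seeds remain protected. A valid API key can still request current codes from the totp endpoint, so the key itself must be protected like a credential.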

Remaining time awareness

Every TOTP response includes a remaining field showing how many seconds until the current code expires. Your agent can decide whether to use the current code or wait 2 seconds for a fresh one — avoiding failed logins from near-expiry codes.
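
The calculation behind the TOTP code generation and remaining-time passages above, as an added example (not Mailgent's implementation): a minimal RFC 6238 generator that can be checked against the RFC's published test vectors. The function names and the 3-second margin in msToWait are assumptions made for illustration.

```typescript
import { createHmac } from "node:crypto";

type Algo = "sha1" | "sha256";

// Decode an RFC 4648 base32 seed, the encoding used in authenticator QR codes.
function base32Decode(seed: string): Uint8Array {
  const alphabet = "ABCDEFGHIJKLMNOPQRSTUVWXYZ234567";
  const out: number[] = [];
  let bits = 0;
  let value = 0;
  for (const ch of seed.toUpperCase().replace(/[\s=]/g, "")) {
    const idx = alphabet.indexOf(ch);
    if (idx < 0) throw new Error(`invalid base32 character: ${ch}`);
    value = (value << 5) | idx;
    bits += 5;
    if (bits >= 8) {
      bits -= 8;
      out.push((value >>> bits) & 0xff);
      value &= (1 << bits) - 1; // keep only the bits not yet emitted
    }
  }
  return new Uint8Array(out);
}

// RFC 6238: HOTP (RFC 4226) keyed with the seed over counter = floor(t / period).
function totp(key: Uint8Array, unixSeconds: number, digits = 6,
              period = 30, algo: Algo = "sha1"): string {
  const counter = Math.floor(unixSeconds / period);
  const msg = Buffer.alloc(8); // 64-bit big-endian counter
  msg.writeUInt32BE(Math.floor(counter / 0x100000000), 0);
  msg.writeUInt32BE(counter >>> 0, 4);
  const mac = createHmac(algo, key).update(msg).digest();
  const offset = mac.readUInt8(mac.length - 1) & 0x0f; // dynamic truncation
  const binary = mac.readUInt32BE(offset) & 0x7fffffff;
  return (binary % 10 ** digits).toString().padStart(digits, "0");
}

// Seconds left in the current window (what a `remaining` field would report).
function remaining(unixSeconds: number, period = 30): number {
  return period - (Math.floor(unixSeconds) % period);
}

// Hypothetical policy: skip a code that expires within `margin` seconds.
function msToWait(unixSeconds: number, margin = 3, period = 30): number {
  const left = remaining(unixSeconds, period);
  return left < margin ? left * 1000 : 0;
}
```

Because the code is a pure function of the seed and the clock, anyone holding the seed can produce valid codes indefinitely, which is why the seed rather than the 6-digit code is the secret worth protecting.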

MCP integration

Generate TOTP codes directly from Claude Desktop, Cursor, or any MCP client using the vault.totp tool. Combined with vault.get for credentials, MCP-connected AI clients can complete full login flows including 2FA without writing API calls.

Use cases.

How agents use TOTP to operate autonomously on 2FA-protected services.

Third-party service login

Agent logs into GitHub, AWS Console, Salesforce, or any 2FA-protected service by retrieving stored credentials from Vault and generating a fresh TOTP code. Complete login flows including multi-factor authentication — fully autonomous.

Account provisioning at scale

Spin up agents that register on platforms, verify their email, enable 2FA, and store all credentials securely. Onboard your AI workforce to dozens of services without a human touching each signup flow manually.

Security-compliant automation

Many enterprise tools require 2FA for API and console access. TOTP ensures your agents meet security policies without requiring human intervention for every login. Maintain compliance while staying fully autonomous.

Regulated portal access

Agents access government portals, compliance platforms, and regulated services that mandate 2FA. Generate codes on demand, log in, check filing status, download documents, and report back — all without human handholding.

Financial platform access

Access banking APIs, payment dashboards, and financial tools that require 2FA for sensitive operations. Agent authenticates with TOTP, performs the transaction or data retrieval, and logs out — with full audit trail.

Recovery & re-authentication

When sessions expire or services force re-authentication, agents handle it automatically. No alerts to humans, no stale sessions, no broken workflows. The agent re-authenticates with fresh TOTP codes and continues working.

The superpower

Inbox + Vault + TOTP = complete auth autonomy.

No other platform gives agents this combination. Mailgent agents have a real email address (for email-based verification and 2FA), encrypted credential storage (for passwords and API keys), AND TOTP code generation (for authenticator-based 2FA). Your agent can sign up for a service, verify its email, enable 2FA, store the TOTP seed, and log in autonomously from that point forward. Every authentication flow a human with a phone could handle — your agent handles it too.