Mailgent

TOTP

Time-based one-time password — the six-digit code an authenticator app generates from a shared secret and the current time, used as a second factor at login.

TOTP stands for time-based one-time password. It's the rotating six-digit code an authenticator app shows you — derived from a secret shared at setup and the current time, so it changes every 30 seconds and can't be reused.

It's the most common second factor for logins. For an AI agent to get past a 2FA gate, it needs to hold that secret and generate the current code on demand.

How TOTP works

At setup, a service shares a secret (often as a QR code). Both sides compute an HMAC (HMAC-SHA-1 by default, per RFC 6238) over the number of the current 30-second time window, keyed with that secret, and truncate the result to the same six-digit code. The server accepts the code if it matches its own computation for the current window.

Because the code depends on the clock, it expires quickly and offers no value to an attacker after the window passes.
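
The computation described above, as an added example (not Mailgent's code): RFC 6238 TOTP with HMAC-SHA-1, plus the server-side check. It goes beyond the text by accepting one neighbouring window for clock drift and by refusing a window that was already accepted; `makeVerifier`, `SAMPLE_SECRET` and the drift default are assumptions of this example.

```typescript
import { createHmac, timingSafeEqual } from "node:crypto";

const STEP = 30; // seconds per time window, as described above
const B32 = "ABCDEFGHIJKLMNOPQRSTUVWXYZ234567";
// Constructed sample: the RFC 6238 test key "12345678901234567890" in base32.
const SAMPLE_SECRET = "GEZDGNBVGY3TQOJQGEZDGNBVGY3TQOJQ";

// Decode the base32 secret (the form carried in the setup QR code) to key bytes.
function base32Decode(s: string): Buffer {
  let bits = 0, value = 0;
  const out: number[] = [];
  for (const ch of s.toUpperCase().replace(/[\s=]/g, "")) {
    const idx = B32.indexOf(ch);
    if (idx < 0) throw new Error("invalid base32 character");
    value = ((value << 5) | idx) & 0xfff; // at most 7 leftover bits + 5 new ones
    bits += 5;
    if (bits >= 8) { bits -= 8; out.push((value >>> bits) & 0xff); }
  }
  return Buffer.from(out);
}

// RFC 4226 HOTP: HMAC-SHA-1 over the 8-byte big-endian counter, then truncate.
function hotp(key: Buffer, counter: number, digits = 6): string {
  const msg = Buffer.alloc(8);
  msg.writeUInt32BE(Math.floor(counter / 2 ** 32), 0);
  msg.writeUInt32BE(counter >>> 0, 4);
  const mac = createHmac("sha1", key).update(msg).digest();
  const bin = mac.readUInt32BE(mac.readUInt8(mac.length - 1) & 0x0f) & 0x7fffffff;
  return (bin % 10 ** digits).toString().padStart(digits, "0");
}

// RFC 6238 TOTP: the counter is the number of STEP-second windows since the epoch.
function totp(secretB32: string, unixSeconds: number): string {
  return hotp(base32Decode(secretB32), Math.floor(unixSeconds / STEP));
}

// Server side: constant-time compare over windows not yet accepted (no replay).
function makeVerifier(secretB32: string, drift = 1) {
  const key = base32Decode(secretB32);
  let last = -1; // highest window counter accepted so far
  return (code: string, unixSeconds: number): boolean => {
    const now = Math.floor(unixSeconds / STEP);
    for (let c = Math.max(0, now - drift, last + 1); c <= now + drift; c++) {
      const want = Buffer.from(hotp(key, c)), got = Buffer.from(code);
      if (got.length === want.length && timingSafeEqual(got, want)) { last = c; return true; }
    }
    return false;
  };
}
```

A real verifier keeps the last accepted window per account in persistent storage, so a restart does not reopen the replay window.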

TOTP for agents

Mailgent's vault stores the TOTP secret encrypted and generates valid codes when the agent calls vault_totp — so an agent can complete logins protected by an authenticator app without a phone. Backup codes are stored too, for recovery paths.

totp.ts
// store the secret once at setup (sample secret shown; take a real one from the enrollment flow, not from source code)
await vault_store({ key: "acme-login", totpSecret: "JBSWY3DPEHPK3PXP" });

// generate the current code at the 2FA gate
const code = await vault_totp({ key: "acme-login" }); // -> "402913"

FAQ

Is TOTP the same as SMS codes?

No. TOTP is generated locally from a secret and the clock; SMS codes are sent over the network. TOTP is generally more secure.

Can an agent use TOTP safely?

Yes. The secret stays encrypted in the vault, and the agent only retrieves generated codes through a scoped call.
