TOTP codes
A TOTP enrollment lets kovra custody the shared seed behind a time-based one-time-password (the 2FA codes from an authenticator app) and produce the current 6-digit code on demand. The seed is sealed like any other secret and is never revealed — only the derived code is ever printed.
Enroll a seed
kovra add --totp reads a seed from a hidden prompt or stdin — a base32 string or
a full otpauth:// URI. It never touches argv:
~ % kovra add secret:dev/app/totp --totp
Added dev/app/totp (Medium).

Windows — coming soon. The same model on Windows Hello + Credential Manager.
In the vault listing the entry shows a typed mode of
totp:<algorithm> (e.g. totp:sha1) rather than literal, so you can tell at a
glance it’s an enrollment and not a raw value.
Produce a code
kovra code prints the current code for an enrollment — and only the code, never
the seed:
~ % kovra code secret:dev/app/totp
278165
Producing a code is treated like a reveal: for a high or prod enrollment you
must bioProve it and it’s audited; low/medium print directly.
Scripting
When a script needs a code that won’t expire mid-use, --min-validity (-m)
guarantees the returned code has more than N seconds of life left, and forces
plain non-interactive output (the bare code, no countdown):
~ % kovra code secret:dev/app/totp -m 5
278165
If the current window has fewer than N seconds left, kovra waits for the next window and returns that code instead — so the value you get is always usable.
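
The window rule described above, as an added Python example (not kovra's own code): a standard RFC 6238 TOTP derivation from a base32 seed or otpauth:// URI, plus a min-validity check that rolls over to the next window. The function names, the 6-digit/30-second defaults, and treating exactly N seconds left as "not enough" are assumptions; the seed is the public RFC 6238 test key.

```python
# Added example (not kovra's code): RFC 6238 TOTP with a --min-validity-style rule.
import base64, hmac, struct
from urllib.parse import urlsplit, parse_qs

def parse_seed(text):
    """Accept a base32 string or an otpauth:// URI; return (key, algo, digits, period)."""
    text = text.strip()
    algo, digits, period = "sha1", 6, 30          # assumed defaults
    if text.lower().startswith("otpauth://"):
        uri = urlsplit(text)
        if uri.netloc.lower() != "totp":
            raise ValueError("not a TOTP enrollment")
        q = parse_qs(uri.query)
        text = q["secret"][0]
        algo = q.get("algorithm", ["SHA1"])[0].lower()
        digits = int(q.get("digits", ["6"])[0])
        period = int(q.get("period", ["30"])[0])
    if algo not in ("sha1", "sha256", "sha512"):
        raise ValueError("unsupported algorithm")
    b32 = text.replace(" ", "").upper()
    b32 += "=" * (-len(b32) % 8)                  # seeds usually omit base32 padding
    return base64.b32decode(b32), algo, digits, period

def hotp(key, counter, algo="sha1", digits=6):
    """RFC 4226: HMAC over the 8-byte counter, then dynamic truncation."""
    mac = hmac.new(key, struct.pack(">Q", counter), algo).digest()
    off = mac[-1] & 0x0F
    val = struct.unpack(">I", mac[off:off + 4])[0] & 0x7FFFFFFF
    return str(val % 10 ** digits).zfill(digits)

def code_with_min_validity(seed_text, now, min_validity=0):
    """Return (code, wait_seconds, seconds_valid_once_issued); the caller sleeps."""
    key, algo, digits, period = parse_seed(seed_text)
    if not 0 <= min_validity < period:
        raise ValueError("min_validity must be in [0, period)")
    counter, elapsed = divmod(int(now), period)
    remaining = period - elapsed
    wait = 0
    if remaining <= min_validity:                 # too little life left: use next window
        wait, counter, remaining = remaining, counter + 1, period
    return hotp(key, counter, algo, digits), wait, remaining

SEED = "GEZDGNBVGY3TQOJQGEZDGNBVGY3TQOJQ"         # RFC 6238 test key, not a real secret
if __name__ == "__main__":
    # 1 second left in the window at t=59, so the next window's code is returned
    print(code_with_min_validity(SEED, now=59, min_validity=5))
```

The function reports how long to wait instead of sleeping, so a caller can sleep for `wait_seconds` before submitting the code.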