Glewlwyd OTP Schema documentation

Single Sign On server, OAuth2, Openid Connect, multiple factor authentication with, HOTP/TOTP, FIDO2, TLS Certificates, etc. extensible via plugins

Glewlwyd OTP Schema documentation

License: CC BY 4.0


The OTP Schema implements authentication based on One-Time-Password using OATH standard defined in HOTP and TOTP.


In the administration page, go to Parameters/Authentication schemes and add a new scheme by clicking on the + button. In the modal, enter a name and a display name (the name must be unique among all authentication scheme instances), and a scheme session expiration in seconds. Select the type HOTP/TOTP in the Type drop-down button.

Below is the definition of all parameters.


Name (identifier) of the scheme, must be unique among all the scheme instances, even of a different type.

Display name

Name of the instance displayed to the user.

Expiration (seconds)

Number of seconds to expire a valid session.

Max use per session (0: unlimited)

Maximum number of times a valid authentication with this scheme is possible. This is an additional parameter used to enforce the security of the session and forbid to reuse this session for other authentications.

Allow users to register

If this option is unchecked, only administrator can register this scheme for every user via the administration page.


Address of the issuer of the OTP settings, i.e. the address of the webservice hosting Glewlwyd.

Secret minimum size

Size of the secret shared between the user and the server to authenticate the user. Minimum 16 bytes.

Code length

Length of the code that must be sent by the user, must be between 6 and 10, 6 or 8 is recommended.


Allow users to register an HOTP code.

HOTP window

Window validity of the HOTP code.


Allow users to register an TOTP code.

TOTP window

Window validity of the TOTP code in seconds.

Start offset

Start offset of the TOTP code related to Unix EPOCH time.