Overview

X-TOTP is XAPI's enterprise-grade Time-based One-Time Password (TOTP) vault designed for teams that need centralized control over all two-factor secrets. Every secret is encrypted with a per-account master key, while the browser UI delivers drag-and-drop QR parsing, automatic otpauth:// detection, live countdown refresh, and export/import flows, with no extensions required.

Quick Start

  1. Visit https://totp.xabcstack.com and sign in with your sk- prefixed XAPI private key.
  2. Click Add Token to enter a secret manually or upload a QR image.
  3. The resulting token card displays a six-digit code, a remaining-time ring, and a one-click copy button.
  4. Use the top-right export button to download an encrypted JSON backup, or import a token list exported from other authenticators.

Key Capabilities

  • Master-key encryption: Each account owns a dedicated encryption key; exported backups remain encrypted for safe offline storage.
  • QR decoding: Drag or upload QR images and X-TOTP reads otpauth:// payloads to prefill issuer/account/secret.
  • Bulk import/export: GET /x-totp/export and POST /x-totp/import make migrations effortless between platforms.
  • Live countdown: The front end keeps in-sync progress rings and refreshes codes when cycles reset, with no constant server polling.
  • Event-driven cleanup: When an account is disabled or deleted inside XAPI, its tokens are removed automatically for compliance.

API Reference

Method   Path              Description
GET      /x-totp           List all tokens with live codes and remaining seconds
POST     /x-totp           Create a token with name and BASE32 secret
DELETE   /x-totp/{id}      Remove a token by ID
GET      /x-totp/export    Export all tokens as an encrypted JSON backup
POST     /x-totp/import    Import tokens from a backup JSON

All endpoints require Authorization: Bearer <sk-...> headers.

Example: Create and Back Up a Token

export XAPI_KEY="your-xapi-key" # sk- prefixed key

# Create a new TOTP token
curl -X POST https://api.xabcstack.com/x-totp \
  -H "Content-Type: application/json" \
  -H "Authorization: Bearer $XAPI_KEY" \
  -d '{
      "name": "GitHub (team-bot)",
      "secret": "JBSWY3DPEHPK3PXP"
    }'

# Export all tokens to a local backup file
curl -X GET https://api.xabcstack.com/x-totp/export \
  -H "Authorization: Bearer $XAPI_KEY" \
  -o totp-backup.json

FAQ

  • Team collaboration? Each XAPI account owns an isolated token vault. Share the sk- key within your secure process or integrate the APIs into your internal permission system for delegated access.
  • Import formats? Standard otpauth:// URIs or JSON objects containing name/secret fields import directly without transformation.
  • Secret protection? The service stores only encrypted secrets; exported files retain the encrypted payload so you can archive them in password managers or secure vaults.
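
The otpauth:// parsing and the six-digit code with remaining seconds described above can be checked locally before a secret is sent to the vault. The following is an added example, not XAPI's own code: it validates an otpauth://totp/ URI, computes the RFC 6238 code, and builds a name/secret body like the one in the curl example. The function names, the sample URI and the "Issuer (account)" naming are assumptions.

```python
import base64, hashlib, hmac, struct, time
from urllib.parse import urlparse, parse_qs, unquote

HASHES = {"SHA1": hashlib.sha1, "SHA256": hashlib.sha256, "SHA512": hashlib.sha512}

def _b32(secret):
    """Decode an unpadded Base32 secret; raises ValueError on bad input."""
    return base64.b32decode(secret + "=" * (-len(secret) % 8))

def parse_otpauth(uri):
    """Parse an otpauth://totp/ URI into the fields a token entry needs."""
    u = urlparse(uri)
    if u.scheme != "otpauth" or u.netloc != "totp":
        raise ValueError("not an otpauth://totp/ URI")
    q = {k: v[0] for k, v in parse_qs(u.query).items()}
    issuer, _, account = unquote(u.path.lstrip("/")).rpartition(":")
    secret = q.get("secret", "").replace(" ", "").upper()
    algorithm = q.get("algorithm", "SHA1").upper()
    digits, period = int(q.get("digits", 6)), int(q.get("period", 30))
    if not secret or algorithm not in HASHES or digits not in (6, 7, 8) or period <= 0:
        raise ValueError("missing or unsupported otpauth parameter")
    _b32(secret)  # reject a malformed secret before it is sent anywhere
    return {"issuer": q.get("issuer") or issuer, "account": account.strip(),
            "secret": secret, "algorithm": algorithm, "digits": digits, "period": period}

def totp(secret, now=None, digits=6, period=30, algorithm="SHA1"):
    """Return (code, seconds_remaining) as defined by RFC 6238 / RFC 4226."""
    now = int(time.time() if now is None else now)
    counter = struct.pack(">Q", now // period)  # 8-byte big-endian time step
    mac = hmac.new(_b32(secret), counter, HASHES[algorithm]).digest()
    offset = mac[-1] & 0x0F  # dynamic truncation: low nibble of the last byte
    value = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(value % 10 ** digits).zfill(digits), period - now % period

def vault_payload(uri):
    """Build a name/secret body like the one in the page's POST /x-totp example."""
    t = parse_otpauth(uri)
    # Assumption: "Issuer (account)" naming, mirroring the page's sample name.
    name = f'{t["issuer"]} ({t["account"]})' if t["issuer"] else t["account"]
    return {"name": name, "secret": t["secret"]}

if __name__ == "__main__":
    # Constructed sample URI; the secret is the demo value from the page's curl example.
    uri = "otpauth://totp/GitHub:team-bot?secret=JBSWY3DPEHPK3PXP&issuer=GitHub"
    print(vault_payload(uri))
    print(totp(parse_otpauth(uri)["secret"]))
```

Comparing the locally computed code with the one shown on the token card is a quick way to confirm that an import preserved the secret and that the local clock is in sync.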