ShareOTP
Sign inStart for free

Security

Security that protects shared TOTP access.

ShareOTP is built to keep TOTP secrets encrypted and ensure only approved teammates can view time-based codes. Admins control access, audit activity, and retention from a single workspace.

Last updated: February 1, 2026

Encrypted secrets

TOTP seeds are encrypted at rest with AES-256-GCM, and encryption keys are stored outside the database.

Role-based access

Admins manage accounts and permissions while members only see the codes they are explicitly granted.

Audit-ready activity

Every sensitive action is recorded with time, actor, and request context for review.

Secret handling

ShareOTP keeps secrets protected while still enabling fast code access for approved teammates.

  • Secrets are encrypted at rest using AES-256-GCM and never appear in logs.
  • TOTP codes are generated server-side and only time-based codes are returned to authorized users.
  • QR code decoding happens in the browser during import, so QR images are never uploaded.
  • Admin-only secret exports are explicit and audited for accountability.

Access controls

Access is scoped by role and explicit permissions to enforce least privilege.

  • Admins can create accounts, manage permissions, and invite teammates by email.
  • Members only see codes for accounts they are explicitly granted.
  • Invite links expire after 7 days and can be revoked at any time.
  • Permission changes are logged for auditability.

Audit logs and retention

We log sensitive events so teams can review activity and investigate incidents.

  • Logins, code views and copies, account changes, and access grants are recorded.
  • Logs include actor, timestamp, and request context such as IP address and user agent.
  • Retention varies by plan, and older logs are automatically deleted.
  • Admins can review audit history directly from the Admin menu.

Application safeguards

ShareOTP includes multiple layers of protection against common web threats.

  • CSRF protection and same-origin checks protect state-changing requests.
  • Login attempts are rate-limited to reduce brute-force risk.
  • Email verification is required before new workspaces become active.

Your controls

You stay in control of your workspace with tools to respond quickly to change.

  • Revoke access instantly by removing permissions or deleting accounts.
  • Rotate or replace secrets whenever providers require it.
  • Export secrets as an admin for backup or recovery with an audit trail.

Questions or security concerns?

Reach our team at [email protected] for help with security reviews or incident response.