The latest articles on Forem by Kumar Sahil (@krsahil8825). https://forem.com/krsahil8825 https://media2.dev.to/dynamic/image/width=90,height=90,fit=cover,gravity=auto,format=auto/https:%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Fuser%2Fprofile_image%2F3807782%2F43958f18-65b1-4231-8543-6415b05c5b70.jpg https://forem.com/krsahil8825 en Kumar Sahil Wed, 06 May 2026 11:25:19 +0000 https://forem.com/krsahil8825/adding-totp-based-2fa-to-django-rest-framework-with-django-totp-4ga7 https://forem.com/krsahil8825/adding-totp-based-2fa-to-django-rest-framework-with-django-totp-4ga7 <p>Two-factor authentication (2FA) is becoming a standard requirement for modern applications, especially for APIs that use JWT authentication or separate frontend/backend architectures.</p> <p>While working on Django REST Framework projects, I wanted a lightweight and API-focused way to add TOTP authentication without depending heavily on template-based flows or admin integrations.</p> <p>So I built <code>django-totp</code>.</p> <p>It is a reusable Django package that provides:</p> <ul> <li>TOTP enrollment</li> <li>QR generation</li> <li>backup recovery codes</li> <li>encrypted secret storage</li> <li>DRF endpoints</li> <li>helper utilities for multi-step authentication flows</li> </ul> <p>PyPI: django-totp</p> <h2> Requirements </h2> <ul> <li>Python 3.12+</li> <li>Django 5.0+</li> <li>Django REST Framework 3.15+</li> </ul> <h2> Installation </h2> <p>Install the package from PyPI:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code>pip <span class="nb">install </span>django-totp </code></pre> </div> <p>Add the apps to your Django settings:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight python"><code><span class="n">INSTALLED_APPS</span> <span class="o">=</span> <span class="p">[</span> <span class="c1"># Django apps... </span> <span class="sh">"</span><span class="s">rest_framework</span><span class="sh">"</span><span class="p">,</span> <span class="sh">"</span><span class="s">django_totp</span><span class="sh">"</span><span class="p">,</span> <span class="p">]</span> </code></pre> </div> <h2> Configure the Encryption Key </h2> <p>TOTP secrets and backup codes are stored using Fernet encryption.</p> <h3> Generate a key once </h3> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code>python <span class="nt">-c</span> <span class="s2">"from cryptography.fernet import Fernet; print(Fernet.generate_key().decode())"</span> </code></pre> </div> <h3> Add it to your environment </h3> <div class="highlight js-code-highlight"> <pre class="highlight plaintext"><code>TOTP_ENCRYPTION_KEY=your-generated-key </code></pre> </div> <h3> Load it in Django settings </h3> <div class="highlight js-code-highlight"> <pre class="highlight python"><code><span class="kn">import</span> <span class="n">os</span> <span class="n">TOTP_ENCRYPTION_KEY</span> <span class="o">=</span> <span class="n">os</span><span class="p">.</span><span class="n">environ</span><span class="p">[</span><span class="sh">"</span><span class="s">TOTP_ENCRYPTION_KEY</span><span class="sh">"</span><span class="p">]</span> </code></pre> </div> <h3> Include the URLs </h3> <div class="highlight js-code-highlight"> <pre class="highlight python"><code><span class="kn">from</span> <span class="n">django.urls</span> <span class="kn">import</span> <span class="n">include</span><span class="p">,</span> <span class="n">path</span> <span class="n">urlpatterns</span> <span class="o">=</span> <span class="p">[</span> <span class="nf">path</span><span class="p">(</span><span class="sh">"</span><span class="s">api/</span><span class="sh">"</span><span class="p">,</span> <span class="nf">include</span><span class="p">(</span><span class="sh">"</span><span class="s">django_totp.urls</span><span class="sh">"</span><span class="p">)),</span> <span class="p">]</span> </code></pre> </div> <h3> Run migrations: </h3> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code>python manage.py migrate </code></pre> </div> <h2> Available Endpoints </h2> <p>The package provides endpoints for the full enrollment lifecycle.</p> <h3> Create Enrollment </h3> <div class="highlight js-code-highlight"> <pre class="highlight http"><code><span class="err">POST /api/totp/create/ </span></code></pre> </div> <p>Creates a TOTP secret and returns an SVG QR code.</p> <p>Example response:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight json"><code><span class="p">{</span><span class="w"> </span><span class="nl">"svg"</span><span class="p">:</span><span class="w"> </span><span class="s2">"&lt;svg ...&gt;...&lt;/svg&gt;"</span><span class="w"> </span><span class="p">}</span><span class="w"> </span></code></pre> </div> <h3> Confirm Enrollment </h3> <div class="highlight js-code-highlight"> <pre class="highlight http"><code><span class="err">POST /api/totp/confirm/ </span></code></pre> </div> <p>Request:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight json"><code><span class="p">{</span><span class="w"> </span><span class="nl">"input_code"</span><span class="p">:</span><span class="w"> </span><span class="s2">"123456"</span><span class="w"> </span><span class="p">}</span><span class="w"> </span></code></pre> </div> <p>Successful confirmation returns backup recovery codes.</p> <h3> Disable TOTP </h3> <div class="highlight js-code-highlight"> <pre class="highlight http"><code><span class="err">POST /api/totp/disable/ </span></code></pre> </div> <p>Disables TOTP and removes backup codes.</p> <h3> Rotate Backup Codes </h3> <div class="highlight js-code-highlight"> <pre class="highlight http"><code><span class="err">POST /api/totp/rotate_backup_codes/ </span></code></pre> </div> <p>Generates a new backup code set.</p> <h2> Example Login Flow </h2> <p>A common authentication flow looks like this:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight plaintext"><code>1. Validate username/password 2. Check whether the user has TOTP enabled 3. Issue a temporary challenge token 4. Ask for TOTP or backup code 5. Verify the code 6. Issue final JWT/session </code></pre> </div> <p>The package includes helper utilities for this flow.</p> <p>Example:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight python"><code><span class="kn">from</span> <span class="n">django_totp.auth</span> <span class="kn">import</span> <span class="p">(</span> <span class="n">generate_challenge_token</span><span class="p">,</span> <span class="n">is_totp_enabled</span><span class="p">,</span> <span class="p">)</span> <span class="kn">from</span> <span class="n">django_totp.totp</span> <span class="kn">import</span> <span class="n">verify_totp_code</span> </code></pre> </div> <h2> Other Utilities </h2> <p>Useful helpers you can import directly:</p> <ul> <li>django_totp.auth <ul> <li>is_totp_enabled(user)</li> <li>generate_challenge_token(user)</li> <li>verify_challenge_token(token)</li> <li>get_user_from_challenge_token(token)</li> </ul> </li> <li>django_totp.totp <ul> <li>generate_totp_secret()</li> <li>verify_totp_code(user, input_code)</li> <li>create_totp_setup(user)</li> <li>confirm_totp_setup(user, input_code)</li> <li>disable_totp(user)</li> </ul> </li> <li>django_totp.backup_code_utils <ul> <li>store_backup_codes(user, codes)</li> <li>verify_backup_code(user, input_code)</li> <li>rotate_backup_codes(user)</li> </ul> </li> <li>django_totp.encryption <ul> <li>generate_fernet_key()</li> <li>resolve_fernet_key(default=None)</li> <li>encrypt(value)</li> <li>decrypt(value)</li> </ul> </li> </ul> <h2> Features </h2> <p>The package currently includes:</p> <ul> <li>Encrypted TOTP secret storage</li> <li>QR generation for authenticator apps</li> <li>Backup code generation and rotation</li> <li>One-time-use backup code validation</li> <li>DRF integration</li> <li>Configurable issuer name</li> <li>Endpoint throttling support</li> <li>Signed temporary challenge tokens</li> </ul> <h2> Why I Built It </h2> <p>Many existing Django 2FA solutions are designed primarily for server-rendered applications.</p> <p>I wanted something focused more on:</p> <ul> <li>DRF APIs</li> <li>JWT authentication flows</li> <li>SPA/mobile frontends</li> <li>reusable API endpoints</li> </ul> <p>The goal was to keep the package relatively lightweight while still covering common 2FA requirements.</p> <h2> Project Links </h2> <ul> <li>PyPI: <a href="https://pypi.org/project/django-totp/" rel="noopener noreferrer">https://pypi.org/project/django-totp/</a> </li> <li>GitHub: <a href="https://github.com/krsahil8825/django-totp" rel="noopener noreferrer">https://github.com/krsahil8825/django-totp</a> </li> </ul> <p>Feedback, issues, and contributions are welcome.</p> webdev django python opensource