README

A PHP library for generating and verifying Time-Based One-Time Passwords (TOTP). Compatible with Google Authenticator and similar apps, with features like secret generation, QR code creation, and OTP verification.

Purpose & Intention

With the increasing demand for security, more and more websites and applications are adopting two-factor authentication (2FA) to protect user accounts. Google Authenticator is one of the most common 2FA applications, using time-based one-time passwords (TOTP) to ensure security.

During the implementation of Google Authenticator, I found that many PHP libraries on the market are feature-rich but relatively complex. These libraries not only support TOTP authentication but often include additional functionalities such as user management and complicated configuration options. For many developers, these features can be too large, and often, we only need to accomplish a few simple tasks:

• Generate a TOTP secret;
• Generate a QR code for the user to scan;
• Verify the code entered by the user.

Therefore, I created the hejunjie/google-authenticator library to provide a lightweight and simple solution. If you just need to quickly implement these basic Google Authenticator features, this library should be a great fit for you.

Installation

Install via Composer:

composer require hejunjie/google-authenticator

Usage Instructions

1. Generate a key for the user

Generate a secret for the user, which will be required during verification, so it needs to be saved for the user.

use Hejunjie\GoogleAuthenticator\GoogleAuthenticator;

$secret = GoogleAuthenticator::generateSecret();

// Output secret (var_dump)
// string(26) "3PVPN3ASEIM457VR5VNUONDQB4"

2. Generate a QR code from the key

Used for Google Authenticator QR code scanning

use Hejunjie\GoogleAuthenticator\GoogleAuthenticator;

$issuer = 'issuer'; // The displayed name in Google Authenticator is 「issuer: label」
$label = 'label'; // The displayed name in Google Authenticator is 「issuer: label」
$secret = "User's Secret"; // You can use a manually set key or a key generated by GoogleAuthenticator::generateSecret()
$path = '/www/wwwroot/xxxxx.png'; // QR code file storage path (with name)
$width = 300; // [Optional] QR code image width, default is 300
$logo = '/www/wwwroot/xxxxx.png'; // [Optional] Logo file path (if no logo is needed, provide an empty string), default is an empty string
$logo_width = 50; // [Optional] QR code image width (if no logo, this is invalid), default is 50

$getQRCodeFile = GoogleAuthenticator::getQRCodeFile($issuer, $label, $secret, $path, $width, $logo, $logo_width);

// Output Image Path (var_dump)
// string(67) "/www/wwwroot/xxxxx.png"

3. Verify if it's valid

use Hejunjie\GoogleAuthenticator\GoogleAuthenticator;

$secret = "User's Secret";
$code = "Code Entered by the User";

$checkCode = GoogleAuthenticator::checkCode($secret, $code);

// Output Result
// bool(false)

🔧 Additional Toolkits (Can be used independently or installed together)

This project was originally extracted from hejunjie/tools. To install all features in one go, feel free to use the all-in-one package:

composer require hejunjie/tools

Alternatively, feel free to install only the modules you need：

hejunjie/utils - A lightweight and practical PHP utility library that offers a collection of commonly used helper functions for files, strings, arrays, and HTTP requests—designed to streamline development and support everyday PHP projects.

hejunjie/cache - A layered caching system built with the decorator pattern. Supports combining memory, file, local, and remote caches to improve hit rates and simplify cache logic.

hejunjie/china-division - Regularly updated dataset of China's administrative divisions with ID-card address parsing. Distributed via Composer and versioned for use in forms, validation, and address-related features

hejunjie/error-log - An error logging component using the Chain of Responsibility pattern. Supports multiple output channels like local files, remote APIs, and console logs—ideal for flexible and scalable logging strategies.

hejunjie/mobile-locator - A mobile number lookup library based on Chinese carrier rules. Identifies carriers and regions, suitable for registration checks, user profiling, and data archiving.

hejunjie/address-parser - An intelligent address parser that extracts name, phone number, ID number, region, and detailed address from unstructured text—perfect for e-commerce, logistics, and CRM systems.

hejunjie/url-signer - A PHP library for generating URLs with encryption and signature protection—useful for secure resource access and tamper-proof links.

hejunjie/google-authenticator - A PHP library for generating and verifying Time-Based One-Time Passwords (TOTP). Compatible with Google Authenticator and similar apps, with features like secret generation, QR code creation, and OTP verification.

hejunjie/simple-rule-engine - A lightweight and flexible PHP rule engine supporting complex conditions and dynamic rule execution—ideal for business logic evaluation and data validation.

👀 All packages follow the principles of being lightweight and practical — designed to save you time and effort. They can be used individually or combined flexibly. Feel free to ⭐ star the project or open an issue anytime!

This library will continue to be updated with more practical features. Suggestions and feedback are always welcome — I’ll prioritize new functionality based on community input to help improve development efficiency together.