The Mailosaur authenticator is a virtual TOTP (Time-based One-Time Password) generator. It works like Google Authenticator or similar apps, but runs entirely within Mailosaur — no physical phone or app is required.

The authenticator generates standard 6-digit codes on a 30-second time step. It requires a Business plan or above.

Why use the authenticator

The authenticator lets you test MFA (multi-factor authentication) and 2FA (two-factor authentication) flows in your applications. Instead of requiring a tester to manually read a 6-digit code from a phone app, Mailosaur generates the code programmatically.

Two approaches

1. Create a device (long-lived)

Create an authenticator device in the Mailosaur UI, similar to adding an account to Google Authenticator. The device stores the shared secret and generates TOTP codes on demand.

You can set up a device by:

Uploading a QR code image
Entering a key manually (the shared secret)

2. Get a code via the API (one-time)

If you have the shared secret available in your test (for example, from a test setup step), you can call the Mailosaur API directly to get the current 6-digit OTP code. This approach does not require creating a device — you pass the shared secret in the API call and receive the current code.

See Get the current code via API.

Authenticator (TOTP) testing

Why use the authenticator

Two approaches

1. Create a device (long-lived)

2. Get a code via the API (one-time)

Related pages