Using 2FA in Front-End and API Scans

If your application login requires a TOTP code, Aikido can log in during scans as long as you provide the otpauth URL for that 2FA token.

This allows Aikido to generate the same 6 digit codes your authenticator app would.

What is an otpauth URL

An otpauth URL contains the TOTP secret and configuration needed to produce time based codes.

It looks like this:

otpauth://totp/MyApp:[email protected]?secret=JBSWY3DPEHPK3PXP&issuer=MyApp

How to get your otpauth URL

You can get the URL in one of these ways:

1. From the 2FA setup screen

Look for:

• Show secret

• Manual setup

• Enter key instead

Some providers show the otpauth URL directly. Others show only the Base32 secret.

If you only have the Base32 secret, you can build the URL yourself:

2. By scanning the QR code

If the setup shows a QR code:

• Use any QR reader that reveals the text content

• The scanned result will be the full otpauth URL

3. From your IdP or admin panel

Some IdPs expose the TOTP seed for service accounts.

Look for fields like:

• OTP URI

• TOTP configuration

• MFA seed

If your login uses SMS, push notifications, or hardware keys, you will not get an otpauth URL. Those are currently not supported by Aikido.