extract_otp_secrets
Extract_otp_secrets is a Python tool that extracts OTP (one-time password) secrets from QR codes exported by 2FA apps like Google Authenticator. It supports multiple input methods (camera, image files, text files) and exports to JSON, CSV, or console QR codes. The tool is available as a Python script, Docker container, or standalone executable.
Key facts
Objective fields from the source. Values we can't verify are shown as “Unknown” rather than guessed.
| Field | Value |
|---|---|
| Repository | scito/extract_otp_secrets |
| Owner | scito |
| Primary language | Python |
| License | GPL-3.0 — OSI-approved |
| Stars | 1.6k |
| Forks | 157 |
| Open issues | 10 |
| Latest release | v2.13.0 (2026-03-08) |
| Last updated | 2026-06-22 |
| Source | https://github.com/scito/extract_otp_secrets |
What extract_otp_secrets is
GPL-3.0 Python application using protobuf for OTP protocol parsing and QR code libraries for decoding/encoding. Supports Python 3.10–3.14, runs on Linux/macOS/Windows, and includes 83% test coverage. Decodes otpauth:// URIs from QR data and handles TOTP/HOTP secret extraction and re-export.
Get the extract_otp_secrets source
Clone the repository and explore it locally.
git clone https://github.com/scito/extract_otp_secrets.gitcd extract_otp_secrets# follow the project's README for install & configurationNeed it deployed, integrated, or customized instead? DEV.co ships production installs.
Best use cases
Implementation considerations
- GPL-3.0 license requires source disclosure if distributed as part of a proprietary application; consider compliance implications before integration.
- Extracted secrets are stored in plaintext (JSON/CSV) on-disk; implement filesystem encryption and access controls for sensitive environments.
- Camera capture requires system permissions and may not work in headless or restricted environments; text/image file input is more reliable in such contexts.
- Python 3.10+ is required; older environments may need prior version pinning or alternative tooling.
- Executable startup has ~30–60 second delay (PyInstaller unpacking); consider pre-staging or direct Python script execution for performance-critical workflows.
When to avoid it — and what to weigh
- Real-time 2FA Code Generation — This tool only extracts secrets; it does not generate time-based codes. Use a dedicated authenticator app (Google Authenticator, Authy) for generating TOTP codes.
- GUI-only or Non-Technical Users — While executables are provided, setup on macOS requires terminal commands and manual quarantine removal. Less accessible for users without CLI familiarity.
- High-Volume Production Secret Management — Not designed as an identity management or provisioning platform. For enterprise-scale TOTP/HOTP deployment, use dedicated identity platforms (Okta, Auth0).
- Proprietary 2FA Format Support — Handles only standard otpauth:// URIs and Google Authenticator exports. Closed-source or non-standard 2FA apps may not be compatible.
License & commercial use
Licensed under GPL-3.0 (GNU General Public License v3.0). This is a copyleft license requiring any derivative work or integrated distribution to also be GPL-3.0 and provide source code. Purely standalone use or internal-only deployment has no restriction.
GPL-3.0 permits commercial use, but with copyleft obligations: if you modify and distribute the tool (or software incorporating it), you must release modifications under GPL-3.0 and provide source code. Standalone use (e.g., extracting secrets for your own 2FA management) requires no compliance action. Requires legal review if embedding or modifying for commercial products.
DEV.co evaluation signals
Editorial assessment — not user reviews. Directional, with an explicit confidence level.
| Signal | Assessment |
|---|---|
| Maintenance | Active |
| Documentation | Strong |
| License clarity | Clear |
| Deployment complexity | Low |
| DEV.co fit | Good |
| Assessment confidence | High |
Tool handles plaintext OTP secrets; output files (JSON/CSV) contain unencrypted keys and must be protected by filesystem permissions and encryption at rest. No built-in encryption of exported secrets. Camera capture and QR decoding are handled by upstream libraries (security posture of those libraries not evaluated here). Input validation for QR data uses protobuf parsing; malformed input could cause parsing errors (require manual review of input sanitization). Executable distribution via PyInstaller has known false-positive antivirus alerts; consider code review or direct Python script use if security scanning is required.
Alternatives to consider
Authy (Twilio) Export
Authy provides native encrypted backup and export of secrets; no third-party extraction needed if migrating within Twilio ecosystem.
Password Manager Native Support (Bitwarden, 1Password, KeePass plugins)
Many password managers have built-in TOTP entry or plugins; reduces need for separate extraction tool if secrets are already in-manager.
Identity Platforms (Okta, Auth0, Microsoft Entra ID)
For enterprise 2FA provisioning and audit, use dedicated IDaaS platforms with native TOTP/HOTP support and compliance reporting.
Build on extract_otp_secrets with DEV.co software developers
Our team can assist with GPL compliance review, secure secret management workflows, and enterprise 2FA deployment strategies. Contact us for a consultation.
Talk to DEV.coRelated open-source tools
Surfaced by semantic similarity across the DEV.co open-source index.
Related on DEV.co
Explore the category and the services that help you build with it.
extract_otp_secrets FAQ
Can I use this tool to recover lost 2FA codes?
Is the extracted JSON/CSV secure?
Does this work with Microsoft Authenticator or Authy?
Can I use this in a commercial product?
Software developers & web developers for hire
Adopting extract_otp_secrets is usually one piece of a larger software development effort. As a software development agency, DEV.co provides software development services and web development expertise — pairing senior software developers and web developers with your team to design, build, and operate open-source security software in production.
Need Help Integrating OTP Secret Extraction?
Our team can assist with GPL compliance review, secure secret management workflows, and enterprise 2FA deployment strategies. Contact us for a consultation.