Copy Key button on otp/time-based/set copies full otpauth URI instead of the secret
On the
otp/time-based/set screen during 2FA setup, clicking the copy action copies the entire otpauth://… URI rather than just the TOTP secret. Is this intentional or a bug?
7 Replies
Hi @gloammer, I'm an AI assistant for ZITADEL. While a team member reviews this question, I'll see if I can find relevant sources for your question.
Answer
I wasn't able to find a direct answer, here are some relevant sources:
1. Add One-Time Password (OTP) :
Shows that the API response includes both the full otpauth URI and the secret separately, but does not specify UI behavior for the copy action. 2. Start the registration of a TOTP generator for a user :
Also documents both the otpauth URI and the secret in the API response, but does not clarify what the copy button should copy in the interface. Feel free to tag @Ask Inkeep with additional questions. Got it. Tagging @Rajat for additional help.
Shows that the API response includes both the full otpauth URI and the secret separately, but does not specify UI behavior for the copy action. 2. Start the registration of a TOTP generator for a user :
Also documents both the otpauth URI and the secret in the API response, but does not clarify what the copy button should copy in the interface. Feel free to tag @Ask Inkeep with additional questions. Got it. Tagging @Rajat for additional help.
I think this is a bug — it seems more appropriate to copy only the secret code
@Rajat , do we actually need to display the URI link? I can open a PR that shows the secret code instead and fixes the copy action accordingly
ok I looked more, it may be useful if you are building your own UI
so when you are using API to start a otp flow, I think it matters
Yes, but it doesn’t seem useful to show the URI in the UI as-is. The QR code already comes from that URL, while displaying (and allowing users to copy) only the secret code makes sense
yes, not for the UI, but for the API, pls go ahead and open an issue. 🙂