How to generate otp key for token/init POST method?

Hi all,

I’m new on privacyIDEA and OTP Server. So, I’m trying to create a new token, but I got on error on that:
"error": {"message": "ERR905: Missing parameter: 'otpkey'", "code": 905}}

So, I’d like to know how could I generate an OTP Key to send in the POST method of /token/init

here is my Java Code:

WebClient tokenClient = WebClient.create("");
// [...]
Base32 b32 = new Base32();
Hex h = new Hex();

byte[] secretBytes = b32.decode(<what should I put here??>);
String hexSecret = new String(h.encode(secretBytes));

JSONObject tokeninit = new JSONObject();
tokeninit.put("otpkey", hexSecret);
tokeninit.put("type", "HOTP");
tokeninit.put("pin", "1234");
tokeninit.put("user", "vagrant");
tokeninit.put("realm", "defrealm");

tokenClient.header("Authorization", token);
response =;
// [...]

Please help me to understand how to generate that and how otpkey works!

Best regards,

Celso Agra

Hello Celso,

starting with the API? Taking the steep curve?

Read this, this and this

otpkey depends on the token type you are enrolling.
In certain cases it makes sense to use genkey.

Also do not foget the PI-Authorization header.

Kind regards

I do not speak java, but it looks like you are not passing your parameters to the POST call.

Thanks @cornelinux!

I’m testing some features about OTP Server… the idea is consume part of REST API, such as create user, authenticate, create a token, validate it, …

It seems I just need the otpkey, when I looked in the token-init method. but I think there is more to params to do a request.

I’m using junit (java) and considering pass a JSON like this:
“otpkey” : “hexSecret”,
“type” : “HOTP”,
“pin” : “1234”,
“user” : “vagrant",
“realm” : “defrealm”

Also, I’m passing the Authorization header (I got token using /auth method)

should I need more params for token/init?

Also, I could notice that when I try to enroll a token, the same error happena:

But, If I check “generate OTP Key on the Server”, everything works fine
I’m using the version 2.19.1

You are right - would you mind opening an issue at github (if you have a github account)

I can not reproduce getting an error when providing these parameters:

However, I can reproduce an error from within the UI, since the error arises from when the request contains a parameter genkey=0 or genkey=false.


Thanks @cornelinux

Here is the issue on github

moreover, here is the whole java code:
public void testPrivacyIdea() {
WebClient client = WebClient.create(“”);

    JSONObject jsonObject = new JSONObject();
    jsonObject.put("username", "admin");
    jsonObject.put("password", "admin");
    Response response =;

    String responseObject = response.readEntity(String.class);
    JSONObject object = new JSONObject(responseObject);
    JSONObject value = (JSONObject) ((JSONObject) object.get("result")).get("value");
    String token = value.get("token").toString();


    WebClient tokenClient = WebClient.create("");
    disabledCN(tokenClient); // avoid the ssl problems

    JSONObject tokeninit = new JSONObject();
    tokeninit.put("otpkey", "d6f66965821434f2027e0ea4f597890f7d5c8067");
    tokeninit.put("genkey", 0);
    tokeninit.put("serial", "NEW001");
    tokeninit.put("description", "unit test");
    tokeninit.put("type", "HOTP");
    tokeninit.put("otplen", 6);
    tokeninit.put("hashlib", "sha1");
    tokeninit.put("keysize", 20);
    tokeninit.put("pin", "1234");
    tokeninit.put("user", "vagrant");
    tokeninit.put("realm", "defrealm");

    tokenClient.header("Authorization", token);
    response =;

    responseObject = response.readEntity(String.class);

I’m using junit to do this tests, and my resul is:
{“jsonrpc”: “2.0”, “signature”: “17888367902524921686356549237956269687957184806742938861125116236994889089378982028605413202969214134566646994158950292353311398338[…]22601218074269702982791095780649691151303871270510567656002953423982025186225313605147”, “detail”: null, “version”: “privacyIDEA 2.19.1”, “result”: {“status”: false, “error”: {“message”: “ERR905: Missing parameter: ‘otpkey’”, “code”: 905}}, “time”: 1506595308.442671, “id”: 1}

I reduce token and signature a litle bit!

It will be fixed by issue #793

Thanks again @cornelinux