Dorod-Sky/docs/running-tasks/totp-verification-code.mdx

---
title: Time-based One-time Passowrd
description: 'How Skyvern gets the one time password from you?'
---

Skyvern supports one-time password by fetching it from your endpoint. You can pass `totp_verification_url` when creating a task. Inside this endpoint hosted by you, you have to conform to the following schema:

## Set Up Your Time-based One-time Password (TOTP) Endpoint
For websites that requires a verification code (see https://www.twilio.com/docs/glossary/totp for more information) to complete a task, you have to set up a TOTP endpoint for Skyvern to fetch the verification code.

Here's the TOTP endpoint contract you should use:

Request (POST):
| Parameter | Type | Required? | Sample Value | Description |
| --- | --- | --- | --- | --- |
| task_id | String | yes | tsk_123 | The task ID that needs the verification to be done |

Response:
| Parameter | Type | Required? | Sample Value | Description |
| task_id | String | yes | tsk_123 | The task ID that needs the verification to be done |
| verification_code | String | no | 123456 | The verification code |

## Validate The Sender of The Request
Same as the webhook API, your server needs to make sure it’s Skyvern that’s making the request.

- a python example for how to generate and validate the signature:

```python
def validate_skyvern_request_headers(request: Request) -> bool:
		header_skyvern_signature = request.headers["x-skyvern-signature"]
		payload = request.body() # this is a bytes
		hash_obj = hmac.new(SKYVERN_API_KEY.encode("utf-8"), msg=payload, digestmod=hashlib.sha256)
    client_generated_signature = hash_obj.hexdigest()
		return header_skyvern_signature == client_generated_signature
```

SKYVERN_API_KEY: this is the [api key](/running-tasks/introduction) specific to your organization