Shared TOTP vault

Shared TOTP, the way it should have been built.

Encrypted seeds. Server-side codes. Per-token permissions. Your team gets the 6-digit code without ever touching the secret.

How it works

The seed never leaves the server.

  1. Add the seed once.

     Paste the secret or scan the QR. We encrypt it with AES-256-GCM using a per-seed data key; that data key is wrapped by an org master key, which is in turn wrapped by a platform key. The seed is never written to disk in plaintext.

  2. Generate codes server-side.

     When a teammate requests the current code, our server decrypts the seed in memory, computes the TOTP, and returns just the 6 digits. The browser never sees the seed.

  3. Permission per token.

     Choose who can see the code, who can see the full seed (rare, mostly for emergency rotation), and who can't see it at all.

  4. Audit every view.

     Every code generation is logged with user, IP, user-agent, and timestamp. Exportable to CSV, JSON, or your SIEM.

Vault · token detail (live)

AWS · root        583 021

Period: 30 sec
Digits: 6
Algorithm: SHA-1
Permission: code only
Granted to: engineering-prod (code only), incident-response (full seed)
Capabilities

Everything we ship in TOTP.

Code & seed handling
  • AES-256-GCM at rest, master key in env / KMS only
  • Server-side TOTP generation; seeds never sent to client
  • Live countdown ring synced to the seed period
  • One-tap copy with auto-clearing clipboard
Organization
  • Folders and projects for visual organization
  • Tags and instant search
  • 1,200+ branded icons auto-resolved
  • Custom icons via S3 upload for internal services
Permissions
  • Group-based access; users can be in multiple groups
  • Per-token: code only, or full seed (admin-tier)
  • Time-bound access for contractors
  • MFA step-up for sensitive seed views
Lifecycle
  • Rotate without losing history; old seed retained 30 days
  • Soft-delete with 14-day restore window
  • Bulk import from Authy, 1Password, Google Authenticator
Anti-patterns we refuse to ship

The seed never syncs to your browser.

Other tools sync seeds to clients so codes keep working when their server is down. We think that tradeoff is wrong: every device with a synced seed is a device that can leak it.

Offline access for flights or unreliable connectivity is on the mobile app roadmap (planned for the Q3 2026 alpha). The design: an encrypted, biometrically locked seed cache scoped to only the tokens you're allowed to see, with revocation enforced on the next online check. Today, codes are fetched live from the web dashboard or API.

Use it from anywhere

Web today. API for everything else. Mobile next.

The web dashboard handles setup and day-to-day use. The REST API is the integration surface for CI, CLI scripts, and bots. Native mobile apps are on the roadmap (Q3 2026 alpha).

bash
$ curl https://api.kaito.io/v1/tokens/aws-prod/code \
    -H "Authorization: Bearer kto_live_••••••••"

# → { "code": "583021", "expires_in": 14 }

Ready to take the screenshots out of Slack?