Is the secret key inside the otpauth URL?

Yes. The URL usually includes the TOTP secret plus supporting metadata like issuer, period, digits, and algorithm.

Can I paste an otpauth URL directly into Swift2FA?

That is the idea. A compatible generator can parse the URL and preserve the TOTP settings instead of asking you to copy fields one by one.

What Is an otpauth URL? Format, Fields, and How It Powers QR-Based 2FA Setup

The short answer

An `otpauth://` URL is a standardized way to describe an authenticator account setup. Instead of showing the raw secret and settings to the user, services usually encode that URL inside a QR code.

When an authenticator app scans the QR code, it reads the URL, extracts the secret key, issuer, label, and TOTP settings, then stores that account locally.

What fields it usually contains

A typical `otpauth://totp/...` URL contains a `secret` parameter plus metadata like `issuer`, `digits`, `period`, and `algorithm`. The label often identifies the service or account email.

Most consumer services still use the defaults of SHA1, 6 digits, and a 30-second period, but the URL can encode non-default values too.

Why it matters for compatibility

If a tool only reads the secret but ignores the rest of the URL, it can generate the wrong code for services using custom settings. That is why a good decoder preserves the whole TOTP configuration, not just the Base32 key.

This is also why QR decoding can be safer than manual typing: fewer transcription errors, and a better chance of keeping the full setup intact.

How to use it in practice

If you have an `otpauth://` URL, you can usually paste it directly into a compatible generator or authenticator app. If you only have the QR image, decode the QR locally to reveal the URL and inspect its fields.

That makes the URL a useful debugging tool when codes do not match or when you want to migrate an account between authenticator apps.