
Two Factor Authentication (2FA) Detect Timestep from TOTP Token/Passcode


Is it possible to detect the timestep length of a TOTP token/passcode (e.g. 30 seconds vs 60 seconds) when validating that token against the secret key? In other words, is the step time programmed into the token?

I'm trying to validate a TOTP token using speakeasy, but my tokens have 60 second time steps vs the default 30 second time steps that the validator expects. So the tokens don't validate unless I specify that the time step is 60 seconds. When turning this into a REST API, would I need to require the timestep of the token in question as part of the request?


Solution

  • The token doesn't have the time step programmed into it, no. If you are going to create tokens that have 60 second time steps, then your validation service should always use 60 second time steps too.
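
The point made in the answer, as an added example that is not part of the original post and is not speakeasy's code: a minimal RFC 6238 TOTP built on Node's `crypto` module, showing that the step only selects the HMAC counter and therefore has to come from server-side enrollment data rather than from the token or the request. The `enrollments` store, the `alice` user and the `verify` function are hypothetical; the secret is the RFC 4226/6238 test-vector secret.

```javascript
const crypto = require('crypto');

// HOTP (RFC 4226): HMAC-SHA1 over an 8-byte big-endian counter,
// followed by dynamic truncation to a decimal code.
function hotp(secret, counter, digits = 6) {
  const msg = Buffer.alloc(8);
  msg.writeBigUInt64BE(BigInt(counter));
  const mac = crypto.createHmac('sha1', secret).update(msg).digest();
  const off = mac[mac.length - 1] & 0x0f;
  const bin = mac.readUInt32BE(off) & 0x7fffffff;
  return String(bin % 10 ** digits).padStart(digits, '0');
}

// TOTP (RFC 6238): the step is used only to derive the counter.
// Nothing about the step survives in the resulting digits.
function totp(secret, unixTime, step, digits = 6) {
  return hotp(secret, Math.floor(unixTime / step), digits);
}

// Hypothetical enrollment store: the step is fixed per secret at
// provisioning time and kept next to it on the server.
const enrollments = new Map([
  ['alice', { secret: Buffer.from('12345678901234567890'), step: 60, digits: 6 }],
]);

// The REST handler would pass only the user id and the submitted token.
// The step is looked up, never taken from the request.
function verify(userId, token, unixTime = Math.floor(Date.now() / 1000)) {
  const e = enrollments.get(userId);
  if (!e || typeof token !== 'string') return false;
  const expected = Buffer.from(totp(e.secret, unixTime, e.step, e.digits));
  const given = Buffer.from(token);
  // Constant-time comparison of equal-length codes.
  return given.length === expected.length && crypto.timingSafeEqual(given, expected);
}
```

At Unix time 59 the 60-second step gives counter 0 and the 30-second step gives counter 1, so the same secret produces two different codes, and a validator configured with the wrong step rejects an otherwise valid token.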