---
title: digest.time_hmac_sha1
summary: null
url: >-
  https://www.fastly.com/documentation/reference/vcl/functions/cryptographic/digest-time-hmac-sha1
---

```
STRING digest.time_hmac_sha1(STRING key, INTEGER interval, INTEGER offset)
```

**Available in:** all subroutines

Returns a time-based, one-time password.
The password is a SHA-1 hash based upon the current time.
The `key` parameter is a Base64-encoded key.
The `interval` parameter specifies the lifetime of the token in seconds
and must be non-negative.
The `offset` parameter, also in seconds, provides a means for mitigating clock skew.

Base64 decoding behaves as if by a call to
`digest.base64_decode()`.
See that function for handling invalid characters and the behavior of padding.
Unlike `digest.base64_decode()`, the decoded output is used directly
(rather than constructing a VCL STRING type), and so binary content
is permitted, including possible _NUL_ bytes.

## Example

```vcl
set req.http.X-OTP-CurBucket = digest.time_hmac_sha1(
  digest.base64("secret"), 60, 0);
set req.http.X-OTP-PrevBucket = digest.time_hmac_sha1(
  digest.base64("secret"), 60, -1);
set req.http.X-OTP-NextBucket = digest.time_hmac_sha1(
  digest.base64("secret"), 60, 1);
```