Choose a master password and a name for this device. There is no recovery — back up regularly.
This vault hasn't been used in this browser before. Enter the master password to register.
Sync is handled by your transport (cloud folder, Syncthing, Git, QR, or manual export). Rotor merges new device log files automatically on unlock.
Each device that has ever written to this vault appears below. Revoking a device invalidates all its future events.
Cheap: only the wrap-blob in meta changes — no events are re-encrypted.
Export a backup or import TOTPs from another app.
Only the wrap of your vault's master secret changes. No events are re-encrypted. Other devices will need the new password the next time they unlock.
Results live in memory only and are discarded when you close this dialog. Nothing is sent to any external service.
Quick confirmation that you still remember your master password. If you forget it, your vault becomes unrecoverable — this catches it before it's terminal.
Paste otpauth:// URIs, one per line:
Choose a vault stored in this browser.
Show this screen to the receiving device. The sequence loops — the other device can start scanning at any frame.
Rotor is a browser-native TOTP authenticator. One job — rotating 6/8-digit codes (RFC 6238). Your vault is a folder on your disk. Sync is your choice of transport. Nothing leaves the folder except what you explicitly export.
Rotor does one thing. No passwords, no cards, no notes, ever. That is the product thesis. If you want passwords and codes in one place, use Tijori, the sibling app that shares this engine.
TOTP is a second factor. The point of a second factor is to live on a different footing from the first. Combined storage under one master password is convenient, but a breach of that password loses both factors at once. Rotor exists for users who want their second factor to stay strictly separate.
Click Create new vault, pick an empty folder (or name a browser vault on mobile), set a device name and master password.
Click + Add TOTP. Paste an otpauth:// URI to auto-fill everything, or enter the Base32 secret manually with algorithm, digits, and period.
Tap any tile to copy the current code. The ring around each tile counts down to the next rotation. The small number under the code is the next one, so you always know what's coming.
Long-press or right-click a tile to pin. Pinned TOTPs float to the top.
Each device writes only its own log file (rotor-events-<deviceId>.jsonl). Sync is the act of making all devices see all files. Rotor merges them on every unlock — deterministically, regardless of order.
Put the vault folder inside iCloud Drive, Dropbox, Google Drive, etc. Each device running Rotor points at its local copy. The cloud provider syncs files; Rotor merges on unlock.
Point Syncthing at the vault folder across devices. P2P, no cloud vendor.
Commit and push. Each device's log stream is a separate file, so git merge never conflicts on event logs.
On the source device: Settings → Data → Send vault via QR. A sequence of QR codes loops on screen. On the receiving device: Import → QR sequence — point the camera at the screen. All frames are collected automatically; order doesn't matter. Fully offline, no cables.
Use Settings → Data → Export encrypted archive to pack the vault. Import it on another device via Import → Rotor archive.
Open the vault folder from the second browser. Rotor detects the new device, asks for the master password, emits a device_registered event, and merges.
rotor-meta.json — plaintext: KDF params, device roster.
rotor-events-<deviceId>.jsonl — one file per device. Append-only, SHA-256 hash-chained.
{"seq":1,"prev_hash":"genesis","ts":"…","device_id":"…","event_type":"entry_created","payload_ct":"…","nonce":"…"}
Union all events, sort by (ts, device_id), apply in order. Per-field last-writer-wins — each field carries its own timestamp, so two devices editing different fields of the same entry both win their field.
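The merge rule above as a runnable sketch. This is an added example, not Rotor's own code: it works on already-decrypted events, and the payload shape { entry_id, fields }, the "entry_updated" event type and the seq tie-break within one device are assumptions made for illustration.

```javascript
// Added example, not Rotor's code. Events are shown after decryption; the
// payload shape { entry_id, fields } and "entry_updated" are assumptions.

// Total order from the page: (ts, device_id). Same-format ISO-8601 UTC strings
// sort chronologically. The seq tie-break within one device is an assumption.
function compareEvents(a, b) {
  if (a.ts !== b.ts) return a.ts < b.ts ? -1 : 1;
  if (a.device_id !== b.device_id) return a.device_id < b.device_id ? -1 : 1;
  return a.seq - b.seq;
}

// Union every device log, sort, then replay. Each field keeps its own stamp,
// so a write only replaces the fields it names.
function mergeLogs(...deviceLogs) {
  const entries = new Map(); // entry_id -> { field: { value, ts, device_id } }
  for (const ev of deviceLogs.flat().sort(compareEvents)) {
    if (!ev.payload || !ev.payload.fields) continue; // e.g. device_registered
    const { entry_id, fields } = ev.payload;
    const entry = entries.get(entry_id) ?? {};
    for (const [name, value] of Object.entries(fields)) {
      entry[name] = { value, ts: ev.ts, device_id: ev.device_id };
    }
    entries.set(entry_id, entry);
  }
  return entries;
}

// Strip the per-field stamps for display.
function view(entries, entryId) {
  const out = {};
  for (const [name, f] of Object.entries(entries.get(entryId) ?? {})) out[name] = f.value;
  return out;
}

// Constructed sample logs (not real vault data).
const mk = (device_id, seq, ts, event_type, fields) =>
  ({ seq, ts, device_id, event_type, payload: { entry_id: "e1", fields } });
const laptopLog = [
  mk("laptop", 1, "2024-01-01T10:00:00Z", "entry_created",
     { issuer: "Example", label: "alice", pinned: false }),
  mk("laptop", 2, "2024-01-01T10:05:00Z", "entry_updated", { label: "alice@work" }),
];
const phoneLog = [
  mk("phone", 1, "2024-01-01T10:03:00Z", "entry_updated", { pinned: true }),
  mk("phone", 2, "2024-01-01T10:05:00Z", "entry_updated", { label: "alice (phone)" }),
];

console.log(view(mergeLogs(laptopLog, phoneLog), "e1"));
console.log(view(mergeLogs(phoneLog, laptopLog), "e1"));
```

Both calls print the same entry: the phone's pin and the laptop's issuer both survive, and the 10:05 label conflict goes to the phone because its device_id sorts later. The order relies on each device's own ts, so a device whose clock runs ahead wins conflicts it would otherwise lose.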