The following snippet returns the 6-digit code:

    package require base32
    ns_totp -digest sha1 -digits 6 -key [base32::decode $secret]

The secret provided via the otpauth URL (typically the content of the QR code) is usually encoded in base32, for which we have no native decoder in NaviServer. I have just now tested this with a fresh security token and compared it with the authenticator app; the values are identical.
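
As an added example (not part of the original post and not NaviServer's own code), the sketch below takes the secret straight from an otpauth URL and prepares the arguments for the `ns_totp` call shown above. The proc name `otpauth_params` and the sample URL are hypothetical; it assumes the URL may carry the secret in lower case, with separators, or without `=` padding, and it reads only the `secret`, `algorithm` and `digits` parameters.

```tcl
package require base32

# Extract secret, algorithm and digits from an otpauth://totp/ URL and
# return a dict ready for ns_totp. Defaults (SHA1, 6 digits) are assumed
# when the URL omits these parameters.
proc otpauth_params {url} {
    if {![regexp {^otpauth://totp/[^?]*\?(.+)$} $url -> query]} {
        error "not an otpauth TOTP URL"
    }
    set p [dict create secret "" algorithm SHA1 digits 6]
    foreach pair [split $query &] {
        if {[regexp {^([^=]+)=(.*)$} $pair -> name value]} {
            dict set p [string tolower $name] $value
        }
    }
    # Normalise the base32 text: drop URL-encoded or literal padding and
    # separators, upper-case it, then pad to a multiple of 8 characters.
    set s [string map {%3D "" %3d "" = "" %20 "" + "" " " "" - ""} \
               [dict get $p secret]]
    set s [string toupper $s]
    if {![regexp {^[A-Z2-7]+$} $s]} {
        error "secret is not valid base32"
    }
    append s [string repeat = [expr {(8 - [string length $s] % 8) % 8}]]

    # Map the otpauth algorithm name to a digest name for ns_totp.
    set digests {SHA1 sha1 SHA256 sha256 SHA512 sha512}
    set alg [string toupper [dict get $p algorithm]]
    if {![dict exists $digests $alg]} {
        error "unsupported algorithm '$alg'"
    }
    set digits [dict get $p digits]
    if {![string is integer -strict $digits] || $digits < 6 || $digits > 8} {
        error "unsupported digit count '$digits'"
    }
    return [dict create key [base32::decode $s] \
                digest [dict get $digests $alg] digits $digits]
}

# Constructed sample URL (not a real account secret).
set url "otpauth://totp/Example:alice?secret=jbswy3dpehpk3pxp&issuer=Example"
set p [otpauth_params $url]
# The decoded key is the shared secret: keep it out of logs and error pages.
set code [ns_totp -digest [dict get $p digest] \
              -digits [dict get $p digits] -key [dict get $p key]]
```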