diff --git a/library.c b/library.c
index c7d76437..d3964fd4 100644
--- a/library.c
+++ b/library.c
@@ -639,6 +639,7 @@ static int set_hotp_mode(struct openconnect_info *vpninfo,
 	}
 
 	if (strncasecmp(token_str, "base32:", strlen("base32:")) == 0) {
+		vpninfo->hotp_secret_format = HOTP_SECRET_BASE32;
 		ret = oath_base32_decode(token_str + strlen("base32:"),
 					 toklen - strlen("base32:"),
 					 &vpninfo->oath_secret,
@@ -646,11 +647,13 @@ static int set_hotp_mode(struct openconnect_info *vpninfo,
 		if (ret != OATH_OK)
 			return -EINVAL;
 	} else if (strncmp(token_str, "0x", 2) == 0) {
+		vpninfo->hotp_secret_format = HOTP_SECRET_HEX;
 		vpninfo->oath_secret_len = (toklen - 2) / 2;
 		vpninfo->oath_secret = parse_hex(token_str + 2, toklen - 2);
 		if (!vpninfo->oath_secret)
 			return -EINVAL;
 	} else {
+		vpninfo->hotp_secret_format = HOTP_SECRET_RAW;
 		vpninfo->oath_secret = strdup(token_str);
 		vpninfo->oath_secret_len = toklen;
 	}
diff --git a/openconnect-internal.h b/openconnect-internal.h
index 8881d731..02377c56 100644
--- a/openconnect-internal.h
+++ b/openconnect-internal.h
@@ -268,6 +268,12 @@ struct openconnect_info {
 #ifdef HAVE_LIBOATH
 	char *oath_secret;
 	size_t oath_secret_len;
+	enum {
+		HOTP_SECRET_BASE32 = 1,
+		HOTP_SECRET_RAW,
+		HOTP_SECRET_HEX,
+		HOTP_SECRET_PSKC,
+	} hotp_secret_format; /* We need to give it back in the same form */
 #endif
 
 	OPENCONNECT_X509 *peer_cert;