TOTP Generator

Generate live TOTP / 2FA codes from any Base32 secret or otpauth:// URI. See the countdown, copy the code, compatible with Google Authenticator. Runs entirely in your browser.

What is TOTP?

TOTP (Time-based One-Time Password) is the algorithm behind every 2FA app you've ever used. Defined in RFC 6238, it combines a shared secret key with the current Unix timestamp to produce a short numeric code that changes every 30 seconds. Both your device and the server independently compute the same code — no network communication required during verification.

The secret is encoded in Base32 (Google Authenticator format). When you scan a QR code with your authenticator app, that QR code contains an otpauth:// URI that carries the secret, the issuer name, and the algorithm parameters. This generator computes the same TOTP code your authenticator app would show — useful for testing 2FA flows in development, verifying a secret is correct, or recovering a code when your phone is unavailable.

How TOTP works (RFC 6238)
  1. Compute T = floor(current Unix time / period) — a counter that changes every 30 seconds
  2. Encode T as an 8-byte big-endian integer
  3. Compute HMAC-SHA1 (or SHA-256 / SHA-512) of T using the shared secret as the key
  4. Dynamic truncation: use the last 4 bits of the HMAC output as an offset, take 4 bytes from that offset, mask the top bit
  5. Code = (truncated value mod 10^digits), zero-padded to the required length
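
The five steps above as a short Python function, checked against the RFC 6238 Appendix B test vectors. This is an added example, not the generator's own code (the tool itself uses the Web Crypto API); the names decode_secret, totp, seconds_remaining and SAMPLE_SECRET are chosen for this example.

```python
import base64
import hashlib
import hmac
import struct
import time

HASHES = {"SHA1": hashlib.sha1, "SHA256": hashlib.sha256, "SHA512": hashlib.sha512}

# Constructed sample: the RFC 6238 SHA-1 test key b"12345678901234567890" in Base32.
SAMPLE_SECRET = "GEZD GNBV GY3T QOJQ GEZD GNBV GY3T QOJQ"


def decode_secret(secret: str) -> bytes:
    """Decode a Base32 secret as users paste it: spaces, lowercase, no padding."""
    cleaned = secret.replace(" ", "").upper()
    cleaned += "=" * (-len(cleaned) % 8)  # b32decode needs the '=' padding restored
    return base64.b32decode(cleaned)      # raises binascii.Error on invalid input


def totp(key: bytes, unix_time: float, period: int = 30,
         digits: int = 6, algorithm: str = "SHA1") -> str:
    # Step 1: counter T = floor(unix_time / period)
    counter = int(unix_time // period)
    # Step 2: T as an 8-byte big-endian integer
    message = struct.pack(">Q", counter)
    # Step 3: HMAC of T, keyed with the shared secret
    digest = hmac.new(key, message, HASHES[algorithm]).digest()
    # Step 4: low 4 bits of the last byte pick the offset; take 4 bytes, clear the top bit
    offset = digest[-1] & 0x0F
    value = struct.unpack(">I", digest[offset:offset + 4])[0] & 0x7FFFFFFF
    # Step 5: reduce modulo 10^digits and left-pad with zeros
    return str(value % 10 ** digits).zfill(digits)


def seconds_remaining(unix_time: float, period: int = 30) -> int:
    """Whole seconds until the counter T advances and the code changes."""
    return period - int(unix_time % period)


if __name__ == "__main__":
    now = time.time()
    print(totp(decode_secret(SAMPLE_SECRET), now), seconds_remaining(now), "s left")
```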
Compatibility
App | Algorithm | Digits | Period
Google Authenticator | SHA-1 | 6 | 30s
Authy | SHA-1 | 6 / 7 | 30s
Microsoft Authenticator | SHA-1 | 6 | 30s
1Password | SHA-1 | 6 | 30s
Steam Guard | SHA-1 | 5 | 30s

About the TOTP Generator

TOTP (Time-based One-Time Password) is the standard algorithm (RFC 6238) behind every major 2FA app — Google Authenticator, Authy, Microsoft Authenticator, 1Password, and hundreds more. It combines a shared Base32-encoded secret with the current Unix timestamp to produce a 6-digit code that changes every 30 seconds. Both the server and the client independently compute the same code without any network round-trip, making it both offline-capable and resistant to replay attacks.

This generator accepts a raw Base32 secret or a full otpauth:// URI (the format embedded in QR codes). It live-computes the current TOTP code using the Web Crypto API (HMAC-SHA1, SHA-256, or SHA-512), displays a countdown ring so you can see exactly when the code refreshes, and lets you configure digits (6 or 8) and period (30s, 60s, or custom). The code updates automatically every second — no manual refresh needed.

The primary use case is testing 2FA flows during development: paste your test account's secret, see the live code, and submit it without needing to reach for your phone. It's also useful for verifying that a Base32 secret you extracted from a QR code is correct, for recovering a code when you've lost access to your authenticator app but still have the secret key, and for exploring how the TOTP algorithm works interactively.

Everything runs in your browser — the secret key never leaves your device, no network requests are made during code generation, and the page works completely offline once loaded. The Web Crypto API provides the HMAC implementation, so you get cryptographic-quality output identical to what native authenticator apps produce.

Key Features

  • Live code that refreshes every second with accurate countdown
  • Accepts Base32 secret or full otpauth:// URI
  • Auto-parses algorithm, digits, and period from URI
  • SHA-1, SHA-256, and SHA-512 HMAC support
  • 6-digit and 8-digit code modes
  • 30s, 60s, and custom period support
  • Countdown ring with colour shift as code expires
  • One-click copy
  • 100% browser-based — secret never leaves your device

TOTP Generator — Frequently Asked Questions

Is it safe to enter my real 2FA secret here?

The secret is processed entirely in your browser using the Web Crypto API. No data is sent to any server — you can verify this by disconnecting from the internet before entering the secret and confirming the codes still generate correctly. That said, for production accounts you care deeply about, consider using this tool only with test secrets or accounts where losing access would not be catastrophic.

What is a TOTP secret and where do I find it?

The TOTP secret is a Base32-encoded string (letters A–Z and digits 2–7) that was shared between you and the service when you first set up 2FA. It's typically shown as a QR code — but most services also show it as a plain text key labeled 'secret', 'setup key', or 'manual entry code'. Save this key when you first enable 2FA; it's the only way to recover your codes without a backup method.

Why is my code different from what my authenticator app shows?

The most common cause is clock skew — TOTP codes are time-based, so if your device's clock is off by more than ~15 seconds, the code will be wrong. Make sure your system clock is synchronised to NTP. The second most common cause is a wrong algorithm or digit count: most sites use SHA-1 with 6 digits and a 30-second period — try those defaults before changing options. If you pasted an otpauth:// URI, the generator automatically reads the algorithm and digit count from it.

What is an otpauth:// URI?

An otpauth:// URI is the format embedded in QR codes by 2FA setup pages. It looks like: otpauth://totp/Example:[email protected]?secret=BASE32SECRET&issuer=Example&algorithm=SHA1&digits=6&period=30. The URI encodes everything the authenticator needs: the secret key, the algorithm (SHA-1/SHA-256/SHA-512), the code length, and the refresh period. Paste a full URI into this generator and all options are set automatically.
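
A sketch of how such a URI can be parsed and validated before its values are used, with the defaults this page names (SHA-1, 6 digits, 30 seconds). This is an added example, not the generator's own parser; parse_otpauth and SAMPLE_URI are hypothetical names, the sample URI is constructed, and the accepted digit range of 6 to 8 is an assumption of the example.

```python
import base64
from urllib.parse import parse_qs, unquote, urlsplit

ALLOWED_ALGORITHMS = {"SHA1", "SHA256", "SHA512"}

# Constructed sample; the secret is Base32 for b"1234567890".
SAMPLE_URI = ("otpauth://totp/Example:alice%40example.test"
              "?secret=gezdgnbvgy3tqojq&issuer=Example"
              "&algorithm=SHA256&digits=8&period=60")


def parse_otpauth(uri: str) -> dict:
    """Return validated TOTP parameters; raise ValueError on anything malformed."""
    parts = urlsplit(uri)
    if parts.scheme != "otpauth":
        raise ValueError("not an otpauth:// URI")
    if parts.netloc.lower() != "totp":
        raise ValueError("only the totp type is handled here")
    query = {k: v[-1] for k, v in parse_qs(parts.query).items()}

    secret = query.get("secret", "").replace(" ", "").upper()
    if not secret:
        raise ValueError("missing secret parameter")
    try:
        key = base64.b32decode(secret + "=" * (-len(secret) % 8))
    except ValueError as exc:  # binascii.Error is a ValueError subclass
        raise ValueError("secret is not valid Base32") from exc

    algorithm = query.get("algorithm", "SHA1").upper()
    if algorithm not in ALLOWED_ALGORITHMS:
        raise ValueError("unsupported algorithm")
    digits = int(query.get("digits", "6"))    # int() raises ValueError on junk
    period = int(query.get("period", "30"))
    if not 6 <= digits <= 8:                  # assumption of this example
        raise ValueError("digits out of range")
    if period <= 0:
        raise ValueError("period must be positive")

    # The label is "Issuer:account" or just "account"; the issuer parameter wins.
    label = unquote(parts.path.lstrip("/"))
    label_issuer, account = label.split(":", 1) if ":" in label else (None, label)
    return {"key": key, "algorithm": algorithm, "digits": digits, "period": period,
            "issuer": query.get("issuer", label_issuer), "account": account.strip()}
```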

What's the difference between TOTP and HOTP?

TOTP (Time-based OTP, RFC 6238) derives the counter from the current Unix timestamp divided by the period, so codes change automatically every 30 seconds. HOTP (HMAC-based OTP, RFC 4226) uses an explicit counter that increments each time a code is requested — the server and client must stay in sync, which makes HOTP harder to use correctly. Almost every modern 2FA app uses TOTP.

Can I use TOTP codes generated here to actually log in?

Yes — the codes this generator produces are mathematically identical to what Google Authenticator or Authy would show for the same secret. If you enter a valid secret for a service that uses standard RFC 6238 TOTP, the generated code will work during its 30-second window.

Tips

  • Most services use SHA-1, 6 digits, 30s period — these are the defaults; only change them if the URI specifies otherwise
  • Paste an otpauth:// URI directly into the URI tab and the generator reads the algorithm, digits, and period automatically
  • The countdown ring turns yellow at 40% remaining and red at 20% — copy the code before it turns red to avoid it expiring mid-login
  • Disconnecting from the internet before entering your secret confirms nothing is being sent to a server