ESC

TOTP Generator

Base32 encoded secret key (A-Z, 2-7). Minimum 16 characters.
Enter a secret key to generate the OTPAuth URI

Configuration

Algorithm
SHA-1
Period
30s
Digits
6
Current Counter
-
All TOTP generation happens locally in your browser. No secrets or codes are sent to any server.

Usage Examples

Standard TOTP

Generate a standard 6-digit TOTP code using a common Base32 secret key with SHA-1 algorithm.

Long Secret Key

Test TOTP generation with a longer 32-character Base32 secret for enhanced security.

RFC Test Vector

Use the RFC 6238 test vector secret to verify the TOTP implementation correctness.

Features

Time-Based Codes

Generates standard TOTP codes that automatically refresh every 30, 60, or 90 seconds

Multiple Algorithms

Supports SHA-1, SHA-256, and SHA-512 HMAC algorithms for code generation

Code Verification

Verify TOTP codes instantly to test your two-factor authentication setup

Fully Client-Side

All cryptographic operations happen in your browser using Web Crypto API, nothing is sent to servers

How to Use?

1

Enter or Generate Secret

Enter your Base32 secret key or click "Generate Secret" to create a random one.

2

View TOTP Code

The current TOTP code is displayed with a countdown timer showing remaining validity.

3

Copy or Verify

Copy the code to your clipboard or use the verify field to check if a code matches.

Frequently Asked Questions

TOTP (Time-based One-Time Password) is an algorithm defined in RFC 6238. It combines a shared secret key with the current Unix timestamp to generate a short code (usually 6 digits) that changes every 30 seconds. When you log in with 2FA, both your device and the server independently compute the same code from the same secret — if they match, authentication succeeds. The code is only valid for one 30-second window.

Yes. Everything runs locally via the browser's Web Crypto API — your secret key never leaves your browser. This tool is intended for testing and development (e.g., verifying your 2FA implementation) rather than as a daily authenticator. Do not enter the secret for a live production account in any web tool; use Google Authenticator, Authy, or a hardware key for those.

The most common causes: (1) Time skew — your device clock is off. TOTP is time-sensitive to within ±30 seconds. Sync your device time. (2) Wrong algorithm — most services use SHA-1, but some use SHA-256 or SHA-512. (3) Wrong period — most use 30 seconds; some use 60 seconds. (4) Wrong digit count — usually 6, but some services use 8. All four settings must match the server exactly.

Base32 uses 32 characters: A–Z and the digits 2–7. It is the standard encoding for TOTP secrets because it is case-insensitive (no upper/lower confusion), avoids visually ambiguous characters like 0/O and 1/I/l, and is easy to type manually or read aloud. Most authenticator apps accept Base32 secrets directly or scan them from QR codes.

This tool is for testing and development — it does not generate QR codes for importing into authenticator apps. If you want to test the full 2FA flow, scan the QR code provided by the service you are testing, then compare its output with what this tool generates using the same secret.

The tool supports SHA-1 (the RFC 6238 default and the most widely used), SHA-256, and SHA-512. Almost all services (Google, GitHub, Microsoft, etc.) use SHA-1 with 6 digits and a 30-second period. Use the other algorithms only if the service you are testing explicitly requires them.

Yes, this is the primary use case. Generate a random Base32 secret, configure your server-side TOTP library with the same secret and settings, then compare the code this tool generates with the code your server produces. If they match at the same moment, your implementation is correct.

No. The TOTP computation uses the browser's built-in Web Crypto API and runs entirely locally. Your secret key is never transmitted, stored, or logged anywhere. You can verify this with browser developer tools: there are no network requests when generating codes.

What is TOTP Generator?

Setting up 2FA for your app and need to test TOTP codes? This tool generates RFC 6238 compliant time-based one-time passwords right in your browser. Enter a Base32 secret (or generate one), and watch the 6-digit code tick down in real time. Supports SHA-1, SHA-256, and SHA-512. No server involved, everything is computed locally via Web Crypto API.

Why Developers Use This Tool

When you are building 2FA, you need a way to verify your implementation without pulling out your phone every time. Enter the same secret here, confirm the codes match, and move on. You can also generate random secrets, grab the OTPAuth URI for QR code generation, and verify codes against the current window. All client-side, so your secrets stay private.

Security and Privacy

Your data security is our priority

Local Processing

All processing happens in your browser

No Data Transfer

Your data is not sent to our servers

No Data Storage

No data is stored or shared

SSL Encryption

SSL encryption for secure connection

Next Step

Also on MoreOnlineTools