TOTP Generator for 2FA Codes
This TOTP generator turns a Base32 secret key into the same time-based one-time passwords your authenticator app produces, generating a fresh 2FA code every 30 or 60 seconds. It is built for developers, testers, and anyone who needs a working TOTP code from a secret without reaching for a phone.
TOTP (Time-based One-Time Password, defined in RFC 6238) is the standard behind Google Authenticator, Authy, and Microsoft Authenticator. Paste a secret or an otpauth:// URL, upload an authenticator QR image, and save multiple accounts for one-click code generation.
How to Generate a TOTP Code
Enter the secret key
Type or paste a Base32 secret (for example JBSWY3DPEHPK3PXP) into the Secret Key field. The code generates automatically — spaces, dashes, and = padding are stripped for you.
Or import a URL or QR
Paste a full otpauth://totp/... URL to auto-fill every setting, or click Upload QR Code to decode an authenticator QR image. The issuer, account, algorithm, digits, and period are parsed automatically.
Match the settings
Set Algorithm (SHA-1, SHA-256, or SHA-512), Digits (6 or 8), and Period (30 or 60 seconds) to match the service you are pairing with.
Copy and save
Use Copy code to send the current code to your clipboard before the timer runs out. Click Save to store the account locally and load its codes in one click next time.
Features
Three Hash Algorithms
Generate codes with SHA-1 (the default and most compatible), SHA-256, or SHA-512 to match any service.
Configurable Digits & Period
Switch between 6 or 8 digit codes and a 30 or 60 second period to fit how the service was set up.
Live Countdown Timer
A progress bar tracks the remaining time, turning yellow at 33% left and red in the last 5 seconds.
Next Code Preview
The upcoming code is always shown below the current one, so a code that is about to expire never trips you up.
otpauth:// URL Parsing
Paste a standard otpauth:// URL to pull the secret, issuer, account, algorithm, digits, and period in one step.
QR Import & Export
Decode a TOTP QR image to load a secret, or generate a scannable QR code to move it to a mobile authenticator.
Multi-Account Management
Save several accounts in your browser and click any one to instantly load its secret and generate codes.
Inline Renaming
Rename a saved account with the pen icon or by double-clicking its name — no separate edit screen needed.
Secret Visibility Toggle
Hide or reveal the secret key with one click, plus copy the live code to your clipboard whenever you need it.
Client-Side Only
All generation runs locally with the Web Crypto API. Secrets are never uploaded and saved accounts stay on this device.
Frequently Asked Questions
What is TOTP?
TOTP stands for Time-based One-Time Password. It combines a shared secret key with the current time through an HMAC hash to produce a short code that changes every 30 or 60 seconds. Because the server and your device share the same secret and clock, they generate matching codes independently — no network call needed. It is defined in RFC 6238.
How do I generate a TOTP code from a secret key?
Paste your Base32 secret into the Secret Key field and the code appears immediately. If your settings differ from the defaults, adjust the algorithm, digit count, and period to match the service. You can also paste an otpauth:// URL or upload a QR image to fill everything in automatically.
What is a TOTP secret key and what format should it be in?
The secret key is the shared value a service gives you when you enable 2FA. It should be in Base32 encoding — letters A–Z and digits 2–7. This tool automatically removes spaces and = padding. If you only have a QR code or an otpauth:// link, import that instead and the secret is extracted for you.
How long is a TOTP code valid?
By default each code is valid for 30 seconds, and some services use a 60-second period. The countdown timer shows exactly how much time is left, turning yellow at 33% remaining and red in the final 5 seconds. The next code is previewed below, so you can wait it out instead of racing the clock.
Which algorithm should I choose?
SHA-1 is the default and most widely supported option — most services (Google, GitHub, AWS) use SHA-1 with 6 digits and a 30-second period. Only switch to SHA-256 or SHA-512 if the service you are pairing with specifically requires it. Importing an otpauth:// URL sets the right algorithm for you.
Why doesn't my code match what the service expects?
TOTP depends on accurate time, so if your device clock is off by more than a few seconds the codes will not line up — make sure your system time is synchronized. Also confirm the algorithm, digit count, and period match what the service uses. A mismatch in any of these produces a valid-looking but wrong code.
Is an online TOTP generator safe to use?
Here, all computation happens entirely in your browser with the Web Crypto API — your secret key is never transmitted to any server, and saved accounts are stored only in this browser's local storage. That said, treat any secret like a password: for everyday 2FA a dedicated mobile authenticator is still recommended, since this tool is best for development, testing, or a backup code generator.
What is the difference between TOTP and HOTP?
TOTP is time-based, generating codes that change every 30 or 60 seconds. HOTP is counter-based, with a value that increments on each use. TOTP is more common because its codes expire automatically, which reduces the risk of replay attacks. This tool supports TOTP only.
Are my saved accounts backed up?
Saved accounts live in your browser's local storage. They persist between sessions but are not synced to any cloud, so clearing your browser data removes them. Use Show QR Code to export an important secret as a scannable QR image you can keep as a backup.
No comments yet. Be the first to comment!