What is TOTP?

TOTP (Time-based One-Time Password) is a widely used algorithm for generating temporary authentication codes that change every 30 or 60 seconds. Defined in RFC 6238, TOTP is the standard behind popular authenticator apps like Google Authenticator, Authy, and Microsoft Authenticator.

How it works: TOTP combines a shared secret key with the current time through an HMAC hash function to produce a short numeric code (typically 6 or 8 digits). Because both the server and client share the same secret and use the same time reference, they independently generate matching codes without any network communication.

Common Use Cases

Two-Factor Authentication (2FA)

Add an extra security layer beyond passwords for login systems

Multi-Factor Authentication (MFA)

Combine with biometrics or hardware keys for stronger security

Service Account Protection

Secure API keys, admin panels, and cloud service accounts

Development & Testing

Verify TOTP implementations during app development

How TOTP Works

The algorithm takes a Base32-encoded secret key and the current Unix timestamp, divides the time by the period (e.g., 30 seconds) to get a counter value, then applies HMAC with the chosen hash algorithm (SHA-1, SHA-256, or SHA-512). The result is dynamically truncated to produce the final numeric code.

TOTP Formula

TOTP = Truncate(HMAC-SHA(secret, floor(time / period)))

How to Use the TOTP Generator

Generate Codes from a Secret Key

Enter Secret Key

Enter your Base32 secret key in the input field (e.g., JBSWY3DPEHPK3PXP)

Auto-Generate Code

The TOTP code will be generated automatically with a countdown timer

Adjust Settings

Configure Algorithm (SHA-1, SHA-256, SHA-512), Digits (6 or 8), and Period (30s or 60s) as needed

Copy Code

Click the copy button to copy the current code to your clipboard

Import from an otpauth:// URL

Paste URL

Paste an otpauth://totp/... URL directly into the input field

Auto-Parse

The tool will automatically parse the issuer, account name, secret, and all settings

Settings Update

Settings controls will update to match the URL parameters

Import from a QR Code Image

Upload QR

Click the Upload QR button (upload icon) in the header

Select Image

Select an image file containing a TOTP QR code

Auto-Decode

The QR code will be decoded and the otpauth:// URL will be parsed automatically

Save and Manage Accounts

After entering a secret, click the Save button to store the account
You will be prompted to enter a name for the account
Click on any saved account to load its secret and settings
Use the pen icon or double-click the account name to rename it
Use the X button to delete an account from the saved list

Export as QR Code

Load Secret

Enter or load a secret key

Show QR

Click the Show QR button (QR icon)

Scan & Transfer

Scan with any authenticator app

Features

Multiple Hash Algorithms

Generate TOTP codes with three HMAC algorithms:

SHA-1 — Default, most compatible
SHA-256 — Enhanced security
SHA-512 — Maximum security

Configurable Code Settings

Customize code generation parameters:

6-digit or 8-digit codes
30-second or 60-second periods
Auto-adjust from otpauth:// URLs

Real-Time Countdown Timer

Visual progress bar with smart color indicators:

Yellow at 33% remaining
Red at 5 seconds
Next code preview displayed

QR Code Support

Full QR code integration:

Import by uploading QR images
Generate QR codes from secrets
Transfer to mobile authenticator apps

Multi-Account Management

Save and organize multiple accounts:

Store unlimited accounts locally
Quick-load saved configurations
Rename and delete accounts easily

otpauth:// URL Parsing

Automatic URL parameter extraction:

Parse secret and issuer info
Extract algorithm and settings
Standard authenticator format

Your Data Stays Private: All TOTP generation happens in your browser using the Web Crypto API. Secret keys are never sent to any server, we don't collect or log your authentication data, and saved accounts are stored only in your browser's localStorage.

Frequently Asked Questions

What is the difference between TOTP and HOTP?

TOTP (Time-based) uses the current time to generate codes that change every 30 or 60 seconds. HOTP (HMAC-based) uses a counter that increments with each use.

TOTP is more widely adopted because codes expire automatically, reducing the risk of replay attacks. This tool supports TOTP only.

Which algorithm should I use?

SHA-1 is the default and most widely supported algorithm — use it unless the service you're setting up specifically requires SHA-256 or SHA-512.

Most authenticator services (Google, GitHub, AWS) use SHA-1 with 6 digits and a 30-second period.

Why does my code not match the expected value?

TOTP codes depend on accurate system time. If your device clock is off by more than a few seconds, the generated codes may not match.

Check that your system time is synchronized
Verify algorithm, digit count, and period settings match the service
Ensure the secret key is entered correctly

Is it safe to enter my secret key here?

Yes. All computation happens entirely in your browser using the Web Crypto API. Your secret key is never transmitted to any server.

Saved accounts are stored only in your browser's localStorage and are accessible only from this device.

Can I use this instead of Google Authenticator?

This tool generates the same TOTP codes as Google Authenticator and other authenticator apps. You can use it for development, testing, or as a backup code generator.

Recommendation: For daily 2FA use, a dedicated mobile authenticator app is recommended as it's always accessible on your phone.