TOTP Generator

Security Note

All TOTP calculations happen entirely in your browser using the Web Crypto API, and generating codes sends no data to any server. The one exception is the QR code: its image is generated via an external service, and the otpauth:// URI, which contains your secret, is sent to that service in the request URL. For maximum security, only use real secrets on trusted devices.

Quick Start Guide

Get up and running in 30 seconds

  1. Enter or Generate a Secret

    Paste your Base32-encoded secret key, or click 'Generate Random Secret' to create a new one for testing.

  2. View Your TOTP Code

    The current 6-digit TOTP code is displayed along with a countdown timer showing when it expires and a new code is generated.

  3. Configure Parameters

    Adjust the number of digits (6, 7, or 8), hash algorithm (SHA-1, SHA-256, SHA-512), and time period (15, 30, or 60 seconds).

  4. Export as QR Code

    Generate a QR code containing the otpauth:// provisioning URI that can be scanned by any authenticator app.

What is TOTP (Time-based One-Time Password)?

Understanding time-based one-time passwords

TOTP is a widely used algorithm for two-factor authentication (2FA). It generates short-lived numeric codes from a shared secret key and the current time, as specified in RFC 6238.

How TOTP Works

  1. Shared Secret: Both the server and client share a secret key (usually Base32-encoded)
  2. Time Counter: The current UNIX timestamp is divided by the time period (usually 30 seconds) to create a counter value
  3. HMAC Calculation: The counter is signed with the secret using HMAC-SHA1 (or SHA-256/SHA-512)
  4. Dynamic Truncation: A 4-byte segment of the HMAC output is extracted and converted to a numeric code
  5. Digit Extraction: The truncated value is reduced to the desired number of digits (typically 6)
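
The five steps above as working code. This is an added example, not this tool's source: it implements RFC 6238 on the Web Crypto API and runs the RFC's Appendix B test vector. The names totp, base32Decode and RFC_KEY are illustrative.

```javascript
// Added example (not the tool's source): RFC 6238 TOTP on Web Crypto.
// Browsers and Node 19+ expose crypto globally; older Node needs the fallback.
const subtle = (globalThis.crypto ?? require("node:crypto").webcrypto).subtle;
const B32 = "ABCDEFGHIJKLMNOPQRSTUVWXYZ234567";

// Step 1: decode the shared secret; tolerate spaces, lowercase and '=' padding.
function base32Decode(secret) {
  const out = [];
  let buf = 0, bits = 0;
  for (const ch of secret.replace(/[\s=]/g, "").toUpperCase()) {
    const v = B32.indexOf(ch);
    if (v < 0) throw new Error(`invalid Base32 character: ${ch}`);
    buf = (buf << 5) | v;
    bits += 5;
    if (bits >= 8) {
      bits -= 8;
      out.push((buf >>> bits) & 0xff);
      buf &= (1 << bits) - 1; // keep only the bits not yet emitted
    }
  }
  return new Uint8Array(out);
}

async function totp(secret, opts = {}) {
  const { unixSeconds = Math.floor(Date.now() / 1000),
          period = 30, digits = 6, hash = "SHA-1" } = opts;
  // Step 2: counter = floor(time / period), encoded as 8 bytes big-endian.
  const counter = Math.floor(unixSeconds / period);
  const msg = new DataView(new ArrayBuffer(8));
  msg.setUint32(0, Math.floor(counter / 2 ** 32));
  msg.setUint32(4, counter >>> 0);
  // Step 3: HMAC over the counter, keyed with the decoded secret.
  const key = await subtle.importKey("raw", base32Decode(secret),
    { name: "HMAC", hash }, false, ["sign"]);
  const mac = new Uint8Array(await subtle.sign("HMAC", key, msg.buffer));
  // Step 4: dynamic truncation; the low nibble of the last byte picks the offset.
  const off = mac[mac.length - 1] & 0x0f;
  const bin = ((mac[off] & 0x7f) << 24) | (mac[off + 1] << 16) |
              (mac[off + 2] << 8) | mac[off + 3];
  // Step 5: keep the low `digits` decimal digits, left-padded with zeros.
  return String(bin % 10 ** digits).padStart(digits, "0");
}

// RFC 6238 Appendix B vector: ASCII key "12345678901234567890", T = 59 s.
const RFC_KEY = "GEZDGNBVGY3TQOJQGEZDGNBVGY3TQOJQ";
totp(RFC_KEY, { unixSeconds: 59, digits: 8 })
  .then((code) => console.log(code)); // 94287082
```

Passing the same secret, period, digits and hash that your backend uses, with a fixed unixSeconds, gives a deterministic value to compare against server output.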

Standards & Compatibility

TOTP is defined in RFC 6238 and builds on the HOTP algorithm from RFC 4226. It's supported by virtually all authenticator apps including Google Authenticator, Microsoft Authenticator, Authy, 1Password, and Bitwarden.

This Tool

This TOTP generator implements the algorithm from scratch using the Web Crypto API for HMAC calculations. No external libraries are used. All TOTP processing happens in your browser; apart from the QR code image request described in the Security Note, your secret keys never leave your device.

Common Use Cases

How developers use TOTP

Test 2FA Implementations

Verify your server-side TOTP implementation by comparing generated codes. Enter the same secret and parameters to ensure your backend produces matching codes.

Emergency Code Generation

If you have your TOTP secret backed up, you can generate codes without an authenticator app. Useful when your phone is unavailable.

Onboarding QR Code Generation

Create otpauth:// QR codes for provisioning new users in your application. Generate and display the QR during the 2FA setup flow.

Learn TOTP Internals

Understand how time-based one-time passwords work by experimenting with different algorithms, periods, and digit lengths. See the code update in real time.

How to Use the TOTP Generator

Master TOTP generation

This tool lets you generate TOTP codes from a Base32 secret key. You can test with a random secret or enter your own.

Entering a Secret

Secrets must be Base32-encoded (characters A-Z and 2-7). Most services provide the secret in this format during 2FA setup. Spaces and lowercase are automatically handled.

Understanding the Countdown

The circular timer shows how much time remains before the current code expires. When the timer reaches zero, a new code is automatically generated. The default period is 30 seconds (the most common setting).

QR Code Provisioning

The QR code encodes an otpauth:// URI in this format: otpauth://totp/LABEL?secret=SECRET&algorithm=SHA1&digits=6&period=30

This is the standard format recognized by all major authenticator apps.

Algorithm Differences

  • SHA-1: Default for most services (Google Authenticator, etc.)
  • SHA-256: More secure, used by some enterprise services
  • SHA-512: Maximum security, less commonly supported

Security & Privacy

Your secrets stay on your device

Your TOTP secrets are extremely sensitive — they're the keys to your two-factor authentication. This tool is designed with security as the top priority.

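  • 100% Client-Side: All TOTP calculations use the Web Crypto API in your browser. Code generation makes zero network requests; the only request that carries your secret is the QR code image, which sends the otpauth:// URI to an external service.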
  • No Storage: Secrets are held only in React state (memory). Nothing is written to localStorage, cookies, or any persistent storage.
  • No Logging: We never log, track, or transmit secret keys or generated codes.
  • Open Algorithm: The TOTP implementation follows RFC 6238 exactly, using standard Web Crypto HMAC functions.
  • Secure Randomness: Random secret generation uses crypto.getRandomValues() for cryptographically secure random bytes.

Best Practices

  • Only enter real secrets on devices you trust
  • Don't screenshot or share your secret keys
  • Always keep a backup of your secrets in a secure password manager
  • Verify your system clock is accurate (TOTP is time-sensitive)

By the Numbers

Tool metrics

  • Algorithm: RFC 6238
  • Hash Functions: 3
  • Period Options: 3
  • Privacy: 100%

Time-based One-Time Password generator. RFC 6238 compliant, built with Web Crypto API.