TOTP Generator
Turn a Base32 secret into a live two-factor (TOTP) code, exactly like an authenticator app — generated in your browser. Check a 2FA setup, debug an integration, or scan the otpauth QR into your phone. Nothing is uploaded.
A QR code appears once you enter a valid secret.
About TOTP
A TOTP (Time-based One-Time Password, RFC 6238) is the six-digit code an authenticator app shows for two-factor authentication. Both your app and the server share a secret; both derive the same code from the current time, so it changes every 30 seconds without any network exchange. This page does the same maths locally — paste a Base32 secret to see the live code, or scan the QR into your phone.
Under the hood: HMAC-SHA-1 on a counter
TOTP is HMAC-SHA-1(secret, floor(unix_time / period)) truncated to N digits — a counter derived from the current Unix time, signed with your secret, then reduced to a 6 or 8-digit number. To reproduce that signature step by hand and debug a mismatch, use the HMAC Generator (select HMAC-SHA-1) with your secret and the time counter as the message.
Tips
- The secret is Base32 (letters A–Z and digits 2–7), not Base64 — spaces and lowercase are accepted.
- Most apps (Google Authenticator, Authy) use SHA-1, 6 digits and a 30-second period — change the options only if your provider asks for it.
- If a code is rejected, your device clock is probably off by more than the server's tolerance window.
- The QR encodes the secret so an authenticator app can import it — treat that image like the secret itself.
Is the secret uploaded?
No. The code is computed with the browser's native crypto.subtle HMAC, and the QR is drawn on a local canvas. Open DevTools → Network: nothing leaves your tab.