
OTP / TOTP Generator

Generate time-based one-time passwords (TOTP) compliant with RFC 6238. Create 2FA codes, generate random keys, and export setup QR codes for authenticator apps — entirely in your browser.


All TOTP computation runs entirely in your browser using the Web Crypto API. Your secret key is never transmitted to any server. The QR code is generated client-side using the standard otpauth:// URI format.

Two-factor authentication (2FA) is one of the most effective defenses against account takeover, and time-based one-time passwords (TOTP) are the most widely deployed 2FA mechanism in the world. Defined in RFC 6238, TOTP generates a new numeric code every 30 seconds from a shared secret and the current time: no SMS, no email, and no network connection required once the secret has been established. (Unlike a FIDO2 security key, a TOTP code can still be phished and relayed in real time, so treat it as a strong second factor rather than a phishing-resistant one.) Our free OTP / TOTP Generator implements the full RFC 6238 specification in your browser using the Web Crypto API. Generate codes, create random Base32 secrets, configure custom digit lengths and time periods, and export standard otpauth:// URIs with scannable QR codes for Google Authenticator, Authy, Microsoft Authenticator, 1Password, Bitwarden, and any other TOTP-compatible app, all without sending a single byte to a server.

How Does TOTP Work?

TOTP (Time-Based One-Time Password) combines a shared secret key with the current Unix time to produce a short numeric code that changes at fixed intervals, typically every 30 seconds. The algorithm works in three steps:

  1. Calculate the counter: Subtract the epoch T0 (0 by default) from the current Unix time, divide by the time step X (30 seconds by default) and keep the integer part. The result increments once per period and is encoded as an 8-byte big-endian integer.
  2. Compute HMAC: Apply HMAC, keyed with the Base32-decoded secret, to those 8 bytes. The default hash is SHA-1, giving a 20-byte MAC; RFC 6238 also permits HMAC-SHA256 and HMAC-SHA512 (32- and 64-byte MACs), but most services and apps only support SHA-1.
  3. Dynamic truncation: Take the low 4 bits of the last MAC byte as an offset, read the 4 bytes starting at that offset as a big-endian integer with the top bit cleared (a 31-bit value, so signed and unsigned implementations agree), and reduce it modulo 10^d, where d is the number of digits. Left-pad the result with zeros to d digits.

This design lets both parties, the user's authenticator app and the service being logged into, independently compute the same code at the same moment, provided they share the secret and have roughly synchronized clocks. RFC 6238 recommends that a verifier tolerate at most one time step of drift (i.e. also accept the previous or next code) and, separately, that a code which has been accepted once is never accepted again, so a captured code cannot be replayed within its window.

How to Use the TOTP Generator

  1. Set the secret key — Paste an existing Base32 secret or click "Random" to generate a new cryptographically secure one. The secret is displayed as a Base32-encoded string, which is the standard format used by all authenticator apps and service providers.
  2. Configure issuer and account — Enter the service name (e.g., "GitHub", "AWS", "Google") and your account identifier (username or email). These fields populate the otpauth:// URI and QR code label.
  3. Adjust digits and period — Most services use 6-digit codes with a 30-second period (the RFC 6238 defaults). Some enterprise configurations require 7 or 8 digits or a 60-second window. Select the settings that match your target service.
  4. Read the live code — The OTP (6 digits by default) displays prominently at the top of the page with a real-time countdown bar. When the timer reaches 5 seconds, the code turns red to indicate it's about to rotate.
  5. Export to authenticator app — Copy the otpauth:// URI to your clipboard, or click "Show QR Code" to display a scannable QR code. Scan it with Google Authenticator, Authy, 1Password, Bitwarden, or your preferred TOTP app for instant setup.

Key Features

  • RFC 6238 Compliant

    Full implementation of the TOTP standard using HMAC-SHA1, with proper counter calculation and dynamic truncation.

  • Live Countdown Timer

    Visual progress bar and second counter show exactly when the current code expires. Turns red in the final 5 seconds.

  • Random Key Generation

    Generate cryptographically secure 20-byte (160-bit) secrets, shown as 32 Base32 characters, at the click of a button using the Web Crypto API's CSPRNG (crypto.getRandomValues).

  • QR Code Export

    Generate a scannable QR code for instant authenticator app setup. Compatible with Google Authenticator, Authy, Microsoft Authenticator, 1Password, Bitwarden.

  • Custom Digits & Period

    Support for 6, 7, and 8-digit codes with 30 or 60-second periods, covering the configurations used by common services.

  • 100% Client-Side

    All cryptography runs in your browser using Web Crypto. Secrets never leave your device — no server communication whatsoever.

  • Standard otpauth:// URI

    Generates the standard otpauth:// URI (the de facto "Key Uri Format" read by Google Authenticator and other TOTP apps) with one-click copy.

  • Instant Updates

    The live code updates every 500ms for near-instant reflection when the counter changes. Real-time feedback as you edit the secret.

When to Use a TOTP Generator

  • Setting Up 2FA on a Service You Build or Operate: Generate a secret, scan the QR code into your authenticator app, and confirm the app's code matches the tool's before you enable the secret on the server. (When enrolling with an existing service, the service generates the secret and shows you its QR code; you do not generate one yourself.)
  • Testing TOTP Implementations: If you're building a service that supports TOTP-based 2FA, use this tool to generate known codes from a known secret to verify your server-side verification logic.
  • Recovering Access: If you hold a backup of a TOTP secret (from a recovery sheet or password manager), you can generate codes without a phone or authenticator app. Paste real secrets only on a machine and browser you trust: the secret is the long-term credential, and anything that can read the page (a browser extension, an injected script, someone watching the screen) can clone your second factor.
  • Learning and Education: Understanding how TOTP works is valuable for security professionals, developers implementing 2FA, and students studying applied cryptography. Step through the algorithm with a known secret to see each phase in action.
  • Cross-Platform Verification: Verify that your authenticator app is producing the correct code by comparing its output with the generator — useful when debugging time synchronization issues.

Frequently Asked Questions

Is my secret key safe when using this tool?
Yes, by design. The entire TOTP computation (Base32 decoding, HMAC-SHA1, dynamic truncation and QR code generation) runs in your browser. Your secret key is never transmitted over the network, never stored on any server, and never logged. You can check this yourself: open the browser's developer tools, watch the Network tab while you paste a secret and generate codes, then disconnect from the internet after the page loads; no requests are made and the tool keeps generating codes. The secret does live in the page's memory while you use it, so a browser extension with access to the page could read it. For production 2FA, keep your secrets in a trusted authenticator app or password manager and paste a real secret here only when you need to.
What is the difference between TOTP and HOTP?
HOTP (HMAC-based OTP, RFC 4226) feeds an event counter into the same HMAC-and-truncate construction. The counter advances each time a code is generated, and the server keeps its own copy, moving it forward (with a small look-ahead window) whenever a code is accepted, so an unused HOTP code stays valid until a later code is used. TOTP (RFC 6238) derives the counter from the current Unix time divided by a time step instead, so every code expires after its period, typically 30 seconds, and a code that is captured but not used immediately is worthless. Both schemes reject a code that has already been accepted; TOTP's advantages are that it needs no counter resynchronization and that it bounds the lifetime of an unused code. TOTP is the dominant standard and what most people mean when they say "2FA code" or "authenticator code." Our tool implements TOTP per RFC 6238.
Why is the secret encoded in Base32?
Base32 encoding (RFC 4648, alphabet A-Z and 2-7) was chosen for TOTP secrets because it is compact, can be decoded case-insensitively, and leaves out the digits 0, 1, 8 and 9, which are easily confused with the letters O, I/L and B when a secret has to be read aloud or typed by hand. It is the format used in the otpauth:// URI scheme and by Google Authenticator. A typical TOTP secret is 16-32 Base32 characters, representing 10-20 raw bytes; RFC 4226 requires at least 128 bits (16 bytes, 26 characters) and recommends 160 bits (20 bytes, 32 characters), so the 16-character secrets some services still issue fall below the minimum.
What happens if my phone's clock is wrong?
TOTP relies on synchronized clocks. If your phone's clock is significantly off, the generated codes won't match what the server expects. Most services allow a grace period of one time step in either direction (previous or next code), so drift of up to about 30 seconds usually goes unnoticed. If you consistently get invalid codes, check your phone's date and time settings; most smartphones sync automatically from the mobile network or NTP, so this is rare. Our tool uses your browser's local clock, which is normally synced with your operating system's time source, so comparing its code with your phone's is a quick way to find out which device has drifted.
Can I use this instead of a dedicated authenticator app?
This tool is designed for testing, development, and educational purposes. For production use, we strongly recommend a dedicated authenticator app (Google Authenticator, Authy, Microsoft Authenticator, 1Password, Bitwarden) or a hardware security key. Dedicated apps offer features like encrypted backup, multi-device sync, biometric unlock, and phishing-resistant authentication that this browser-based tool doesn't provide. Use this generator to verify your setup, debug implementations, or generate codes from a backed-up secret.
