
TOTP Generator

Paste a Base32 secret and get a live TOTP code — the same algorithm used by Google Authenticator and 1Password. Runs entirely in your browser.


How to use TOTP Generator

  1. Find the Base32 secret a site gives you when enrolling in two-factor authentication — it is the string behind the "can't scan the QR code?" link.
  2. Paste that secret into the input box. Spaces and lowercase letters are handled automatically.
  3. Read the current 6-digit TOTP code shown in large digits.
  4. Watch the progress bar — the code refreshes every 30 seconds, the standard TOTP window.
  5. Copy the code and enter it into the site before the timer runs out.

How time-based one-time passwords (TOTP) work

When a website asks you to enable two-factor authentication and shows a QR code, it is almost always setting up TOTP — the Time-based One-Time Password algorithm defined in RFC 6238. This is the same mechanism behind Google Authenticator, Authy, 1Password, and Microsoft Authenticator. This tool implements that exact algorithm in your browser so you can see a live code from any Base32 secret.

The algorithm in plain terms

TOTP combines two ingredients: a shared secret (the Base32 string behind the QR code) and the current time. The steps are:

  • Take the number of seconds since 1 January 1970 and divide by 30 to get a counter that ticks once every 30 seconds.
  • Compute an HMAC-SHA1 of that counter using the shared secret as the key.
  • Apply "dynamic truncation" to pull a 31-bit number out of the HMAC, then take it modulo 1,000,000 to land on a 6-digit code.

Because the server holds the same secret and reads the same clock, it runs the identical calculation and expects the identical code — with no message ever passing between you and the server. That offline property is what makes TOTP resilient and easy to deploy.

TOTP versus HOTP

TOTP is built on top of HOTP (RFC 4226), the original HMAC-based one-time password. The only difference is the moving part: HOTP uses an event counter that increments each time you request a code, while TOTP uses time itself as the counter. Time-based codes win in practice because there is nothing to keep in sync except the clock, and clocks are easy to synchronize.

The 30-second window and clock skew

The default period is 30 seconds, which is why this tool shows a draining progress bar. A short window means a code intercepted by an attacker is useless almost immediately. Servers usually accept the code from the adjacent window too, to tolerate small clock differences between your device and theirs. If your codes are consistently rejected, the culprit is nearly always an inaccurate device clock — sync it to network time and try again.
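
The three algorithm steps listed earlier and the adjacent-window acceptance described in this section, as an added Python example; it is not this tool's own code, which the page says runs on Web Crypto in the browser. The function names, the `skew_steps` parameter and the sample secret are assumptions made for illustration; the secret is the Base32 form of the published RFC 6238 test key.

```python
import base64
import hashlib
import hmac
import struct
import time

# Constructed input: Base32 of the RFC 6238 Appendix B test key
# b"12345678901234567890", typed with spaces and lowercase as a user might.
SECRET = "gezd gnbv gy3t qojq gezd gnbv gy3t qojq"


def decode_secret(secret_b32):
    """Normalise a hand-typed Base32 secret (spaces, lowercase, missing padding)."""
    cleaned = "".join(secret_b32.split()).upper().rstrip("=")
    cleaned += "=" * (-len(cleaned) % 8)  # b32decode needs full 8-char blocks
    return base64.b32decode(cleaned)


def hotp(key, counter, digits=6):
    """RFC 4226: HMAC-SHA1 over the 8-byte big-endian counter, then truncate."""
    mac = hmac.new(key, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F  # low nibble of the last byte selects 4 bytes
    value = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF  # 31 bits
    return str(value % 10 ** digits).zfill(digits)  # keep leading zeros


def totp(secret_b32, now=None, period=30):
    """RFC 6238: HOTP where the counter is floor(unix_time / period)."""
    now = time.time() if now is None else now
    return hotp(decode_secret(secret_b32), int(now // period))


def verify(secret_b32, code, now=None, period=30, skew_steps=1):
    """Server-side check that also accepts codes from adjacent time steps."""
    now = time.time() if now is None else now
    key = decode_secret(secret_b32)
    current = int(now // period)
    ok = False
    for step in range(max(0, current - skew_steps), current + skew_steps + 1):
        # compare_digest avoids leaking how many digits matched through timing
        ok |= hmac.compare_digest(hotp(key, step).encode(), code.encode())
    return ok


if __name__ == "__main__":
    print(totp(SECRET), verify(SECRET, totp(SECRET)))
```

Passing a fixed `now` makes the output reproducible, which is how the RFC test vectors are checked; with `skew_steps=0` only the current window is accepted.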

Good practices for two-factor authentication

  • Save your backup codes. If you lose access to your TOTP secret you can be locked out; recovery codes are your fallback.
  • Keep the secret secret. Anyone who copies your Base32 secret can generate your codes forever, so protect it like a password.
  • Prefer a hardware key for high-value accounts. FIDO2/WebAuthn keys resist phishing in ways that typed TOTP codes cannot.
  • Use this tool for testing and backups — and a dedicated app or device as your everyday authenticator.

Related security tools

  • Password Generator — the first factor that a TOTP code is meant to back up; make it strong and unique.
  • Random Token Generator — produces the same kind of high-entropy shared secret that seeds a TOTP enrollment.
  • Passphrase Generator — a memorable master credential for the vault where you keep your 2FA backup codes.

Frequently asked questions

What is TOTP and how does it work?
TOTP (Time-based One-Time Password, RFC 6238) generates a short code from two inputs: a shared secret and the current time. Both the website and this tool compute an HMAC-SHA1 over the number of 30-second intervals since 1970, then truncate it to 6 digits. Because both sides use the same secret and clock, they independently arrive at the same code — no network round-trip needed.

What is the difference between TOTP and HOTP?
HOTP (RFC 4226) is the counter-based original: each code is derived from an incrementing counter that advances every time you use a code. TOTP (RFC 6238) replaces that counter with the current time divided into 30-second steps, so codes rotate automatically. Almost every modern authenticator app uses TOTP.

Why does the code change every 30 seconds?
The 30-second window (the default "period" in RFC 6238) limits how long a stolen code is useful and keeps the user and server clocks in sync. Each new 30-second interval produces a fresh code; the previous one stops working, which is what makes it "one-time."

Is this as safe as my phone's authenticator app?
For day-to-day login, a dedicated app or hardware key is the better default — it keeps the secret on a separate device, survives clearing your browser, and works offline. This web tool is best for testing TOTP integrations, scripting, and emergency backup access when your phone is unavailable.

Is my secret sent anywhere?
No. Decoding the Base32 secret and computing the HMAC-SHA1 both happen in-page through Web Crypto, so the seed never leaves the tab. That matters more here than for most tools: a TOTP secret is a permanent key, and anyone who copies it can mint your codes indefinitely — so paste it only on a device you trust and clear it when done.

My code is rejected — what went wrong?
The most common cause is a wrong system clock; TOTP depends on accurate time, so even a minute of drift can break it. Double-check that you pasted the exact secret, that the site uses the standard 30-second SHA-1 6-digit settings, and that your device clock is synced to network time.

Does this support hardware security keys?
No. Hardware keys (YubiKey and similar) use FIDO2/WebAuthn, a challenge-response protocol that is unrelated to TOTP. This tool implements the RFC 6238 TOTP algorithm that authenticator apps use, which is based on a shared secret rather than public-key cryptography.

What is the Base32 secret and why that encoding?
The secret is the shared key that seeds the algorithm. It is shown in Base32 because that alphabet (A–Z and 2–7) avoids easily-confused characters and is case-insensitive, making it practical to type by hand when you cannot scan the QR code.


Built by Muhammad Tahir