TOTP Generator
Generate and verify Time-Based One-Time Passwords (TOTP) for two-factor authentication directly in your browser.
About This Tool
The TOTP Generator creates and verifies Time-Based One-Time Passwords as defined in RFC 6238. TOTP is the algorithm behind authenticator apps like Google Authenticator, Authy, and Microsoft Authenticator. It combines a shared secret key with the current time to produce a short-lived numeric code that changes every 30 or 60 seconds.
Enter an existing Base32-encoded secret or click Generate Random Secret to create a cryptographically strong key. The tool decodes the secret, computes an HMAC over the current time counter, and applies dynamic truncation to extract a 6- or 8-digit code. You can configure the time period (30 or 60 seconds), digit count, and hash algorithm (SHA-1 or SHA-256) to match any service's requirements.
A countdown progress bar shows how much time remains before the code rotates, and the code refreshes automatically at each window boundary. The Verify Code section lets you paste a code from an authenticator app to confirm it matches the currently displayed code — useful for testing your 2FA setup before going live.
The tool also builds the standard otpauth:// provisioning URI used to set up authenticator apps. Copy the URI and paste it into the QR Code Generator to create a scannable setup code for your users. The HMAC computation uses the browser's Web Crypto API, the same engine behind our Hash Generator.
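A sketch of building and validating such a provisioning URI, added here as an example and not taken from the tool's source. The function names are illustrative; the parameter names (`secret`, `issuer`, `algorithm`, `digits`, `period`) follow the Key URI Format used by authenticator apps.

```javascript
// Added example. Web Crypto calls the hashes "SHA-1"/"SHA-256";
// the URI spells them without the hyphen.
const ALGS = { 'SHA-1': 'SHA1', 'SHA-256': 'SHA256' };

function buildOtpauthUri({ secret, account, issuer, hash = 'SHA-1', digits = 6, period = 30 }) {
  const clean = secret.toUpperCase().replace(/[\s=-]/g, '');
  if (!/^[A-Z2-7]+$/.test(clean)) throw new Error('secret is not Base32');
  if (!(hash in ALGS)) throw new Error('unsupported algorithm');
  if (![6, 8].includes(digits) || ![30, 60].includes(period)) throw new Error('unsupported digits or period');
  // encodeURIComponent yields %20 for spaces; "+" is shown literally by some apps.
  const label = encodeURIComponent(issuer) + ':' + encodeURIComponent(account);
  const query = `secret=${clean}&issuer=${encodeURIComponent(issuer)}` +
    `&algorithm=${ALGS[hash]}&digits=${digits}&period=${period}`;
  return `otpauth://totp/${label}?${query}`;
}

// Parse a URI back into settings, applying the defaults (SHA1, 6 digits, 30 s)
// and rejecting a label prefix that disagrees with the issuer parameter.
function parseOtpauthUri(uri) {
  const m = /^otpauth:\/\/totp\/([^?]+)\?(.+)$/.exec(uri);
  if (!m) throw new Error('not an otpauth://totp URI');
  const q = new URLSearchParams(m[2]);
  const label = decodeURIComponent(m[1]);
  const sep = label.indexOf(':');
  const prefix = sep < 0 ? null : label.slice(0, sep);
  const issuer = q.get('issuer') ?? prefix;
  if (prefix !== null && issuer !== prefix) throw new Error('issuer does not match label prefix');
  const wanted = (q.get('algorithm') ?? 'SHA1').toUpperCase();
  const hash = Object.keys(ALGS).find((k) => ALGS[k] === wanted);
  const secret = q.get('secret') ?? '';
  if (!hash || !/^[A-Z2-7]+$/i.test(secret)) throw new Error('bad secret or algorithm');
  return {
    issuer, account: label.slice(sep + 1).trim(), secret: secret.toUpperCase(), hash,
    digits: Number(q.get('digits') ?? 6), period: Number(q.get('period') ?? 30),
  };
}
```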
All processing happens entirely in your browser. Your secret keys and codes are never transmitted to any server. This makes the tool safe for testing production secrets, verifying authenticator setups, and debugging 2FA integrations without exposing sensitive credentials.
How to Use
- Enter a Base32-encoded secret key in the Secret Key field, or click Generate Random Secret to create one.
- The current TOTP code appears in large text on the right, along with a countdown bar showing the remaining time in the current window.
- Adjust Period, Digits, and Algorithm in the Configuration panel to match your service's settings.
- To verify a code, paste it into the Verify Code field and click Verify (or press Ctrl+Enter).
- Fill in Account Name and Issuer to build a provisioning URI, then copy it to generate a QR code with our QR Code Generator.
- Press Ctrl+Shift+C to quickly copy the current TOTP code to your clipboard.
FAQ
Is my data safe?
Yes. All TOTP computation runs entirely in your browser using the Web Crypto API. Your secret keys and generated codes are never sent to any server, stored, or logged. You can verify this by checking your browser's network tab while using the tool.
What is TOTP and how does it work?
TOTP (Time-Based One-Time Password) is an algorithm defined in RFC 6238 that generates short-lived numeric codes from a shared secret and the current time. It divides time into fixed windows (typically 30 seconds), computes an HMAC over the window counter using the secret key, and extracts a numeric code via dynamic truncation. Both the server and your authenticator app perform the same calculation independently.
What format should the secret key be in?
The secret key must be Base32-encoded, using the characters A-Z and 2-7. This is the standard format used by authenticator apps and most 2FA services. Spaces and hyphens in the key are automatically stripped. If you have a hex-encoded secret, you will need to convert it to Base32 first.
Why does my code not match my authenticator app?
The most common cause is a time sync issue — TOTP depends on both sides having the same clock. Ensure your device's time is accurate and set to automatic. Also check that the period (30 or 60 seconds), digit count (6 or 8), and algorithm (SHA-1 or SHA-256) match your service's configuration. Most services default to SHA-1, 6 digits, and a 30-second period.
Can I use this to set up 2FA for my application?
Yes. Generate a random secret, configure the parameters to match your server's settings, and copy the provisioning URI. Paste the URI into a QR code generator so users can scan it with their authenticator app. Your server must implement the same TOTP algorithm to verify codes submitted by users.
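The computation described in the FAQ above (Base32 decode, HMAC over the time counter, dynamic truncation), together with the server-side check this answer calls for, as an added example that is not the tool's own source. Function names and the `drift` option are assumptions of this sketch.

```javascript
// Added example, not the tool's source. Function names are illustrative.
// Web Crypto is global in browsers; the fallback covers older Node runtimes.
const subtle = (globalThis.crypto ?? require('node:crypto').webcrypto).subtle;
const B32 = 'ABCDEFGHIJKLMNOPQRSTUVWXYZ234567';

// Decode a Base32 secret; spaces, hyphens and '=' padding are stripped first.
function base32Decode(input) {
  const out = [];
  let bits = 0, value = 0;
  for (const ch of input.toUpperCase().replace(/[\s=-]/g, '')) {
    const idx = B32.indexOf(ch);
    if (idx < 0) throw new Error('invalid Base32 character: ' + ch);
    value = ((value << 5) | idx) & 0xfff;   // keep at most 12 pending bits
    bits += 5;
    if (bits >= 8) { bits -= 8; out.push((value >>> bits) & 0xff); }
  }
  return new Uint8Array(out);
}

// One HOTP value: HMAC over the 8-byte big-endian counter, then dynamic truncation.
async function hotp(keyBytes, counter, digits, hash) {
  const msg = new DataView(new ArrayBuffer(8));
  msg.setBigUint64(0, BigInt(counter));
  const key = await subtle.importKey('raw', keyBytes, { name: 'HMAC', hash }, false, ['sign']);
  const mac = new Uint8Array(await subtle.sign('HMAC', key, msg));
  const off = mac[mac.length - 1] & 0x0f;   // low nibble of the last byte picks the offset
  const bin = ((mac[off] & 0x7f) << 24) | (mac[off + 1] << 16) | (mac[off + 2] << 8) | mac[off + 3];
  return String(bin % 10 ** digits).padStart(digits, '0');
}

async function totp(secret, { time = Date.now() / 1000, period = 30, digits = 6, hash = 'SHA-1' } = {}) {
  return hotp(base32Decode(secret), Math.floor(time / period), digits, hash);
}

// Verify a submitted code. drift = 0 matches only the current window (as the tool does);
// drift = 1 (an assumption here) also accepts the adjacent windows to absorb clock skew.
async function verifyTotp(secret, code, { time = Date.now() / 1000, period = 30, digits = 6, hash = 'SHA-1', drift = 0 } = {}) {
  const key = base32Decode(secret);
  const now = Math.floor(time / period);
  let ok = false;
  for (let c = Math.max(0, now - drift); c <= now + drift; c++) {
    const expected = await hotp(key, c, digits, hash);
    let diff = expected.length ^ code.length;   // compare without an early exit
    for (let i = 0; i < expected.length; i++) diff |= expected.charCodeAt(i) ^ code.charCodeAt(i);
    if (diff === 0) ok = true;
  }
  return ok;
}
```

With the RFC 6238 test secret `GEZDGNBVGY3TQOJQGEZDGNBVGY3TQOJQ`, `totp(secret, { time: 59, digits: 8 })` resolves to `94287082`.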
What is the difference between SHA-1 and SHA-256 for TOTP?
SHA-1 is the default algorithm used by most authenticator apps and services (including Google Authenticator). SHA-256 provides a larger HMAC output and stronger security margin, but not all authenticator apps support it. Use SHA-1 unless your service specifically requires SHA-256.
Related Tools
Base32 Encode / Decode
Encode and decode Base32 strings. Commonly used for TOTP secrets, OTP keys, and binary-to-text encoding.
HMAC Generator
Generate HMAC signatures using MD5, SHA-1, SHA-256, SHA-384, and SHA-512 with hex or Base64 output.
Password Generator
Generate secure passwords and passphrases with entropy-based strength analysis.
QR Code Generator
Generate QR codes from text, URLs, or WiFi credentials with customizable size, colors, and error correction.
Bcrypt Generator
Generate bcrypt password hashes and verify passwords against existing hashes. Configurable salt rounds.