TOTP Code Generator
TOTP (Time-based One-Time Password, RFC 6238) is the algorithm behind Google Authenticator, Authy, 1Password's 2FA codes, and most enterprise multi-factor systems. Paste the Base32 secret your service gave you when you set up 2FA — the same string encoded in the QR code — and this tool shows the current six-digit code, a live ring counting down the seconds until the next rotation, and the upcoming code so you can plan around the rotation boundary. Digits (6/7/8), period (15/30/60/120 seconds), and HMAC hash (SHA-1, SHA-256, SHA-512) are all configurable to match whatever flavor your service uses; defaults match the Google Authenticator spec. Everything is computed in your browser using the Web Crypto API; no secrets are ever sent over the network. This tool is meant for testing your own 2FA setups, recovering codes from secrets you control, or building/debugging authenticator flows — not for bypassing authentication on accounts you don't own.
How to use
- Paste your Base32 TOTP secret (the long string of letters and digits from setup) into the secret field. Spaces and dashes are tolerated.
- Match the digits, period, and algorithm settings to whatever your service uses. The Google Authenticator defaults are 6 digits / 30 s / SHA-1.
- Read off the current code; click it to copy. Watch the countdown ring — when it's near zero, glance at the 'Next' panel so you can choose whether to use the current or upcoming code.
- If the code is rejected, double-check that the device's clock is synchronized — TOTP depends on Unix time being correct to the second.
Frequently asked questions
- Is this safe to use? Will my secret be sent anywhere?
- Nothing leaves your browser. The Base32 decode and the HMAC-SHA computation both run via the Web Crypto API on your device. Inspect the network tab if you want to confirm. That said, treat any TOTP secret like a password — paste it only into tools you trust, and never share screenshots that expose the secret string.
- Which settings should I pick?
- Default values (6 digits, 30 seconds, SHA-1) match the Google Authenticator spec and work with most services. Some banks and enterprise systems use 8 digits, 60 seconds, or SHA-256 / SHA-512 — they'll usually mention this during setup, or you'll see it in the otpauth:// URI. Mismatched parameters silently produce wrong codes.
- My code is rejected — what's wrong?
- Most often it's a clock-sync issue. TOTP uses your device's Unix time, so if your laptop is more than ~30 seconds off real time, every code will fail. Sync your clock (most OSes do this automatically; check NTP settings). Other causes: wrong digits / period / algorithm, missing or extra characters in the secret, or the secret was for a different account.
- What's the difference between TOTP and HOTP?
- HOTP (RFC 4226) increments a counter every time you press 'next code'; you and the server have to stay in sync on that counter. TOTP (RFC 6238) replaces the counter with the current Unix time divided by the period — so the code rotates automatically. Modern 2FA almost universally uses TOTP.
- Can I import a QR code or otpauth:// URI?
- Not in this tool — paste the Base32 secret directly. If you have an otpauth:// URI, the secret is the value after 'secret=' in the query string. If you only have a QR code image, scan it with a separate decoder first, then paste the secret here.
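The computation described above, as an added example in JavaScript using the Web Crypto API (this is not the tool's own source code): Base32-decode the secret, HMAC the time step as HOTP does with its counter, then truncate to the chosen number of digits. The function names and the `require` fallback for Node are assumptions, and the sample secret is the RFC 6238 test key, not a real account secret.

```javascript
// Added example (not the tool's source). Web Crypto in the browser; the
// require() fallback is an assumption for older Node without a global crypto.
const subtle = (globalThis.crypto ?? require("node:crypto").webcrypto).subtle;
const B32 = "ABCDEFGHIJKLMNOPQRSTUVWXYZ234567";

// Decode a Base32 secret, tolerating spaces, dashes, lowercase and '=' padding.
function base32Decode(text) {
  const out = [];
  let bits = 0, value = 0;
  for (const ch of text.toUpperCase().replace(/[\s=-]/g, "")) {
    const idx = B32.indexOf(ch);
    if (idx < 0) throw new Error(`invalid Base32 character: ${ch}`);
    value = ((value << 5) | idx) & 0xfff; // keep only the bits not yet emitted
    bits += 5;
    if (bits >= 8) {
      bits -= 8;
      out.push((value >>> bits) & 0xff);
    }
  }
  return new Uint8Array(out); // leftover bits (< 8) are padding and are dropped
}

// HOTP (RFC 4226): HMAC over the 8-byte big-endian counter, dynamic truncation.
async function hotp(keyBytes, counter, { digits = 6, algorithm = "SHA-1" } = {}) {
  const key = await subtle.importKey(
    "raw", keyBytes, { name: "HMAC", hash: algorithm }, false, ["sign"]);
  const msg = new DataView(new ArrayBuffer(8));
  msg.setBigUint64(0, BigInt(counter));
  const mac = new Uint8Array(await subtle.sign("HMAC", key, msg.buffer));
  const offset = mac[mac.length - 1] & 0x0f; // low nibble picks 4 bytes
  const bin = new DataView(mac.buffer).getUint32(offset) & 0x7fffffff;
  return String(bin % 10 ** digits).padStart(digits, "0");
}

// TOTP (RFC 6238): the counter is floor(unixSeconds / period).
async function totp(secret, unixSeconds, opts = {}) {
  const period = opts.period ?? 30;
  const step = Math.floor(unixSeconds / period);
  const key = base32Decode(secret);
  return {
    current: await hotp(key, step, opts),
    next: await hotp(key, step + 1, opts),
    secondsLeft: period - (Math.floor(unixSeconds) % period),
  };
}

// Constructed sample: the RFC 6238 test key in Base32, grouped as a setup
// screen might show it. Not a real account secret.
totp("gezd gnbv-gy3t qojq gezd-gnbv gy3t qojq", Math.floor(Date.now() / 1000))
  .then((r) => console.log(r));
```

Passing `{ digits: 8, period: 60, algorithm: "SHA-256" }` as the third argument selects the other settings the page lists; a mismatch with the service's settings yields a well-formed but wrong code rather than an error.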