TOTP Generator

Generate two-factor authentication (TOTP) one-time passcodes from a Base32 secret key, entirely in your browser.

Input data is processed in your browser
Data is never sent to a server

Tool

Enter the Base32 secret key shown when you set up an authenticator app. It's processed entirely in your browser and never stored or transmitted.

What is the TOTP Generator?

This tool generates one-time passcodes from a Base32 secret key using the same algorithm (RFC 6238) as TOTP apps like Google Authenticator. It’s useful for testing two-factor authentication flows in an app you’re developing, or for quickly checking a backup code.

Key Features

  • Supports HMAC-SHA1 / SHA-256 / SHA-512
  • Choose between 6 and 8-digit codes
  • Choose between 30 and 60-second refresh intervals
  • Countdown indicator showing time remaining
  • One-click copy to clipboard

About Security

Secret key input and code generation happen entirely in your browser — nothing is sent externally. This tool also does not persist the secret key in localStorage, so your input is cleared when you leave the page.

How to Use

  1. Paste the Base32 secret key shown when you set up an authenticator app.
  2. Adjust the algorithm (SHA-1/SHA-256/SHA-512), digit count, and refresh interval if needed.
  3. A 6 or 8-digit one-time passcode is displayed in real time and refreshes automatically based on the countdown.
  4. Click the code or use the copy button to copy it to your clipboard.

FAQ

What is TOTP?

TOTP (Time-based One-Time Password) is an algorithm that generates a one-time password from a shared secret key and the current time (RFC 6238). It's the mechanism behind two-factor authentication apps such as Google Authenticator, Authy, and 1Password.

Is my secret key sent to a server?

No. All computation happens locally in your browser using the Web Crypto API. Your secret key is never sent to or stored on a server.

Why doesn't the code match my authenticator app?

A mismatched device clock is the most common cause, since TOTP is calculated from the current time. Make sure your device's clock is accurately synced, and check that the algorithm, digit count, and refresh interval match the service's settings.

Can I use this for production two-factor authentication?

This tool is intended for testing and development/debugging purposes. For everyday two-factor authentication, we recommend a dedicated authenticator app (Google Authenticator, Authy, etc.) or a password manager.