Zero Signup Tools: Free browser tools

HOTP Generator

Generate counter-based HOTP codes from a Base32 secret in your browser. RFC 4226 correct, with a lookahead window, code verify, and otpauth URI.

Use test secrets only

Codes are computed locally in your browser using the Web Crypto API. Your secret never leaves the page. Even so, treat OTP secrets like passwords. Use this tool with development or test secrets you generated yourself, not the secret behind a real account or token.

Paste any RFC 4648 Base32 secret. Spaces, dashes, lowercase letters, and missing padding are accepted. The sample is the RFC 4226 test secret, so its codes match the published reference values.

The moving factor. HOTP counters start at 0 and increase by one each time a code is used. Use the buttons to walk the sequence the way a token does after each press.

Verify a code (resync search)

Enter a 6-digit code to search the current counter and the lookahead window for a match, the way a server resynchronises a token.

otpauth provisioning URI

HOTP URIs carry a counter parameter. Many authenticator apps accept this directly. Pair it with our QR Code Generator to scan it in.

Provisioning URI

otpauth://hotp/Zero%20Signup%20Tools:user%40example.com?secret=GEZDGNBVGY3TQOJQGEZDGNBVGY3TQOJQ&issuer=Zero+Signup+Tools&algorithm=SHA1&digits=6&counter=0

Diagnostics

  • Counter: 0
  • Algorithm: SHA-1
  • Digits: 6
  • Secret bytes: 20 (160 bits)

HOTP truncation is identical to TOTP; only the moving factor differs (an explicit counter rather than floor(unix-time / period)). Server libraries such as PyOTP, otplib, oathtool, and the OATH Toolkit compute the same value for the same secret, counter, algorithm, and digits.

How to use

  1. Paste a Base32 secret into the input area, or click Generate random secret to create a fresh test secret in your browser. Load sample uses the RFC 4226 test secret so the codes match the published reference values.
  2. Enter the counter (the moving factor). HOTP counters start at 0 and increase by one each time a code is used. Use the plus and minus buttons to step through the sequence like a token does.
  3. Pick the algorithm and digit count to match the token or server you are testing. SHA-1 with 6 digits is the RFC default and matches almost every OATH-HOTP token.
  4. Read the HOTP code for your counter at the top, and use the lookahead window below to see the next consecutive codes a server would accept while resynchronising a drifted token.
  5. Use the verify panel to paste a code and search the current counter and lookahead window for it; the result shows which counter matched and how far ahead it is.
  6. Optionally fill in an issuer and account name to build an otpauth:// HOTP URI, then pass that URI to the QR Code Generator to scan it into an authenticator.

About this tool

HOTP Generator computes HMAC-Based One-Time Passwords, the counter-based one-time password defined by RFC 4226, from any Base32 shared secret and an explicit counter value. HOTP is the event-based sibling of TOTP: instead of deriving the moving factor from the clock, it uses a counter that increments by one every time a code is consumed. It is the algorithm behind OATH-HOTP hardware tokens (such as YubiKey OATH-HOTP slots and programmable c-series keys), many bank and VPN tokens, and any entry an authenticator labels event-based rather than time-based.

The truncation math is identical to TOTP: HMAC the 8-byte big-endian counter with the secret, take the dynamic-truncation offset from the low nibble of the last byte, read a 31-bit integer from there, and reduce modulo 10 to the power of the digit count. The browser's native Web Crypto API performs the HMAC, so SHA-1, SHA-256, and SHA-512 are all supported and the secret never leaves your device. This implementation has been checked against the RFC 4226 Appendix D reference vectors, and the tool ships that exact test secret as its sample, so counters 0 through 9 display the published values (755224, 287082, 359152, and so on) and you can confirm correctness at a glance.

The main output shows the code for the counter you enter, with plus and minus buttons to walk the sequence the way a token advances after each press. Below it, a configurable lookahead window lists the next 5, 10, or 20 consecutive counters and their codes, which is exactly the window a server walks to resynchronise a token whose counter has drifted ahead, per RFC 4226 section 7.4. A verify panel takes a code typed by a user and searches the current counter and the lookahead window for a match, reporting which counter produced it and how far ahead it is, so a desynchronised token is easy to diagnose.

The tool also builds an otpauth:// provisioning URI of type hotp (carrying a counter parameter rather than the period parameter a TOTP URI uses), ready to drop into a QR code that an authenticator can scan. Algorithm, digit count (6, 7, or 8), counter, and lookahead size are all configurable.

It is useful for testing event-based 2FA code paths, debugging a custom HOTP backend, resynchronising or auditing a hardware token, learning how HOTP differs from TOTP, and sanity-checking a library such as PyOTP, otplib, the OATH Toolkit, or oathtool against a known-good reference. This tool is for testing, debugging, and learning: use development or test secrets you generated yourself, never the secret behind a real account. Everything runs locally in your browser with no signup, no upload, and no external API call.
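The truncation and resync search described above, as an added Python example for checking a server-side implementation against the RFC 4226 sample secret. It is not the tool's own code (which uses the Web Crypto API), and the names `decode_secret`, `hotp` and `verify` are chosen here for illustration.

```python
import base64
import hashlib
import hmac
import struct

# Illustrative names (decode_secret, hotp, verify) are chosen for this example.
# RFC 4226 Appendix D test secret, the sample shown on the page.
RFC_SECRET = "GEZDGNBVGY3TQOJQGEZDGNBVGY3TQOJQ"
ALGORITHMS = {"SHA1": hashlib.sha1, "SHA256": hashlib.sha256, "SHA512": hashlib.sha512}


def decode_secret(b32: str) -> bytes:
    """Accept spaces, dashes, lowercase and missing padding, as the page describes."""
    cleaned = b32.replace(" ", "").replace("-", "").rstrip("=").upper()
    cleaned += "=" * (-len(cleaned) % 8)  # restore padding to a multiple of 8
    return base64.b32decode(cleaned)


def hotp(secret: bytes, counter: int, digits: int = 6, algorithm: str = "SHA1") -> str:
    # HMAC over the 8-byte big-endian counter.
    mac = hmac.new(secret, struct.pack(">Q", counter), ALGORITHMS[algorithm]).digest()
    # Dynamic truncation: low nibble of the last byte selects a 4-byte window.
    offset = mac[-1] & 0x0F
    value = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF  # 31 bits
    return str(value % 10 ** digits).zfill(digits)


def verify(secret, code, counter, lookahead=5, digits=6, algorithm="SHA1"):
    """Search counter..counter+lookahead; return (matched_counter, distance) or None.

    Every candidate is compared with a constant-time check and the loop never
    exits early, so timing does not reveal where in the window a match fell.
    """
    match = None
    for candidate in range(counter, counter + lookahead + 1):
        expected = hotp(secret, candidate, digits, algorithm).encode()
        if hmac.compare_digest(expected, code.encode()) and match is None:
            match = candidate
    return None if match is None else (match, match - counter)


if __name__ == "__main__":
    key = decode_secret(RFC_SECRET)
    print([hotp(key, c) for c in range(3)])
    # Server expects counter 1, token has advanced to counter 4.
    print(verify(key, "338314", counter=1))
```

On a successful match a server stores the matched counter plus one as its new expected counter, so the accepted code and every earlier one in the window stop verifying.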

Free to use. Works in your browser. No signup, no login.
