otpauth URI Parser

How to use

1. 1Paste an otpauth:// URI into the input area. You can get one by scanning a 2FA QR code with the QR Code Decoder, exporting from a password manager, or copying it from an enrollment endpoint.
2. 2Read the Parsed fields table for the type, label issuer, account, issuer query, secret (with bit length), algorithm, digits, and period or counter. Each field has a hint and copy button.
3. 3Check the validation list. Errors are red and block code generation; warnings are amber and explain compatibility caveats (Google Authenticator only displays 6 digits, only honors SHA-1, only uses 30 second periods).
4. 4For TOTP URIs, watch the live preview: current code, previous code, next code, and a countdown bar showing how many seconds remain in the period. Compare against your authenticator app to confirm the secret matches.
5. 5For HOTP URIs, read the counter table: the code at the URI counter plus the next five codes a HOTP authenticator will advance through.
6. 6Use the Normalized URI to copy a clean canonicalized version (uppercase Base32, no padding, default values elided) for use elsewhere. Use the Manual entry values to add the same account by hand to an app that does not accept otpauth links.
7. 7Switch to Batch parse to inspect a whole list of otpauth URIs at once. Useful when auditing an authenticator export or reviewing a backup before importing it.

About this tool

otpauth URI Parser decodes the Google Authenticator Key URI Format, the de facto standard scheme used by every popular 2FA setup link. Paste an otpauth:// URI (the one your QR code decoded to, the one a password manager exported, or the one your server emitted during enrollment) and the tool splits it into the eight standard fields: type (totp or hotp), label issuer, account, issuer query parameter, secret, algorithm, digits, and period or counter. Each field is validated against the published spec at https://github.com/google/google-authenticator/wiki/Key-Uri-Format and against the RFC 4226 plus RFC 6238 grammars that authenticator implementations rely on. Common mistakes are flagged with targeted messages: a missing secret, a counter that should not appear on a TOTP URI, a period that should not appear on a HOTP URI, a Base32 secret with lowercase letters or padding or whitespace that some authenticators reject, an algorithm or digits value that Google Authenticator silently ignores, a label issuer that disagrees with the issuer query parameter, a secret shorter than the RFC 4226 minimum of 128 bits, and an unknown query parameter that is not part of the spec. For TOTP URIs the tool computes the current, previous, and next codes live in your browser using SubtleCrypto HMAC and a countdown bar so you can confirm the URI matches what your authenticator app is showing right now. For HOTP URIs the tool shows the code at the starting counter and the next five consecutive codes. A batch mode accepts a list of URIs (one per line) and produces a compact per-row table so you can audit an entire authenticator export at once. A manual entry panel reformats the secret with the standard 4-character grouping that Google Authenticator prints under a QR code for setup-by-hand, plus separate copy buttons for the secret, the issuer, the account, the algorithm, the digits, and the period or counter. The normalized URI output canonicalizes the secret (uppercase, no padding, no whitespace), drops parameters that are at their defaults, and is safe to feed into any authenticator that accepts otpauth links. Useful for migrating accounts between Google Authenticator, Authy, 1Password, Bitwarden, Microsoft Authenticator, Duo Mobile, FreeOTP, Aegis, and Raivo; for debugging custom 2FA backends that emit otpauth URIs; for security audits that need to verify the parameters baked into a QR code; and for recovering the underlying secret before deleting an authenticator entry. Parsing, validation, and code computation all run locally; the URIs you paste here and the secrets they contain never leave your device.

Free to use. Works in your browser. No signup, no login.