TOTP Generator

How to use

1. 1Paste a Base32 secret into the input area, or click Generate random secret to create a fresh test secret in your browser.
2. 2Pick the algorithm, digit count, and period that match the server you are testing. The defaults (SHA-1, 6 digits, 30 seconds) match Google Authenticator and most consumer 2FA setups.
3. 3Watch the current code update in real time. The progress bar shows how many seconds remain before the code rolls to the next window.
4. 4Use the verify panel to check a code typed by a user against the previous, current, and next windows so clock-skew issues are easy to spot.
5. 5Optionally fill in an issuer and account name to build an otpauth:// URI, then pass that URI to the QR Code Generator to scan it into any authenticator.

About this tool

TOTP Generator computes Time-Based One-Time Passwords from any Base32 shared secret, the same way Google Authenticator, Authy, 1Password, Microsoft Authenticator, FreeOTP, and every RFC 6238 conformant server library does. The math is small and standardized: counter = floor(unix-time / period), HMAC the counter with the secret, dynamically truncate to a 31-bit integer, and reduce modulo 10^digits. The browser's native Web Crypto API performs the HMAC, so SHA-1, SHA-256, and SHA-512 are all supported and your secret never leaves the device. The output panel shows three codes side by side: the previous, current, and next window. That mirrors what every server validates against to tolerate a few seconds of clock skew between the user's authenticator and the server. A live progress bar and a real-time seconds-remaining counter on the current window make it easy to see when the code is about to roll over. A verify panel accepts a code typed by a user and reports which window it matched, so debugging a failing 2FA setup becomes a one-glance task. The tool also builds an otpauth:// provisioning URI from the secret, issuer, and account, ready to drop into a QR code that any authenticator can scan. Algorithm, digits (6, 7, or 8), and period (30, 60, or 90 seconds) are all configurable so the tool can stand in for an authenticator across the most common variations. A diagnostics panel shows the unix time, computed counter T, time remaining in the current window, and the decoded secret length in bytes and bits, which is everything you need to align this tool's output with any server library, command line tool such as oathtool, or library such as PyOTP, otplib, or speakeasy. Useful for testing 2FA code paths, validating an authenticator's clock against a server, recovering temporary access during onboarding, building or debugging an authenticator app, comparing TOTP and HOTP behavior, and sanity-checking a RFC 6238 implementation against a known-good reference. Works locally in your browser with no signup, no upload, and no external API call.

Free to use. Works in your browser. No signup, no login.