TOTP Generator

What is TOTP Generator?

The TOTP Generator is a free online tool that turns a base32 shared secret into the same time-based one-time password (TOTP) that authenticator apps like Google Authenticator, Authy, or Microsoft Authenticator produce. Developers and QA engineers use it to test two-factor authentication flows, recover access when a key from an otpauth:// URI is on hand, or verify that a 2FA setup works without scanning a QR code. It implements RFC 6238 on top of RFC 4226 HOTP, computing an HMAC-SHA1 of the time counter and applying dynamic truncation to a 6- or 8-digit code that rolls over every period. The code and the seconds-remaining countdown refresh live each second, and a one-click button mints a fresh cryptographically random base32 secret for new test accounts.

How to use TOTP Generator

1. Paste your base32 secret into the Secret field, or click Generate secret to mint a fresh random one. Spaces and hyphens are ignored.
2. Pick 6 or 8 digits to match what your service expects.
3. Set the Period in seconds (30 is the standard used by almost every authenticator app).
4. Read the current code from the Code field; it updates on its own and the countdown shows how long it stays valid.
5. Copy the code with the copy button before the countdown reaches zero, or wait for the next one to roll in.

Examples

Frequently asked questions

Is my secret uploaded anywhere?

No. The base32 secret stays in your browser. The code is computed locally with the Web Crypto API (HMAC-SHA1), and nothing is sent to or stored on any server, so the tool works offline and your secret never leaves the page.

Why doesn't my code match my authenticator app?

TOTP depends on the current time and the exact secret, digit length, and period. Check that the digits (6 vs 8) and period (usually 30 seconds) match your service, that you pasted the full secret, and that your device clock is accurate, since a large clock skew shifts the code.

What format does the secret need to be in?

A base32 string using the letters A-Z and digits 2-7, the same encoding shown in an otpauth:// setup URI or under a QR code. Spaces, hyphens, lowercase letters, and trailing = padding are accepted; any other character is flagged as invalid.

Which algorithm and standard does this use?

It implements RFC 6238 TOTP over RFC 4226 HOTP using HMAC-SHA1, the default that virtually all authenticator apps use. SHA-256 or SHA-512 variants are not currently offered.

Can I generate a secret here instead of pasting one?

Yes. Generate secret creates a cryptographically random 20-byte key with crypto.getRandomValues and encodes it as base32, ready to register in the app you are protecting.