TOTP 2FA Code Generator

Generate live TOTP codes from a Base32 secret key, verify existing codes, or create an otpauth:// URI for QR scanning. 100% client-side.

How to Use the TOTP Generator

  1. Paste your Base32 secret — find it in your 2FA setup page, usually shown as a text code below the QR code.
  2. Watch the live code — a 6-digit code appears and updates automatically every 30 seconds. A countdown ring shows time remaining.
  3. Match settings — set digits (6 or 8) and period (30 or 60 seconds) to match your service's configuration. Most services use 6 digits and 30 seconds.
  4. Verify a code — switch to Verify mode to check if a specific code is valid for the current time window.
  5. Generate a QR URI — switch to QR Setup to generate an otpauth:// URI you can convert to a QR code for scanning.

How TOTP Works

TOTP (Time-based One-Time Password) is defined in RFC 6238 and builds on HOTP, the HMAC-based One-Time Password algorithm (RFC 4226). The algorithm works as follows:

  1. Divide the current Unix timestamp by the period (30 seconds) to get the time counter T.
  2. Compute HMAC-SHA1 of T (as an 8-byte big-endian integer) using the shared Base32-decoded secret key.
  3. Take the last nibble (4 bits) of the HMAC as an offset.
  4. Extract a 31-bit integer from the HMAC starting at the offset.
  5. Take that number modulo 10^digits to get the final code (padded with leading zeros if needed).

Both your device and the server independently perform this computation at the same time, producing the same result without any network communication. This is what makes TOTP both secure and offline-capable.
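
The five steps above as a runnable Python example (added here for illustration, not this tool's own code), using the RFC 6238 SHA-1 test key as sample input. The function names are illustrative assumptions, and `verify` accepts the current window plus one on each side, the drift tolerance described under "Why 30 Seconds?".

```python
import base64
import hashlib
import hmac
import struct
import time

# RFC 6238 Appendix B SHA-1 test key, Base32-encoded here for use as sample input.
RFC_SECRET = base64.b32encode(b"12345678901234567890").decode()


def decode_secret(secret_b32: str) -> bytes:
    """Normalise a pasted secret: drop spaces, uppercase, restore '=' padding."""
    cleaned = secret_b32.replace(" ", "").upper().rstrip("=")
    cleaned += "=" * (-len(cleaned) % 8)
    return base64.b32decode(cleaned)  # raises binascii.Error outside A-Z / 2-7


def hotp(key: bytes, counter: int, digits: int = 6) -> str:
    # Step 2: HMAC-SHA1 over the counter as an 8-byte big-endian integer.
    mac = hmac.new(key, struct.pack(">Q", counter), hashlib.sha1).digest()
    # Step 3: low 4 bits of the last byte select the offset (0..15).
    offset = mac[-1] & 0x0F
    # Step 4: four bytes at that offset, top bit cleared -> 31-bit integer.
    value = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    # Step 5: reduce modulo 10^digits and left-pad with zeros.
    return str(value % 10 ** digits).zfill(digits)


def totp(secret_b32: str, now=None, digits: int = 6, period: int = 30) -> str:
    now = time.time() if now is None else now
    # Step 1: time counter T = floor(unix_time / period).
    return hotp(decode_secret(secret_b32), int(now // period), digits)


def verify(secret_b32: str, code: str, now=None, digits: int = 6,
           period: int = 30, window: int = 1) -> bool:
    """Accept the current time step plus `window` steps on each side."""
    now = time.time() if now is None else now
    key, counter = decode_secret(secret_b32), int(now // period)
    ok = False
    for step in range(max(0, counter - window), counter + window + 1):
        candidate = hotp(key, step, digits).encode()
        # Constant-time compare; no early exit, so timing does not reveal the step.
        ok |= hmac.compare_digest(candidate, code.encode())
    return ok


if __name__ == "__main__":
    print(totp(RFC_SECRET, now=59, digits=8))  # RFC 6238 vector for T=59
```

A code issued at T=59 still verifies at T=89 with the default window, which is the up-to-90-second validity the page mentions; passing `window=0` restricts acceptance to the current step only.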

Base32 Format

TOTP secrets are encoded in Base32 — an encoding that uses only uppercase letters A–Z and digits 2–7 (no 0, 1, 8, or 9 to avoid visual confusion). When you set up 2FA on a service, you typically see a QR code. Behind that QR code is an otpauth:// URI that contains your Base32 secret. Most services also show the raw Base32 text as a backup in case you cannot scan the QR code. Common secret lengths are 16 characters (80-bit) or 32 characters (160-bit).

Why 30 Seconds?

The 30-second window is a balance between security and usability. Shorter windows (like 10 seconds) would make clock drift a bigger problem. Longer windows (like 60 or 120 seconds) would give attackers more time to use a stolen code. Most TOTP implementations accept the current window plus one window on each side to account for clock drift — giving an effective validity of up to 90 seconds for a phished code. This is why it is important to combine TOTP with a strong password rather than relying on it alone.

Common TOTP Issues

  • Code not matching — most likely clock skew. Ensure your device's time is synchronized. On Windows, run w32tm /resync. On Linux/macOS, enable NTP.
  • Invalid Base32 — remove spaces and use only A–Z and 2–7 characters. Some services add spaces for readability; this tool strips them automatically.
  • Wrong digits or period — check your service's documentation. Most use 6 digits / 30s, but some enterprise apps use 8 digits or 60s periods.

For related security tools, see the HMAC Generator (TOTP uses HMAC internally), the Password Hasher, and the Base64 Encoder.

Frequently Asked Questions

TOTP (Time-based One-Time Password) is a two-factor authentication algorithm defined in RFC 6238. It generates a short numeric code (typically 6 digits) that changes every 30 seconds, derived from the current Unix timestamp and a shared secret key using HMAC-SHA1. Apps like Google Authenticator, Authy, and Bitwarden all implement TOTP.
This tool runs entirely in your browser — no data is sent to any server. However, treat your TOTP secret with care. This tool is intended for developers testing their own 2FA implementations or recovering access. For production 2FA, prefer a dedicated authenticator app stored in a secure password manager.
TOTP secrets are encoded in Base32 (uppercase letters A-Z and digits 2-7, with optional spaces for readability). You get the secret when you first enable 2FA on a service — it is usually shown as a QR code with a text backup option. Copy the text string and paste it here.
The most common cause is clock skew: your device's time differs from the server's. Ensure your device's time is synchronized via NTP. Other causes include a wrong Base32 secret, the wrong algorithm, or the wrong digit count (6 vs 8). The verify mode checks the current window plus one window on each side to account for minor clock drift.
An otpauth:// URI is the standard format for encoding TOTP configuration for QR scanning. Format: otpauth://totp/ISSUER:ACCOUNT?secret=BASE32SECRET&issuer=ISSUER&digits=6&period=30. Most authenticator apps can scan this URI to add a 2FA account. The QR Setup tab generates the correct URI for your parameters.