💻 Developer Tools

TOTP Generator (One-Time Passwords)

From a Base32 secret, generate the same time-based one-time passwords (TOTP) as authenticator apps (Google Authenticator etc.), with a live countdown. For testing 2FA and backup. The secret is never stored or sent — codes are computed with the browser's Web Crypto API.

Examples (click to try)

Spaces, lowercase and hyphens are tolerated. Your input is not stored.

Enter a Base32 secret to see the code

How to use the TOTP generator

Press one of the "Examples (click to try)" chips, or enter the Base32 secret a service gave you. It shows the code live as you type; the bar below shows time remaining and it refreshes automatically every period (30 seconds by default). Use "Copy code" for the clipboard. If the digits, period or algorithm differ from the defaults (6 digits, 30 seconds, SHA-1), set them in the menus above. Paste an otpauth:// URI and it reads the secret and settings automatically.

Example

Enter secret JBSWY3DPEHPK3PXP (6 digits, 30 seconds, SHA-1) and a 6-digit code appears that changes every 30 seconds. With a correct device clock, it matches an authenticator app set up with the same secret.

  • Digits: most services use 6. 7 and 8 are also supported.
  • Period: how often the code rotates. The standard is 30 seconds.
  • Algorithm: SHA-1 by default. Some services use SHA-256/512.
  • QR code: shows an otpauth:// QR you can import into an authenticator app (handle with care — it contains the secret).

Using it safely

  • The secret is never stored or sent (memory only; cleared on reload).
  • Don't use it on shared computers or in public. A TOTP secret is as sensitive as a password.
  • If your device clock is off, the codes won't be correct.

To create a fresh secret, see the Password Generator; to make a QR separately, the QR Code Generator helps.

FAQ

Is my secret stored or sent anywhere?
No. The secret key is used only in your browser's memory — it is not saved to localStorage or sent to any server. Reloading the page clears your input. Codes are computed entirely with the browser's Web Crypto API.
Will it match Google Authenticator?
Yes. It follows standard TOTP (RFC 6238), so with the same secret, digits, period and algorithm (defaults: SHA-1, 6 digits, 30 seconds) it produces the same codes as authenticator apps like Google Authenticator — provided your device clock is correct.
Is it OK to generate login codes here?
It is intended for testing and backup. The secret never leaves your device, but a TOTP secret should normally be kept securely in an offline authenticator app. Avoid shared computers and use it understanding what it does.