// generate 2fa totp codes from your secret key
Generate time-based one-time passwords (TOTP) from a secret key for 2FA testing and development. RFC 6238 compliant, browser-based, no data sent to server.
Paste your Base32-encoded TOTP secret from your authenticator app setup page or QR code scan.
Select the algorithm (SHA-1 is standard), code length (6 or 8 digits), and time step period.
Click Generate to see the current TOTP code. Use Live mode for auto-refresh every second.
TOTP (Time-Based One-Time Password) is an algorithm defined in RFC 6238 that generates short-lived numeric codes using a shared secret and the current time. It powers Google Authenticator, Authy, and most 2FA systems.
No. All TOTP computation happens entirely in your browser using the Web Crypto API. Your secret key never leaves your device. No data is transmitted to any server.
The most common cause is clock skew — your system time must be accurate. Also verify you're using the correct algorithm (SHA-1 is standard for Google Authenticator), digits (6), and period (30s).
Base32 is an encoding scheme using the characters A-Z and 2-7. TOTP secrets are typically stored and shared in Base32 format. The secret is often shown as a string like JBSWY3DPEHPK3PXP in QR code setup pages.
This tool supports SHA-1 (the most common, used by Google Authenticator), SHA-256, and SHA-512. Most services use SHA-1 with 6-digit codes and a 30-second period.
Many TOTP implementations accept the adjacent time windows (±1 period) to account for clock drift between client and server. Seeing all three codes helps you test window tolerance in your system.
Yes. Enter a Unix timestamp in the Custom Timestamp field to generate the TOTP code for any specific point in time. Leave it empty to use the current system time.
A TOTP Code Generator is a developer tool that computes Time-Based One-Time Passwords (TOTP) from a shared secret key. TOTP is the algorithm behind nearly every modern two-factor authentication (2FA) system, including Google Authenticator, Authy, Microsoft Authenticator, and hardware tokens like YubiKey.
This tool implements RFC 6238 — the IETF standard for TOTP — entirely in the browser using the Web Crypto API. No secret key data is ever transmitted to a server, making it safe for development and testing workflows.
TOTP extends HOTP (HMAC-Based One-Time Password, RFC 4226) by replacing the counter with a time-based value. The algorithm works as follows:
T = floor(timestamp / period).
The TOTP standard defines several configurable parameters:
When integrating TOTP-based 2FA into a web application, developers frequently need to generate valid codes during testing without relying on a mobile authenticator app. This tool fills that gap by computing codes directly in the browser.
Common testing scenarios include:
TOTP secrets should be treated like passwords. Never expose them in client-side code, log files, or version control. Use environment variables or a secrets manager in production. The 30-second window is intentional — it provides a balance between usability and security, limiting the window during which a code could be replayed.
This tool performs all cryptographic operations using the browser's native Web Crypto API (SubtleCrypto.sign), which is FIPS-compliant in modern browsers. No third-party cryptography libraries are loaded.
TOTP secrets are distributed in Base32 encoding because it uses a restricted character set (A-Z, 2-7) that is unambiguous in both uppercase and lowercase and avoids confusing characters like 0/O and 1/l/I. When a user scans a QR code to set up 2FA, the secret embedded in the otpauth://totp/ URI is Base32-encoded.
This tool automatically normalizes your input by removing spaces, converting to uppercase, and stripping any non-Base32 characters before decoding. A validation error is shown if the decoded secret is empty or malformed.
HOTP (RFC 4226) uses an event-based counter that increments with each use. TOTP (RFC 6238) uses a time-based counter synchronized to UTC. TOTP is preferred for most consumer 2FA because it doesn't require state synchronization between the authenticator and the server — both parties can independently compute the expected code from the current time and the shared secret.
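The steps described on this page (Base32 normalization, T = floor(timestamp / period), HMAC through Web Crypto, and the ±1 period window check) can be put together as follows. This is an added example, not this tool's own source; the function names `base32Decode`, `hotp`, `totp` and `verify` are chosen for illustration.

```javascript
// Added example (not the tool's source): RFC 6238 TOTP over Web Crypto; require() is a fallback for older Node.
const subtle = globalThis.crypto?.subtle ?? require('node:crypto').webcrypto.subtle;
const B32 = 'ABCDEFGHIJKLMNOPQRSTUVWXYZ234567';

// Normalize (uppercase, drop spaces, padding and other non-Base32 chars), then decode.
function base32Decode(input) {
  const clean = input.toUpperCase().replace(/[^A-Z2-7]/g, '');
  const out = [];
  let bits = 0, acc = 0;
  for (const ch of clean) {
    acc = (acc << 5) | B32.indexOf(ch);
    bits += 5;
    if (bits >= 8) {
      bits -= 8;
      out.push((acc >>> bits) & 0xff);
      acc &= (1 << bits) - 1; // keep only the bits not yet emitted
    }
  }
  if (out.length === 0) throw new Error('empty or malformed Base32 secret');
  return new Uint8Array(out);
}

// HOTP (RFC 4226) for one counter value: HMAC, dynamic truncation, modulo 10^digits.
async function hotp(keyBytes, counter, { hash = 'SHA-1', digits = 6 } = {}) {
  const msg = new DataView(new ArrayBuffer(8));
  msg.setBigUint64(0, BigInt(counter)); // 8-byte big-endian counter
  const key = await subtle.importKey('raw', keyBytes, { name: 'HMAC', hash }, false, ['sign']);
  const mac = new Uint8Array(await subtle.sign('HMAC', key, msg.buffer));
  const off = mac[mac.length - 1] & 0x0f; // low nibble of last byte selects the offset
  const bin = ((mac[off] & 0x7f) << 24) | (mac[off + 1] << 16) | (mac[off + 2] << 8) | mac[off + 3];
  return String(bin % 10 ** digits).padStart(digits, '0');
}

// TOTP: the HOTP counter is T = floor(timestamp / period); timestamp is Unix seconds.
async function totp(secretB32, timestamp, opts = {}) {
  const T = Math.floor(timestamp / (opts.period ?? 30));
  return hotp(base32Decode(secretB32), T, opts);
}

// Window check over T, T-1, T+1; returns the matching offset or null.
// A production verifier should also reject reuse of an already accepted counter.
async function verify(secretB32, code, timestamp, opts = {}) {
  const period = opts.period ?? 30;
  for (const offset of [0, -1, 1]) {
    const expected = await totp(secretB32, timestamp + offset * period, opts);
    if (expected === code) return offset;
  }
  return null;
}
```

Passing a fixed timestamp, as with the Custom Timestamp field, makes the output reproducible, so the functions can be checked against the published RFC 6238 test vectors.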