TOTP Generator

Generate and test TOTP 2FA codes online. Configure algorithm, digits, and period. Includes QR code output compatible with Google Authenticator and Authy.

This tool is for testing and development only. Never use a web-based tool to generate TOTP codes for real accounts — use a dedicated authenticator app.

otpauth URI

otpauth://totp/MyApp%3Atest%40example.com?secret=JBSWY3DPEHPK3PXP&issuer=MyApp&algorithm=SHA1&digits=6&period=30

Your secret stays in your browser — no data is sent to any server.

What is TOTP?

TOTP (Time-based One-Time Password) is a widely-used 2FA algorithm defined in RFC 6238. It generates a short numeric code from a shared secret and the current time, refreshing every 30 or 60 seconds. Apps like Google Authenticator, Authy, and Microsoft Authenticator all use TOTP.

How the algorithm works

The tool computes floor(currentUnixTime / period) as an 8-byte counter, then runs HMAC-SHA1 (or SHA-256/512) over it using the Base32-decoded secret. Dynamic truncation extracts a 4-byte window from the HMAC output, and the result is reduced to 6 or 8 digits with modulo 10^digits.
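The steps above, written out in Python as an added example (not the tool's own code, which runs in the browser). The function names are hypothetical, and falling back to SHA1, 6 digits and a 30-second period when an otpauth URI omits those parameters is an assumption based on the common provisioning convention.

```python
import base64
import hashlib
import hmac
import struct
from urllib.parse import parse_qs, urlparse

HASHES = {"SHA1": hashlib.sha1, "SHA256": hashlib.sha256, "SHA512": hashlib.sha512}

def b32_secret(secret: str) -> bytes:
    """Decode an RFC 4648 Base32 secret; tolerate spaces, lowercase, missing '='."""
    s = secret.replace(" ", "").upper().rstrip("=")
    return base64.b32decode(s + "=" * (-len(s) % 8))

def totp(key: bytes, at: int, algorithm: str = "SHA1", digits: int = 6,
         period: int = 30) -> str:
    """Return the code for Unix time `at` (hypothetical helper)."""
    if algorithm not in HASHES or digits not in (6, 8) or period <= 0:
        raise ValueError("unsupported TOTP parameters")
    counter = struct.pack(">Q", int(at) // period)   # 8-byte big-endian counter
    mac = hmac.new(key, counter, HASHES[algorithm]).digest()
    offset = mac[-1] & 0x0F                           # low nibble of the last byte
    # Dynamic truncation: 4 bytes at `offset`, top bit cleared (31-bit value).
    window = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(window % 10 ** digits).zfill(digits)   # keep leading zeros

def totp_from_uri(uri: str, at: int) -> str:
    """Compute the code an app provisioned with `uri` would show at time `at`."""
    parts = urlparse(uri)
    if parts.scheme != "otpauth" or parts.netloc != "totp":
        raise ValueError("not an otpauth://totp/ URI")
    q = {k: v[0] for k, v in parse_qs(parts.query).items()}
    if "secret" not in q:
        raise ValueError("missing secret parameter")
    # Assumed defaults when a parameter is absent: SHA1, 6 digits, 30 s.
    return totp(b32_secret(q["secret"]), at,
                q.get("algorithm", "SHA1").upper(),
                int(q.get("digits", 6)), int(q.get("period", 30)))

if __name__ == "__main__":
    import time
    # Sample URI from this page; a test secret, not a real account.
    uri = ("otpauth://totp/MyApp%3Atest%40example.com?secret=JBSWY3DPEHPK3PXP"
           "&issuer=MyApp&algorithm=SHA1&digits=6&period=30")
    print(totp_from_uri(uri, int(time.time())))
```

Because `totp` takes the timestamp as an argument, it can be checked against the fixed-time test vectors in RFC 6238 Appendix B before being trusted with the live clock.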

How to use

  1. Paste your Base32 secret key, or click 'Generate Random Secret' to create a test secret.
  2. Optionally adjust the algorithm (SHA-1/256/512), number of digits (6 or 8), and period (30s or 60s).
  3. Copy the generated TOTP code or scan the QR code with an authenticator app.
  4. The code auto-refreshes every second; the progress bar shows time remaining.

Frequently Asked Questions

What is a TOTP code?
A TOTP (Time-based One-Time Password) code is a 6- or 8-digit number that changes every 30 or 60 seconds. It is generated from a shared secret and the current time using HMAC-SHA1 (or SHA-256/512), as defined in RFC 6238.

What Base32 alphabet does TOTP use?
TOTP secrets use the RFC 4648 Base32 alphabet: the uppercase letters A–Z followed by the digits 2–7. Padding characters (=) are optional. Most authenticator apps display and accept secrets in this format.

Can I use SHA-256 or SHA-512 with Google Authenticator?
Google Authenticator only supports SHA-1. However, many apps such as Authy and andOTP support SHA-256 and SHA-512. If you need cross-app compatibility, stick with SHA-1, 6 digits, and a 30-second period.

What is the otpauth URI format?
The otpauth URI (e.g. otpauth://totp/Issuer:account?secret=XXX&issuer=YYY&algorithm=SHA1&digits=6&period=30) is a standard format used to provision authenticator apps. Scanning the QR code adds the account automatically.

Is it safe to generate TOTP codes in the browser?
This tool is safe for testing and development — all computation runs locally using the Web Crypto API and no data leaves your browser. However, for real production accounts you should always use a dedicated, offline authenticator app.