A TOTP (Time-based One-Time Password) code is a 6- or 8-digit number that changes every 30 or 60 seconds. It is generated from a shared secret and the current time using HMAC-SHA1 (or SHA-256/512), as defined in RFC 6238.

What Base32 alphabet does TOTP use?

TOTP secrets use the RFC 4648 Base32 alphabet: the uppercase letters A–Z followed by the digits 2–7. Padding characters (=) are optional. Most authenticator apps display and accept secrets in this format.

Can I use SHA-256 or SHA-512 with Google Authenticator?

Google Authenticator only supports SHA-1. However, many apps such as Authy and andOTP support SHA-256 and SHA-512. If you need cross-app compatibility, stick with SHA-1, 6 digits, and a 30-second period.

What is the otpauth URI format?

The otpauth URI (e.g. otpauth://totp/Issuer:account?secret=XXX&issuer=YYY&algorithm=SHA1&digits=6&period=30) is a standard format used to provision authenticator apps. Scanning the QR code adds the account automatically.

Is it safe to generate TOTP codes in the browser?

This tool is safe for testing and development — all computation runs locally using the Web Crypto API and no data leaves your browser. However, for real production accounts you should always use a dedicated, offline authenticator app.

Is this tool free to use?

Yes. All Skybin developer tools are free with no account, API key, or usage limits.

Does my data get sent to a server?

No. Processing runs in your browser whenever possible. Sensitive input never leaves your device unless a tool explicitly fetches a URL you provide (e.g. OG Validator).

Can I use this on mobile?

Yes. The tools work in modern mobile browsers, though a desktop screen is easier for large JSON or PDF workflows.

How is this different from desktop apps?

There is nothing to install or update. Open a bookmarked URL and start working — ideal for quick tasks during development or support calls.

Are there keyboard shortcuts?

Most tools support standard paste (Ctrl+V / Cmd+V) and select-all in text areas. Copy buttons provide one-click output.

Does Skybin store my history?

No. We do not log tool inputs or outputs. Refreshing the page clears in-memory state unless the tool encodes state in the URL.

免费工具

TOTP Generator

Generate and test TOTP 2FA codes online. Configure algorithm, digits, and period. Includes QR code output compatible with Google Authenticator and Authy.

This tool is for testing and development only. Never use a web-based tool to generate TOTP codes for real accounts — use a dedicated authenticator app.

TOTP Generator

Base32 Secret Key

Algorithm

Digits

Period (seconds)

Account Name

Issuer

Current TOTP Code

--- ---

0s seconds remaining

QR Code

Enter a valid secret

otpauth URI

otpauth://totp/MyApp%3Atest%40example.com?secret=JBSWY3DPEHPK3PXP&issuer=MyApp&algorithm=SHA1&digits=6&period=30

Your secret stays in your browser — no data is sent to any server.

What is TOTP?

TOTP (Time-based One-Time Password) is a widely-used 2FA algorithm defined in RFC 6238. It generates a short numeric code from a shared secret and the current time, refreshing every 30 or 60 seconds. Apps like Google Authenticator, Authy, and Microsoft Authenticator all use TOTP.

How the algorithm works

The tool computes floor(currentUnixTime / period) as an 8-byte counter, then runs HMAC-SHA1 (or SHA-256/512) over it using the Base32-decoded secret. Dynamic truncation extracts a 4-byte window from the HMAC output, and the result is reduced to 6 or 8 digits with modulo 10^digits.

Why use TOTP Generator online?

TOTP Generator in the browser saves context switching: no CLI install, no fragile one-liners, and instant feedback for teammates who do not live in the terminal. It is ideal for debugging, demos, and quick checks during code review.

Tips for best results

Work with a sample payload first, then paste production data. Keep privacy in mind: prefer local browser processing for secrets, tokens, and customer data. Bookmark this page for faster access next time.

How to use

Paste your Base32 secret key, or click 'Generate Random Secret' to create a test secret.
Optionally adjust the algorithm (SHA-1/256/512), number of digits (6 or 8), and period (30s or 60s).
Copy the generated TOTP code or scan the QR code with an authenticator app.
The code auto-refreshes every second; the progress bar shows time remaining.
Review the output and use Copy to paste into your editor, ticket, or chat.
Need another utility? Scroll to Related Tools below for TOTP Generator companions on skybin.io.
For a deeper walkthrough, read the linked Skybin blog article at the bottom of this page.

在线工具与终端对比

终端 / CLI	本工具
Install CLI tools or write a one-off script	Open the tool in your browser — no install
Look up flags in man pages or Stack Overflow	Paste input or upload files where supported
Repeat for each file format or edge case	Get instant visual feedback and copy buttons

Your secret stays in your browser — no data is sent to any server.

来自 Skybin 博客

Free developer tools from Skybin

在 Skybin 阅读指南

常见问题

What is a TOTP code?: A TOTP (Time-based One-Time Password) code is a 6- or 8-digit number that changes every 30 or 60 seconds. It is generated from a shared secret and the current time using HMAC-SHA1 (or SHA-256/512), as defined in RFC 6238.
What Base32 alphabet does TOTP use?: TOTP secrets use the RFC 4648 Base32 alphabet: the uppercase letters A–Z followed by the digits 2–7. Padding characters (=) are optional. Most authenticator apps display and accept secrets in this format.
Can I use SHA-256 or SHA-512 with Google Authenticator?: Google Authenticator only supports SHA-1. However, many apps such as Authy and andOTP support SHA-256 and SHA-512. If you need cross-app compatibility, stick with SHA-1, 6 digits, and a 30-second period.
What is the otpauth URI format?: The otpauth URI (e.g. otpauth://totp/Issuer:account?secret=XXX&issuer=YYY&algorithm=SHA1&digits=6&period=30) is a standard format used to provision authenticator apps. Scanning the QR code adds the account automatically.
Is it safe to generate TOTP codes in the browser?: This tool is safe for testing and development — all computation runs locally using the Web Crypto API and no data leaves your browser. However, for real production accounts you should always use a dedicated, offline authenticator app.
Is this tool free to use?: Yes. All Skybin developer tools are free with no account, API key, or usage limits.
Does my data get sent to a server?: No. Processing runs in your browser whenever possible. Sensitive input never leaves your device unless a tool explicitly fetches a URL you provide (e.g. OG Validator).
Can I use this on mobile?: Yes. The tools work in modern mobile browsers, though a desktop screen is easier for large JSON or PDF workflows.
How is this different from desktop apps?: There is nothing to install or update. Open a bookmarked URL and start working — ideal for quick tasks during development or support calls.
Are there keyboard shortcuts?: Most tools support standard paste (Ctrl+V / Cmd+V) and select-all in text areas. Copy buttons provide one-click output.
Does Skybin store my history?: No. We do not log tool inputs or outputs. Refreshing the page clears in-memory state unless the tool encodes state in the URL.