🔑 TOTP generator

Generate time-based one-time passwords (TOTP) in the browser. All processing is completed on the client side and the secret key is never sent outside the company.

Enter a valid Base32 string (A-Z, 2-7)
Enter your secret key

Usage and Application Examples

  • Confirm one-time password from secret key for two-factor authentication (2FA)
  • Use as a backup code generation tool for authentication applications
  • Generate a QR code to easily register your account with the authentication app
  • To be used to check the operation of TOTP authentication during development and testing

What is TOTP Generator?

TOTP Generator is a browser-based tool that creates one-time passwords (TOTPs) for two-factor authentication (2FA). Security-conscious users and organizations rely on time-based one-time passwords as a second authentication layer. Instead of downloading authenticator apps, this browser tool generates 6-digit or 8-digit codes directly from Base32 secret keys. Each code remains valid for a specific duration (typically 30 seconds) before expiring and generating a new one. Perfect for securing sensitive accounts without installing additional software.

How to Use

Using TOTP Generator is straightforward. First, gather your secret key—usually provided as a Base32-encoded string during account setup or as a QR code. Visit the TOTP Generator and paste your Base32 secret key into the input field. The tool immediately begins generating codes that update in real-time; watch the countdown timer showing code validity duration. Some services let you specify code length: select either 6-digit (standard, used by most services) or 8-digit (additional security for sensitive accounts). Copy the current code and paste it into your account's authentication field during login. The code automatically refreshes every 30 seconds, so if you miss the window, wait for the next code generation.

Use Cases

TOTP Generator serves security-focused users in various scenarios. First, individuals securing sensitive accounts (email, banking, crypto exchanges) rely on 2FA for protection against unauthorized access. Second, remote workers and system administrators use TOTP for secure VPN and server access without installing additional software on work devices. Third, people managing multiple accounts benefit from centralized code generation in their browser rather than juggling multiple authenticator apps. Fourth, users in restrictive environments where app installations are limited use this browser-based alternative. Fifth, development and QA teams testing two-factor authentication systems use it for quick credential verification. Finally, privacy-conscious users appreciate browser-based solutions avoiding third-party app permissions.

Tips & Insights

Secure TOTP practice requires attention. First, store Base32 secret keys securely—use a password manager or encrypted notes, never plain text. Second, the 30-second validity window is standard; if your code expires mid-login, request a new one. Third, ensure your computer's system clock is accurate; out-of-sync clocks cause code mismatches. Fourth, many services provide backup codes during TOTP setup—save these separately for account recovery. Fifth, document which service each secret key belongs to; losing this mapping makes codes useless. Sixth, never share secret keys with anyone. Finally, some services support multiple code formats; verify your tool generates the exact format your service expects.

Frequently Asked Questions

What is TOTP?

TOTP (Time-based One-Time Password) is a time-based one-time password. It is widely used in authentication applications such as Google Authenticator and Microsoft Authenticator.

What is Base32 encoding?

Base32 is an encoding scheme in which binary data is represented by 26 characters (A-Z) and 6 digits (2-7) (32 characters in total). Since it is case-insensitive, it is easy to input manually.

How long is the generated code valid?

The default setting updates the code every 30 seconds. In this tool, the update interval can be changed to 30 or 60 seconds from the settings. An on-screen countdown timer allows you to check the time remaining.

Is this tool safe?

Yes, all processing is completed within the browser and no secret key or code is sent to the server; the Web Crypto API is used to perform HMAC-SHA1/SHA-256 calculations locally.

What is the difference between 6 and 8 digits?

Six digits is the standard RFC 6238 setting and is used by most authentication apps, such as Google Authenticator; eight digits is used when higher security is required, but some services do not support it.

What can QR codes be used for?

The QR code displayed is in otpauth:// URI format and can be scanned by an authentication app such as Google Authenticator or Authy to register an account. The account name and issuer can be set for easy identification on the app.

Can I store multiple accounts in this tool?

Yes, you can add multiple TOTP secrets to generate codes for different accounts (Google, Microsoft, GitHub, etc.) all in one interface. The tool displays all your current codes in real-time, making it convenient for managing 2FA across services.

What happens if my device's clock is out of sync?

TOTP codes are based on precise time, so if your device clock is significantly off, the codes may not match what services expect. Synchronizing your system clock with an internet time server (NTP) ensures your codes stay valid.

Can I export or backup my TOTP accounts?

Many TOTP generators allow exporting secret keys in QR code or text format, which you can save securely offline. This backup is crucial—if you lose access to the tool, these exports let you restore your 2FA setup elsewhere.

Does this TOTP generator work on mobile and desktop browsers?

TOTP generators work in any modern web browser, including smartphone browsers, making them accessible across devices without needing an app. Just ensure you keep the browser tab or window accessible when you need to generate codes for login.

What's the exact time window for which a TOTP code remains valid?

TOTP codes are typically valid for 30 seconds, during which they remain static before rotating to a new code. Services usually accept codes from the previous 30-second window as well, giving you a 60-second window to enter your code.

Can I customize the time interval or digit length for code generation?

Most TOTP standards use a 30-second interval, but some services or custom implementations may support different settings. You can usually choose between 6-digit and 8-digit codes depending on the service's requirements, though 6-digit is the standard default.