Time-based One-Time Passwords (TOTP) are the foundation of two-factor authentication (2FA) used by Google Authenticator, Authy, Microsoft Authenticator, and countless applications. TOTP generates a 6-8 digit code that changes every 30 seconds based on a shared secret key and the current time. This tool generates TOTP codes, verifies existing codes, and helps developers test their 2FA implementations.
Most services use 30 seconds. Some banks use 60 seconds.
Use this URI with the QR Code Generator tool to create a scannable QR code for authenticator apps.
Base32 uses characters A-Z and 2-7 (32 values total). Padding character: =
Enter a Base32-encoded secret key (the key you would normally scan as a QR code in an authenticator app) and the tool generates the current 6-digit TOTP code with a real-time countdown showing when it expires. The tool uses the standard SHA-1 algorithm with 30-second time steps. The verification mode lets you paste a code to check if it is valid for the current or adjacent time windows. You can also generate a new random secret key and copy the otpauth:// URI for provisioning in authenticator apps.
TOTP generation is essential for developers implementing two-factor authentication in their applications, testing 2FA login flows during development without needing a physical phone, verifying that TOTP server-side validation logic handles time drift and adjacent windows correctly, generating backup codes when an authenticator app is unavailable, debugging TOTP failures caused by clock skew between client and server, demonstrating 2FA concepts in security training and workshops, and migrating TOTP secrets between authenticator applications.
TOTP is defined in RFC 6238 and builds on HOTP (RFC 4226). The algorithm computes HMAC-SHA1, keyed with the secret, over a time-based counter: counter = floor(current_unix_time / time_step), encoded as an 8-byte big-endian integer. The HMAC output is dynamically truncated to extract a 4-byte integer (with its top bit cleared), which is then reduced modulo 10^6 to produce the final 6-digit code. The tool uses SHA-1 with 30-second time steps, which is the standard configuration compatible with Google Authenticator and most 2FA implementations. HMAC computation uses the Web Crypto API.
TOTP (Time-based One-Time Password) generates short-lived numeric codes from a shared secret and the current time. Both the server and your authenticator app know the secret. They independently compute HMAC over the secret and current time step (usually 30 seconds), then truncate the result to a 6-digit code. Since both sides use the same algorithm and inputs, they generate matching codes.
This tool runs entirely in your browser - no data is sent to any server. However, treat TOTP secrets like passwords. For production accounts, use a dedicated authenticator app. This tool is ideal for development testing, generating demo keys, and debugging 2FA implementations.
TOTP codes are time-sensitive. Common causes of mismatches include clock skew (your device's time differs from the server by more than 30 seconds), incorrect secret key encoding (ensure it is Base32), wrong algorithm (SHA-1 vs SHA-256), or wrong time step interval. Most servers accept codes from adjacent time windows to account for minor clock drift.
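The algorithm and the adjacent-window check described above, as an added example that is not the tool's own code. It runs under Node.js with the built-in crypto module rather than the Web Crypto API; the function names, the `window` parameter and the sample secret (the Base32 form of the RFC 6238 test key) are assumptions made for illustration.

```javascript
// Added example, not the tool's source. Node's crypto is looked up for CommonJS or ESM.
const nodeCrypto = typeof require === "function"
  ? require("node:crypto") : process.getBuiltinModule("node:crypto");
const B32 = "ABCDEFGHIJKLMNOPQRSTUVWXYZ234567";
const RFC_SECRET = "GEZDGNBVGY3TQOJQGEZDGNBVGY3TQOJQ"; // constructed: RFC 6238 test key

// Decode a Base32 secret; whitespace and '=' padding are ignored.
function base32Decode(text) {
  let bits = 0, acc = 0, out = [];
  for (const ch of text.toUpperCase().replace(/[\s=]/g, "")) {
    const v = B32.indexOf(ch);
    if (v < 0) throw new Error(`invalid Base32 character: ${ch}`);
    acc = (acc << 5) | v;
    bits += 5;
    if (bits >= 8) {
      bits -= 8;
      out.push((acc >>> bits) & 0xff);
      acc &= (1 << bits) - 1; // keep only the bits not yet emitted
    }
  }
  return Buffer.from(out);
}

// HOTP (RFC 4226): HMAC-SHA1 over the 8-byte big-endian counter, then dynamic truncation.
function hotp(key, counter, digits = 6) {
  const msg = Buffer.alloc(8);
  msg.writeBigUInt64BE(BigInt(counter));
  const mac = nodeCrypto.createHmac("sha1", key).update(msg).digest();
  const offset = mac[19] & 0x0f; // low nibble of the last byte selects the 4-byte slice
  const bin = mac.readUInt32BE(offset) & 0x7fffffff; // 4 bytes, top bit cleared
  return String(bin % 10 ** digits).padStart(digits, "0");
}

// TOTP (RFC 6238): the counter is the number of whole time steps since the Unix epoch.
function totp(secretB32, unixSeconds, step = 30, digits = 6) {
  return hotp(base32Decode(secretB32), Math.floor(unixSeconds / step), digits);
}

// Check a code against the current step and `window` steps either side (clock drift).
function verifyTotp(secretB32, code, unixSeconds, window = 1, step = 30, digits = 6) {
  const key = base32Decode(secretB32), given = Buffer.from(String(code));
  const now = Math.floor(unixSeconds / step);
  let match = null; // matching step offset (0 = current step), null if none
  for (let d = -window; d <= window; d++) {
    if (now + d < 0) continue; // no time step exists before the epoch
    const want = Buffer.from(hotp(key, now + d, digits));
    if (want.length === given.length && nodeCrypto.timingSafeEqual(want, given)) match = d;
  }
  return match;
}
```

A nonzero return value from `verifyTotp` shows how many steps the client clock is off, which is the figure to log when debugging clock skew.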