How does TOTP actually compute the code?

TOTP takes your shared Base32 secret and the current time. It floors Unix time by the period, so at 12:00:30 with a 30-second period the counter is the timestamp divided by 30 rounded down, then runs HMAC-SHA1 over that 8-byte counter keyed by the secret, and dynamic-truncates the result to 6 digits. Example: secret GEZDGNBVGY3TQOJQGEZDGNBVGY3TQOJQ at Unix time 59 yields 94287082. Same secret plus same minute on any device gives the same code.

Is this the same code Google Authenticator shows?

Yes, when the parameters match. Google Authenticator, Authy and Microsoft Authenticator default to RFC 6238 TOTP with HMAC-SHA1, a 30-second period and 6 digits, which is exactly this tool's default. Paste the Base32 secret a site gave you with its QR code and the live code here should tick in lockstep with your phone. If it differs, the site likely uses 8 digits, SHA-256, or a different period, all of which you can switch here to match.

Why does the code change every 30 seconds?

The time counter is Unix time divided by the period (30 seconds by default) and floored, so it only increments when a new window starts. Every device in the world agrees on the same counter value for the same wall-clock window, which is how your phone and the server land on the same code without ever talking to each other. The progress bar here shows the seconds left; the moment it empties, the code rolls to the next value shown alongside.

Is it safe to paste my secret here?

The computation is local, your secret never leaves the browser tab and is never put in the URL or logged. That said, do not paste a secret that protects a real production account into any web page, including this one, because a secret typed into a browser can be exposed by extensions or shoulder-surfing. Use this tool with a throwaway test secret, or for recovery on a machine you trust. Keep live 2FA secrets on a dedicated authenticator app or hardware key.

Where does the Base32 secret come from?

When you enable two-factor auth, the site generates a random secret and shows it as a QR code plus a string of A-Z and 2-7 characters, that string is the Base32 secret. The QR code is just an otpauth URI wrapping the same secret along with the issuer, digits and period. Scan it with your phone or paste the plain Base32 string here. A typical secret is 16 or 32 Base32 characters, for example JBSWY3DPEHPK3PXP.

What if I get an invalid Base32 error?

Base32 uses only the letters A to Z and the digits 2 to 7, plus optional = padding, and is case-insensitive. Spaces are fine and get stripped. You will see an error if the secret contains 0, 1, 8 or 9, or letters like O and I that look like digits, since those are not in the Base32 alphabet, people often mistype O for 0. Copy the secret straight from the setup screen rather than retyping it, and remove any stray punctuation.

Verify a freshly scanned secret before you trust it

You just enabled 2FA on a site and it showed both a QR code and a Base32 string. Before you click "I have saved my codes", paste that string here and check the live 6-digit code matches what your authenticator app shows in the same second. If they tick together, you know the secret transferred correctly and you will not lock yourself out at the next login.

Log in when your phone is dead or lost

Your authenticator lives on a phone with no battery, but you saved the Base32 backup secret in your password manager. Paste it here on a computer you trust and read off the current code to get into the account, then immediately reset 2FA to a working device. It is the recovery path the QR code was always capable of, just without the phone in hand.

Debug a 2FA integration that keeps rejecting codes

You are wiring TOTP into a backend and the server rejects every code your test phone produces. Paste the shared secret here, set digits and algorithm to match your library config, and compare the code, the counter and the seconds remaining against what your code computes. Mismatches almost always trace to clock skew, a wrong period, or a secret decoded as the wrong encoding.

Teach how time-based one-time passwords work

Explaining 2FA in a security class or onboarding doc lands better with a live demo. Put a fixed test secret on screen, show the code regenerating every 30 seconds, switch digits from 6 to 8, and flip the algorithm to SHA-256 so learners see the parameters change the output. The countdown bar makes the time-window concept concrete.

TOTP Generator: Live 2FA Codes from a Base32 Secret

Base32 secret in, live 6-digit code out, 30s countdown and next code, SHA1/256/512, 100% in-browser, RFC 6238

Runs locally
Category Developer & DevOps
Best for Formatting, validating, shrinking, or inspecting code-adjacent text.

Base32 secret

Local only — your secret never leaves this tab and is never put in the URL. Still, do not paste a real production secret; use a test one.

Digits

Period (s)

Algorithm

Match these to your issuer (otpauth URI behind the QR code) or the code will be wrong.

Current code

------

13 s leftNext code: ------

What this tool does

Free online TOTP generator. Paste a Base32 secret (the same kind a site shows next to its QR code when you set up two-factor auth) and this tool computes the live 6-digit time-based one-time password, the seconds left in the current 30-second window, and the code that comes next. It is the exact algorithm Google Authenticator, Authy and 1Password run, RFC 6238 with HMAC-SHA1 over the floored Unix time counter, computed locally through the native WebCrypto `crypto.subtle` API. Nothing is uploaded, nothing is logged, and the secret is never written into the shareable URL. Use it to confirm a freshly scanned secret produces the same code your phone shows before you trust it, to log in when your phone is flat, or to debug a 2FA integration where codes keep getting rejected. Algorithm, digit count and period are all adjustable, so you can match an 8-digit or SHA-256 setup as well as the default 6-digit SHA-1 one. Keep production secrets on a dedicated device, this page is for testing and recovery, not for storing live keys.

Tool details

Input: Numbers; The page exposes text boxes, numeric controls, file pickers, or structured inputs depending on the tool.
Output: Live result + Copy; The result area focuses on usable output, with copy, download, or preview actions when supported.
Privacy: Browser-side processing; The main tool logic does not call an external API, so inputs normally stay in the current tab.
Save / share: Shareable URL state; Key settings are encoded in the URL so another person can reopen the same setup.
Performance budget: Initial JS <= 9 KB; No WASM budget is declared, keeping the tool quick to open on mobile.
Best fit: Developer & DevOps · Developer; Category and role tags drive related tools, internal links, and quick fit checks.

How to use

1. Input

Paste or drop your content into the tool panel.
2. Process

Click the button. All processing is local in your browser.
3. Copy / Download

Copy the result or download to disk in one click.

How TOTP Generator fits into your work

Use it in the small gaps between coding, reviewing, debugging, and shipping.

Developer jobs

Formatting, validating, shrinking, or inspecting code-adjacent text.
Preparing snippets for documentation, tickets, commits, or handoff.
Checking a small payload quickly without switching tools.

Developer checks

Run irreversible transforms like minify or obfuscate on a copy.
Keep secrets out of pasted snippets unless the tool explicitly stays local.
Use your normal tests or linter before shipping transformed code.

Good next steps

These links move the current task into a more complete workflow.

Real-world use cases

Verify a freshly scanned secret before you trust it
You just enabled 2FA on a site and it showed both a QR code and a Base32 string. Before you click "I have saved my codes", paste that string here and check the live 6-digit code matches what your authenticator app shows in the same second. If they tick together, you know the secret transferred correctly and you will not lock yourself out at the next login.
Log in when your phone is dead or lost
Your authenticator lives on a phone with no battery, but you saved the Base32 backup secret in your password manager. Paste it here on a computer you trust and read off the current code to get into the account, then immediately reset 2FA to a working device. It is the recovery path the QR code was always capable of, just without the phone in hand.
Debug a 2FA integration that keeps rejecting codes
You are wiring TOTP into a backend and the server rejects every code your test phone produces. Paste the shared secret here, set digits and algorithm to match your library config, and compare the code, the counter and the seconds remaining against what your code computes. Mismatches almost always trace to clock skew, a wrong period, or a secret decoded as the wrong encoding.
Teach how time-based one-time passwords work
Explaining 2FA in a security class or onboarding doc lands better with a live demo. Put a fixed test secret on screen, show the code regenerating every 30 seconds, switch digits from 6 to 8, and flip the algorithm to SHA-256 so learners see the parameters change the output. The countdown bar makes the time-window concept concrete.

Common pitfalls

Retyping the secret by hand and turning O into 0 or I into 1. Base32 has no 0, 1, 8 or 9, so a typo produces either an invalid-Base32 error or, worse, a valid-but-wrong secret that yields codes your phone never agrees with. Copy the string straight from the setup screen.
Leaving digits at 6 and algorithm at SHA-1 when the site actually uses 8 digits or SHA-256. The parameters must match the issuer exactly or the code will be wrong even with the right secret. Check the otpauth URI behind the QR code for the digits, period and algorithm fields.
Pasting a real production secret into a web page. Even a local-only tool runs inside a browser that extensions and onlookers can observe. Use a throwaway test secret here and keep live 2FA secrets in a dedicated authenticator app or hardware key.

Privacy

Every step runs in your browser tab: the Base32 decode, the HMAC-SHA1 over the time counter through the native WebCrypto API, the truncation to digits, and the countdown. The secret and the generated code never leave the page, are never uploaded, and are never logged. The secret is deliberately kept out of the shareable URL, only the non-sensitive digits, period and algorithm options round-trip in the link, so a shared URL can never leak your key. Even so, treat any browser as untrusted for live secrets: use a throwaway test secret here and keep production 2FA keys on a dedicated authenticator.

FAQ

Tool combos

Folks in your role tend to reach for these alongside this tool.

Developer

Browse all tools for this role

TOTP Generator: Live 2FA Codes from a Base32 Secret

What this tool does

Tool details

How to use

1. Input

2. Process

3. Copy / Download

How TOTP Generator fits into your work

Developer jobs

Developer checks

Good next steps

Real-world use cases

Verify a freshly scanned secret before you trust it

Log in when your phone is dead or lost

Debug a 2FA integration that keeps rejecting codes

Teach how time-based one-time passwords work

Common pitfalls

Privacy

FAQ

HMAC Generator

JWT Decoder

Bcrypt Generator

Password Generator

AI Eval Planner

Apache Cheatsheet

API Key Generator

API Rate Limit Cheatsheet

ASCII Table Generator

ASCII Table Reference

awk + sed Cheatsheet

AWS CLI Cheatsheet