Generate time-based one-time passwords for 2FA testing. Nothing leaves your browser.
TOTP (Time-based One-Time Password) uses a shared secret and the current time to generate a code that changes every 30 seconds. The algorithm takes the secret key, combines it with a time counter (current Unix time divided by the period), and runs it through HMAC-SHA1 to produce a 6 or 8-digit code.
This is the same algorithm behind Google Authenticator, Authy, 1Password, and Microsoft Authenticator. The secret key is typically shared as a Base32-encoded string or QR code during 2FA setup. Both the server and your authenticator app independently generate the same code from the same secret and time — no network request needed.
This tool is useful for developers testing 2FA integrations, verifying that a secret key produces the expected codes, or debugging authentication flows. Enter any Base32 secret to see live rotating codes. Everything runs in your browser using the Web Crypto API — your secret never leaves your device.
This tool in other languages:
Français:
Générateur TOTP / Code 2FA
Español:
Generador TOTP / Código 2FA
Deutsch:
TOTP-Generator / 2FA-Code
Português:
Gerador TOTP / Código 2FA
日本語:
TOTP生成ツール(二要素認証)
中文:
TOTP 生成器(双因素认证)
한국어:
TOTP 생성기 (2단계 인증)
العربية:
مولد TOTP — رمز المصادقة الثنائية
Paste your Base32 secret key into the input. The tool generates the current 6-digit (or 8-digit) TOTP code and updates every 30 seconds (or 60, depending on your setting). Matches what Google Authenticator, Authy, 1Password, and hardware tokens produce.
TOTP (Time-based One-Time Password, RFC 6238) derives a 6-digit code from a shared secret and the current time. The secret is stored on both the server and your authenticator app. Every 30 seconds, both sides compute the same code from the same time and secret — no network needed.
Primarily for development and testing: debugging a 2FA flow, verifying TOTP implementation in your backend, or recovering when you don't have your phone. For daily use, a proper authenticator app (or 1Password/Bitwarden) is safer — this tool holds the secret only in browser memory.
Generation is 100% client-side — the secret never leaves your device. That said, anyone with your TOTP secret can generate codes for your account forever. Don't paste production 2FA secrets here unless you have a specific testing reason; use test accounts or development credentials.
Base32 (uppercase A-Z and 2-7, no padding). Most services show this when you set up 2FA alongside the QR code. If you only have a QR code, scan it with a decoder to extract the otpauth:// URL — the secret is in the secret= parameter.