TOTP Code Generator

Generate time based one time passwords (TOTP) from a secret key, the same codes your authenticator app shows.

About the TOTP Code Generator

TOTP (time based one time password) is the algorithm behind the six digit codes in Google Authenticator, Authy, and every other two factor app. This tool implements the same standard (RFC 6238) in your browser: paste a base32 secret and it shows the current code, a live countdown to the next one, and the codes immediately before and after for clock drift debugging.

It exists for development and debugging: testing a 2FA implementation you are building, verifying that a stored secret still generates the right codes, or checking whether a rejected code is a clock synchronization problem (if the “previous” code is what your server expected, its clock is behind).

The math is HMAC-SHA1 over a counter derived from the current time, truncated to six digits, changing every 30 seconds. Everything happens locally with the Web Crypto API. Secrets are never transmitted, stored, or logged, but treat real production secrets with care anywhere outside your authenticator.

Your ad could be here

Reach developers and designers who use these tools every day. Privacy-first, no trackers.

Frequently asked questions

Is it safe to paste a real 2FA secret here?

The computation is fully local and nothing is transmitted. That said, a 2FA secret grants the ability to generate codes forever, so the careful habit is to use this tool with test secrets, and only use real ones when you are debugging something specific.

Why does my code not match the server?

Almost always clock drift. TOTP depends on both sides agreeing what time it is. If the previous or next code shown here is what the server accepted, one of the clocks is off by 30 to 60 seconds. Servers typically accept one code on either side to tolerate this.

Where do I find the base32 secret?

When a service sets up 2FA it shows a QR code and usually a "can't scan?" option that reveals the secret as text, something like JBSWY3DPEHPK3PXP. That string is what authenticator apps store and what this tool needs.

Why SHA-1? Is that not broken?

The TOTP standard specifies HMAC-SHA1, and the known SHA-1 weaknesses do not apply to HMAC usage. Some services support SHA-256 variants, but six digit, 30 second, SHA-1 codes remain the universal default.

Generators

UUID & Token Generator

Generate v4 UUIDs in bulk and secure random tokens with custom length and character sets.

Generators

Cron Generator

Build cron expressions from presets, see them explained in plain English, and preview the next run times.

Generators

Lorem Ipsum Generator

Generate placeholder text by the paragraph, sentence, or word, ready to paste into any design or layout.

Generators

Password Strength Analyzer

Check how strong a password really is: entropy, character variety, and estimated time to crack.

Generators

QR Code Generator

Generate a QR code from text or a URL, entirely in your browser, and download it.

Data & Format

JSON Formatter & Validator

Format, validate, and minify JSON with clear error messages and line numbers.