TOTP / OTP Generator

Generate time-based one-time passwords from a Base32 secret. Compatible with Google Authenticator and Authy.

Base32 Secret Key

Paste the secret from your authenticator app, or click Generate Secret to create a new one.

About This Tool

This tool implements TOTP (Time-based One-Time Password) per RFC 6238, built on HOTP (HMAC-based One-Time Password, RFC 4226). It generates the same codes as Google Authenticator, Authy, Microsoft Authenticator, and other standard TOTP apps, given the same Base32 secret key.

The algorithm computes an HMAC-SHA-1, keyed with the secret, over the current time window (floor(unix_time / period)), then truncates the result to 6 or 8 digits. The code changes every 30 or 60 seconds. All computation happens in your browser; the secret never leaves your device.

How to Use

  1. Paste your Base32 secret key from your app or service. Or click Generate Secret to create a new random key.
  2. Select the period (30s is standard) and digit count (6 is standard).
  3. The current OTP and its remaining time are shown automatically and update every period.
  4. Click Copy to copy the OTP to your clipboard.

Use Cases

Developers test TOTP-based 2FA flows during development without needing a physical phone. QA teams verify that their TOTP validation logic accepts the correct codes. Security researchers audit time-based OTP implementations. Developers add TOTP support to their apps and need a quick reference implementation. Server administrators set up TOTP-protected SSH access and verify the secret is correct.

FAQ

  • Is my secret key safe? Yes. All TOTP computation runs entirely in your browser. Nothing is sent to any server.
  • Why does my code not match my authenticator app? The most common cause is clock drift. TOTP depends on accurate system time. Also verify the secret, period, and digit count match exactly.
  • What format is the secret key? Base32 (RFC 4648): characters A–Z and 2–7. Spaces and padding (=) are ignored.
  • Can I use this in production? This tool is for testing and development. For production 2FA, use a validated server-side TOTP library.
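
The algorithm described under About This Tool and the Base32 and clock-drift points from the FAQ, as an added Python example for checking validation logic; it is not this tool's source code. The function names and the ±1 window tolerance in `verify` are assumptions made for illustration, and the secret is the published RFC 6238 test key.

```python
import base64
import hashlib
import hmac
import struct
import time

# RFC 6238 Appendix B test secret (ASCII "12345678901234567890"), Base32-encoded.
RFC_SECRET = "GEZDGNBVGY3TQOJQGEZDGNBVGY3TQOJQ"

def decode_secret(secret_b32):
    """Drop whitespace and '=' padding, as the FAQ describes, then decode."""
    s = "".join(secret_b32.split()).replace("=", "").upper()
    s += "=" * (-len(s) % 8)  # b32decode requires whole 8-character blocks
    return base64.b32decode(s)

def hotp(key, counter, digits=6):
    """RFC 4226: HMAC-SHA-1 over the 8-byte big-endian counter, then truncate."""
    mac = hmac.new(key, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F  # low nibble of the last byte picks a 4-byte slice
    value = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(value % 10 ** digits).zfill(digits)

def totp(secret_b32, unix_time=None, period=30, digits=6):
    """RFC 6238: HOTP with counter = floor(unix_time / period)."""
    now = time.time() if unix_time is None else unix_time
    return hotp(decode_secret(secret_b32), int(now // period), digits)

def verify(secret_b32, candidate, unix_time=None, period=30, digits=6, drift=1):
    """Return the matching window offset (-drift..drift), or None if no match."""
    now = time.time() if unix_time is None else unix_time
    key = decode_secret(secret_b32)
    counter = int(now // period)
    matched = None
    for off in range(-drift, drift + 1):  # hypothetical drift tolerance
        if counter + off < 0:
            continue
        expected = hotp(key, counter + off, digits)
        # Constant-time comparison; every window is checked before returning.
        if hmac.compare_digest(expected.encode(), candidate.encode()):
            matched = off
    return matched  # offset 0 is falsy, so test the result with "is not None"

if __name__ == "__main__":
    print(totp(RFC_SECRET, 59, digits=8))
    print(verify(RFC_SECRET, "287082", unix_time=89))
```

A non-zero offset from `verify` means the code was valid only for a neighbouring time window, which points to clock drift rather than a wrong secret.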