Free TOTP / 2FA code generator (local)

Enter a Base32 secret (or generate one) to produce RFC 6238 TOTP codes that refresh every 30 or 60 seconds. Supports SHA1, SHA256, and SHA512 with 6- or 8-digit output. Build an otpauth:// URI and QR for testing apps — your secret never leaves this tab.

For development and account recovery testing only. Never paste production 2FA secrets on shared machines.

Secret (Base32)

Issuer (optional)Account label (optional)

Algorithm

Digits

Period

Current code

------

Refreshes in 6s

otpauth:// URI

otpauth://totp/Example%3Auser%40example.com?secret=JBSWY3DPEHPK3PXP&issuer=Example&algorithm=SHA1&digits=6&period=30

Loading…

How to use this tool

1
Open TOTP generator
Test two-factor codes or verify your app's TOTP settings.
2
Enter or generate a Base32 secret
Paste an existing secret or generate one; set issuer and account for the QR.
3
Copy code or scan QR
Use the live code or otpauth URI in your authenticator app or test harness.

Quick facts

Runs locally?	Yes — HMAC runs in your browser via Web Crypto.
Is anything uploaded?	No. Secrets and codes stay in this tab.
Compatible with Google Authenticator?	Yes — standard Base32 secret, 30s period, SHA1, 6 digits by default.
Generate a new secret?	Use Generate secret, then scan the QR or copy the otpauth URI into your app.

Top use cases

Generate authenticator-style TOTP codes with live countdown, otpauth URI, and QR — local only.
Runs locally?: Yes — HMAC runs in your browser via Web Crypto.
Is anything uploaded?: No. Secrets and codes stay in this tab.
Compatible with Google Authenticator?: Yes — standard Base32 secret, 30s period, SHA1, 6 digits by default.
Generate a new secret?: Use Generate secret, then scan the QR or copy the otpauth URI into your app.

FAQ

Does my secret leave this device?▾

No. TOTP is computed entirely in your browser tab.

Why does my code not match my phone?▾

Check algorithm, digits, period, and that the secret matches exactly (Base32, no spaces). Device clock must be accurate.

What is the sample secret?▾

JBSWY3DPEHPK3PXP is a public test secret — replace it before real use.

Can I use this for login?▾

This tool displays codes for testing. Pair it with your app's TOTP verification on the server.

SHA1 vs SHA256?▾

Most apps default to SHA1. Match the algorithm configured when the secret was enrolled.

What is otpauth://?▾

A standard URI format authenticator apps scan to import issuer, account, secret, and options.