
2FA / TOTP Code Generator

Generate RFC 6238 TOTP codes from a Base32 secret key — exactly like Google Authenticator or Authy. Shows current, previous and next codes with live countdown.

RFC 6238 · HMAC-SHA1 · 6 or 8 digits · 30 or 60s period · Live countdown

How TOTP works

Four steps — all computed locally with no server round-trip needed.

1. Decode the secret

The Base32 secret key from the QR code setup is decoded into raw bytes — the shared secret between your app and the server.

2. Compute the counter

Divide the current Unix timestamp by the period (30s): counter = floor(time() / 30). Both your device and the server compute the same counter independently.

3. HMAC-SHA1

Run HMAC-SHA1 with the secret as the key and the 8-byte big-endian counter as the message. The result is a 20-byte hash.

4. Truncate to N digits

Use dynamic truncation on the hash to extract 4 bytes, interpret them as a big-endian integer with the top bit cleared, and take the result modulo 10^digits. Left-pad to 6 (or 8) digits with zeros.

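// Step 2
counter = floor(time() / 30)
// Step 3: the message is the counter as 8 big-endian bytes (high 32 bits zero, then the counter)
hash = HMAC-SHA1(secret, pack("N*", 0) + pack("N*", counter))
// Step 4: the low nibble of the last byte selects where the 4-byte window starts
offset = hash[19] & 0x0F
code = ((hash[offset] & 0x7F) << 24 | hash[offset+1] << 16 | hash[offset+2] << 8 | hash[offset+3]) % 10^6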
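The four steps as runnable Python, checked against the RFC 6238 Appendix B test seed. This is an added example, not this tool's own code. It goes one step beyond the pseudocode: `matching_step` (a hypothetical helper name) reports which neighbouring time step a submitted code belongs to, which is how a server tolerates and diagnoses clock drift.

```python
import base64
import hashlib
import hmac
import struct
import time

def totp(secret_b32, now=None, period=30, digits=6):
    """RFC 6238 TOTP (HMAC-SHA1) for a Base32 secret at Unix time `now`."""
    # Step 1: decode Base32; tolerate spaces, lowercase and missing padding.
    s = secret_b32.replace(" ", "").upper()
    key = base64.b32decode(s + "=" * (-len(s) % 8))
    # Step 2: time-step counter.
    counter = int(time.time() if now is None else now) // period
    # Step 3: HMAC-SHA1 over the 8-byte big-endian counter.
    digest = hmac.new(key, struct.pack(">Q", counter), hashlib.sha1).digest()
    # Step 4: dynamic truncation; low nibble of the last byte is the offset.
    offset = digest[19] & 0x0F
    value = struct.unpack(">I", digest[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(value % 10 ** digits).zfill(digits)

def matching_step(secret_b32, code, server_time, window=1, period=30, digits=6):
    """Return the step offset in -window..+window whose code equals `code`.

    0 means the clocks agree, -1 means the code came from the previous
    time step, +1 from the next one. None means no step in the window matched.
    """
    found = None
    for step in range(-window, window + 1):
        candidate = totp(secret_b32, server_time + step * period, period, digits)
        # Constant-time comparison; every step is checked regardless of a match.
        if hmac.compare_digest(candidate, code) and found is None:
            found = step
    return found

# Constructed test input: the ASCII seed used by the RFC 6238 test vectors.
RFC_SECRET = base64.b32encode(b"12345678901234567890").decode()

if __name__ == "__main__":
    print(totp(RFC_SECRET, now=59, digits=8))
    # A code generated at t=59 and checked by a server whose clock reads t=89.
    print(matching_step(RFC_SECRET, totp(RFC_SECRET, 59), 89))
```

A production verifier should also reject a code that has already been accepted for the same time step, so a code seen once cannot be replayed inside the window.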

Developer use cases

🧪
Test 2FA integration

When building a TOTP-based 2FA system, paste the test secret here to verify your implementation produces the same codes as the standard algorithm.

🔧
Debug clock drift

TOTP failures are often caused by server clock drift. Use this tool alongside your app to confirm whether codes match — if they do here but not in your app, the problem is server time sync.

🤖
Automated testing

E2E tests for 2FA login flows need a live TOTP code. This tool lets you quickly grab a current code during manual test runs.

📱
Verify QR code content

Scan a QR code, extract the secret from the otpauth:// URI, and verify it generates valid codes before presenting to users during 2FA enrollment.

Testing only. Never paste real production TOTP secrets — your real bank, email or work 2FA secrets — into any online tool. This tool is for development and testing with test accounts only.

Frequently asked questions

What is TOTP?

TOTP (Time-based One-Time Password) is a standard algorithm (RFC 6238) used by authenticator apps like Google Authenticator, Authy and Microsoft Authenticator. It generates a short numeric code that changes every 30 seconds by combining a shared secret key with the current timestamp using HMAC-SHA1.

What is a Base32 secret key?

When you enable 2FA on a service, it gives you a secret key encoded in Base32 (characters A-Z and 2-7). You can usually see this by clicking "Can't scan QR code?" during setup. It looks like: JBSWY3DPEHPK3PXP.

Is it safe to enter a TOTP secret here?

Only use this tool with test accounts or non-production secrets. Never paste a real production 2FA secret into any online tool. This tool is intended for developers testing TOTP integration.

Why does my code not match the authenticator app?

TOTP codes depend on the server clock. If the clock of the device generating the code is more than 30 seconds off from the clock of the server validating it, codes will not match. Ensure your server has NTP enabled and is synced to a reliable time source.
