
TOTP Generator

Generate TOTP codes (RFC 6238).


About TOTP Generator

Generate TOTP (time-based one-time password) codes from any base32 secret. The code refreshes every 30 seconds, in lockstep with what Google Authenticator, Authy, or 1Password would produce. Paste an otpauth:// URI to extract the secret, or paste the base32 directly.

How TOTP actually works

A TOTP code is HMAC-SHA-1(secret, current_30s_interval) truncated to 6 decimal digits, where current_30s_interval is the number of 30-second steps since the Unix epoch. Every 30 seconds, both your authenticator and the server compute the same value independently. Match → authenticated.

The clock-based design eliminates the need for a counter sync between client and server (the issue HOTP had) but introduces a new requirement: clocks must agree within a few seconds. Most servers accept a code from the previous and next interval to handle drift.
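
The computation and the drift window described above, as an added reference example (not this tool's own code). The function names and the sample secret are assumptions made for illustration; the secret is the RFC 6238 Appendix B SHA-1 test key, base32-encoded.

```python
import base64
import hashlib
import hmac
import struct

def decode_secret(b32: str) -> bytes:
    """Decode a base32 secret as services display it: spaces, lowercase, no padding."""
    s = b32.replace(" ", "").upper()
    return base64.b32decode(s + "=" * (-len(s) % 8))

def hotp(key: bytes, counter: int, digits: int = 6, algo: str = "sha1") -> str:
    """RFC 4226: HMAC over the 8-byte big-endian counter, then dynamic truncation."""
    mac = hmac.new(key, struct.pack(">Q", counter), getattr(hashlib, algo)).digest()
    offset = mac[-1] & 0x0F  # low nibble of the last byte selects a 4-byte window
    value = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(value % 10 ** digits).zfill(digits)

def totp(key: bytes, unix_time: float, step: int = 30, digits: int = 6,
         algo: str = "sha1") -> str:
    """RFC 6238: HOTP with counter = number of `step`-second intervals since the epoch."""
    return hotp(key, int(unix_time) // step, digits, algo)

def verify(key: bytes, code: str, unix_time: float, window: int = 1,
           step: int = 30, digits: int = 6, algo: str = "sha1") -> bool:
    """Accept the current interval plus `window` intervals either side (clock drift)."""
    counter = int(unix_time) // step
    ok = False
    for c in range(max(0, counter - window), counter + window + 1):
        candidate = hotp(key, c, digits, algo)
        # Constant-time comparison, and no early exit once a match is found.
        ok |= hmac.compare_digest(candidate.encode(), str(code).encode())
    return ok

# Constructed sample input: the RFC 6238 Appendix B SHA-1 test key, base32-encoded
# and typed the way a service might display it (lowercase, grouped, unpadded).
SAMPLE_SECRET = "gezd gnbv gy3t qojq gezd gnbv gy3t qojq"

if __name__ == "__main__":
    key = decode_secret(SAMPLE_SECRET)
    print(totp(key, 59, digits=8))           # code for the RFC test time T=59
    print(verify(key, totp(key, 59), 89))    # submitted one interval late
    print(verify(key, totp(key, 59), 119))   # submitted two intervals late
```

A verifier like this should also remember the last accepted interval per account and refuse to accept it again, since the window alone lets a captured code be replayed until it ages out.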

What this tool gives you

  • Live code panel — refreshes every 30s with a countdown
  • otpauth URI parser — paste the QR-encoded URI and the secret is extracted
  • Multi-account view — store several secrets locally during a session
  • Algorithm options — SHA-1 (default per RFC 6238), SHA-256, SHA-512

Common workflows

Develop against a 2FA service. Generate the secret, set up your test account, plug the secret into this tool. Codes appear without an authenticator app on your phone.

Recover after losing your phone. If you saved the seed (you should), paste it here as a temporary authenticator until you provision a new device.

Audit a 2FA implementation. Compare codes from this tool against what your server-side library produces. Mismatch flags a bug.

Quick sanity check. Verify a service’s 2FA enrollment QR encodes a valid otpauth:// URI by pasting the QR-decoded URI here.

Why a browser-side TOTP

Your TOTP secret is high-value — anyone with it can generate codes for the rest of time, until the secret rotates. Pasting it into a remote tool is risky. Local computation, no logs, no transmission, no persistence — the same mathematical answer your phone app would produce, computed in your browser.

Frequently asked questions

When would I use this?
Testing a 2FA integration during development. Pasting the seed from a service that gave you only a backup code. Recovering access in a context where you cannot install an authenticator app.
Is the secret stored?
No. The secret stays in the textarea — refresh and it is gone. We never log, persist, or transmit. For long-term storage, use a password manager.
What is the otpauth URI?
otpauth://totp/Issuer:user?secret=BASE32&issuer=Issuer. QR codes for 2FA enrollment encode this URI. Paste the URI to auto-extract the secret without manual transcription.
Why is my code wrong?
99% of the time it is clock skew. TOTP is time-based — your device clock must agree with the server's clock within ~30 seconds. Sync your system clock and try again.
TOTP vs HOTP?
HOTP (RFC 4226) advances on each use (counter-based). TOTP (RFC 6238) advances on time. TOTP is what most modern 2FA uses because it doesn't require server-client counter sync.
Can I generate this offline forever?
Yes — the algorithm is deterministic. As long as your clock is correct, codes match the server's expected values without any network call.

Last updated: 2025-01-15