ToolJutsu
All tools
Developer Tools

TOTP Generator

Generate RFC 6238 time-based one-time passwords with a live counter.

Digits
Period
Current code

——————

Refreshes in 30 s

Next code (preview)

——————

Becomes valid when the counter rolls over.

Provisioning QR — scan in Google Authenticator, Authy, 1Password, …
256 px
Error correction
otpauth:// URL
otpauth://totp/ToolJutsu:user%40example.com?secret=Q65AMRQ2ASNUBTOIYDTS4S7RBYJ6BCRS&issuer=ToolJutsu&algorithm=SHA1&digits=6&period=30
Processed on your device. We never see your files.

How to use TOTP Generator

What is TOTP?

TOTP — Time-based One-Time Password — is the algorithm behind the six-digit codes that change every 30 seconds in Google Authenticator, Authy, 1Password, Bitwarden and every other authenticator app. It is defined by RFC 6238, published in 2011, as a time-based extension of the earlier HOTP standard (RFC 4226, 2005). The two specifications together are the foundation of practically every “second factor” login on the modern web that doesn’t use a hardware key.

How TOTP works

The setup is simple. A server and a user’s authenticator app share a secret — typically 160 random bits, Base32-encoded for human handling during the QR-code provisioning step. After that, both sides:

  1. Take the current Unix timestamp in seconds.
  2. Divide by the time-step (almost always 30 seconds) — the result is the counter.
  3. Compute HMAC-SHA-1(secret, counter) — a 20-byte hash.
  4. Look at the last 4 bits of the hash to find an offset; pull four bytes from the hash starting at that offset.
  5. Mask off the top bit, modulo by 10^digits (usually 10^6), pad left with zeros, and display.

Because the shared secret never moves and the counter advances identically on both sides, the user and the server compute the same six-digit code from the same shared input. The clock is the synchronisation mechanism; the HMAC is the cryptography.

Common use cases

  • Two-factor authentication on web services, password managers, cloud-provider consoles, GitHub, AWS, and so on. After you scan the QR code, the service stores the shared secret and rejects logins that don’t supply a current TOTP code.
  • Local development of an auth system. Use this tool to verify that the codes your server computes match what an authenticator app shows, before you go live.
  • Auditing existing 2FA setups. Paste your stored Base32 secret into the secret field; the codes here will match what your app shows. Useful when troubleshooting a phone replacement or migrating from one authenticator to another.
  • Provisioning seeds for new users. The QR code on this page is in the exact otpauth:// format every authenticator scans. Generate a fresh secret per user and present the QR; never reuse secrets.

How to use this TOTP generator

  1. The page starts with a freshly random 160-bit Base32 secret loaded in the Shared secret field. Click Generate new 160-bit secret at any time to rotate it. You can also paste an existing Base32 secret — the tool decodes any standard Base32 (with or without padding, with or without whitespace).
  2. Edit the Issuer and Account fields. They appear in the provisioning QR code and become the label your authenticator app shows (for example “ToolJutsu — user@example.com”).
  3. Optional: change Digits to 8 or Period to 60 seconds. Both are supported by most modern apps but check yours before rolling them out to users. The hash algorithm can be raised to SHA-256 or SHA-512 with the same caveat.
  4. Scan the QR code with your authenticator app. The code it shows should match the Current code on this page, refreshing in sync every period.
  5. Copy the otpauth:// URL if you want to send it elsewhere instead of (or alongside) the QR code — for example, into a 1Password secure note.

Security considerations

The shared secret is the entire security model — anyone with it can generate the same codes you do. Treat it like a password. In particular:

  • Don’t share the QR code in a screenshot, chat or email.
  • Don’t paste an existing production secret into a tool you don’t trust. (This tool runs locally — verify the network panel to be sure — but make that decision deliberately.)
  • Rotate the secret if you suspect exposure.
  • For high-stakes accounts (root cloud admins, code-signing keys) prefer a hardware key over TOTP. WebAuthn / FIDO2 keys make phishing the second factor impossible in a way TOTP cannot.

Privacy

Every part of the generator runs in your browser tab. The secret is generated locally with the Web Crypto CSPRNG. The HMAC is computed by crypto.subtle, also local. The QR code is rendered by the qrcode library against a <canvas> on this page. There is no upload, no server-side state, and no analytics on the values you enter. After loading the page, the only network request you’ll see is the cached JavaScript bundle — and even that survives offline.

Compatibility notes

The output is bit-for-bit standard RFC 6238 with the otpauth://totp/... provisioning URL accepted by every authenticator app in active maintenance. The tool requires crypto.subtle.importKey

  • crypto.subtle.sign (HMAC) and crypto.getRandomValues — all present in every browser released since 2018 (Chrome 70+, Firefox 60+, Safari 14+, Edge 79+).

Frequently asked questions

Will Google Authenticator actually accept the codes this tool produces?
Yes. The tool follows RFC 6238 exactly — HMAC-SHA-1 over an 8-byte counter that increments every 30 seconds, dynamic truncation per RFC 4226 §5.3, and the standard otpauth://totp/… provisioning URL format. Scan the QR code in Google Authenticator, Authy, 1Password, Bitwarden, Microsoft Authenticator or any other RFC 6238 client and the codes the app shows will match the ones this page generates. The default options (6 digits, 30-second period, SHA-1) are the ones every authenticator supports; the SHA-256 / SHA-512 / 8-digit options are also supported by most modern apps but check yours first.
How is this different from the OTP Generator?
The plain OTP Generator produces a single random numeric code — useful for verification flows where you email or text a one-time number to a user and store it for later comparison. TOTP is different in two important ways: codes change automatically every 30 seconds based on the clock, and they are derived from a shared secret the server and the user's app both know. There is no per-request storage on the server side beyond the shared secret. TOTP is what powers the six-digit codes in your authenticator app; plain OTP is what powers the SMS code your bank sends you.
What if my server clock is off by a few seconds?
RFC 6238 §5.2 recommends accepting codes from the current step and the step immediately before and after — three steps in total, covering ±30 seconds of clock skew with a 30-second period. The codes the tool shows under "Current code" and "Next code" are exactly those windows. If you run your own validation, accept any of [T-1, T, T+1] and your users will not notice short-term clock drift on either end.
Why is the default algorithm SHA-1? Isn't SHA-1 considered broken?
SHA-1 is broken for collision attacks — which is what matters in code-signing, certificate-signing and similar applications. It is not broken for HMAC use, which is what TOTP relies on. RFC 6238 specifies SHA-1 as the default, and every authenticator app on earth supports it. The SHA-256 and SHA-512 options are also part of RFC 6238 and supported by most modern apps, but check your specific app first — some older ones only handle SHA-1. For new applications the safe pick is the default.
Is the shared secret transmitted anywhere?
No. The secret is generated by your browser's Web Crypto CSPRNG, the HMAC is computed by crypto.subtle on your CPU, and the QR code is rendered locally by the qrcode library. There is no server request at any point — you can verify in the browser's Network tab, or simply turn off Wi-Fi after loading the page; the tool keeps working. Treat the QR code as you would any password: don't screenshot and share it, and rotate it if you suspect exposure.

Related tools

OTP Generator

Generate cryptographically random one-time numeric codes (4/6/8 digits).

QR Code Generator

Generate scannable QR codes for text, links, and phone numbers.

Random Token Generator

Generate secure random tokens — alphanumeric, hex, base64url or URL-safe.

HMAC Generator

Generate HMAC signatures with the Web Crypto API.

Password Generator

Generate strong, configurable passwords.

JWT Decoder

Decode and inspect JSON Web Token headers and payloads.