PureDevTools

TOTP / 2FA Code Generator

Generate TOTP two-factor authentication codes from a secret key — live countdown, SHA-1/256/512

All processing happens in your browser. No data is sent to any server.


You’re setting up two-factor authentication for a new service and want to verify your TOTP implementation generates the correct codes — without installing an authenticator app. Or you’re a developer testing TOTP integration and need to quickly generate codes from a known secret key. This tool implements RFC 6238 TOTP entirely in your browser.

How TOTP Works

TOTP (Time-based One-Time Password) is defined in RFC 6238. It generates a one-time code by combining a shared secret key with the current Unix timestamp:

  1. Calculate the time step: T = floor(current_unix_time / period) (default period: 30 seconds)
  2. Compute an HMAC-SHA1 of the 8-byte big-endian encoding of T using the secret key
  3. Dynamically truncate the HMAC result: the low 4 bits of its last byte give an offset, take the 4 bytes starting there, and mask off the top bit to get a 31-bit integer
  4. Compute code = truncated_value mod 10^digits (default: 6 digits)

The shared secret is typically encoded as Base32 (e.g., JBSWY3DPEHPK3PXP). The same secret and time step always produce the same code, so the server can compute the expected code independently and compare it, without any communication with the user's device during verification.

Setting Up TOTP

Most services present a QR code containing an otpauth:// URI: otpauth://totp/Service:user@example.com?secret=BASE32SECRET&issuer=Service&algorithm=SHA1&digits=6&period=30. Scan this with Google Authenticator, Authy, or 1Password. To use this tool, extract the secret value from the URI.
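The four steps above and the otpauth:// URI format, worked through in Python as an added example (this is not the tool's own code, which runs on the Web Crypto API in the browser). The SAMPLE_URI is constructed for the example and reuses the page's sample secret; secrets are passed as raw bytes so the RFC 6238 test vectors can be checked directly.

```python
import base64
import hashlib
import hmac
import struct
from urllib.parse import parse_qs, urlparse

# Constructed sample URI in the otpauth:// form shown above (secret is the page's example key).
SAMPLE_URI = ("otpauth://totp/Service:user@example.com"
              "?secret=JBSWY3DPEHPK3PXP&issuer=Service&algorithm=SHA1&digits=6&period=30")

def decode_base32_secret(text: str) -> bytes:
    """Decode a Base32 secret, ignoring spaces/dashes and restoring the '='
    padding that authenticator URIs usually omit."""
    cleaned = "".join(ch for ch in text.upper() if ch not in " -")
    cleaned += "=" * (-len(cleaned) % 8)
    return base64.b32decode(cleaned, casefold=True)

def totp(secret: bytes, unix_time: int, digits: int = 6, period: int = 30,
         algorithm: str = "SHA1") -> str:
    """RFC 6238: HMAC over the 8-byte big-endian time step, then RFC 4226 dynamic truncation."""
    digestmod = {"SHA1": hashlib.sha1, "SHA256": hashlib.sha256,
                 "SHA512": hashlib.sha512}[algorithm.upper()]
    step = unix_time // period                        # T = floor(time / period)
    mac = hmac.new(secret, struct.pack(">Q", step), digestmod).digest()
    offset = mac[-1] & 0x0F                           # low nibble of last byte picks the window
    code = int.from_bytes(mac[offset:offset + 4], "big") & 0x7FFFFFFF  # drop sign bit (31 bits)
    return str(code % 10 ** digits).zfill(digits)     # keep leading zeros

def seconds_remaining(unix_time: int, period: int = 30) -> int:
    """Countdown until the current code expires."""
    return period - (unix_time % period)

def totp_from_uri(uri: str, unix_time: int) -> str:
    """Parse an otpauth://totp/... URI and generate the code for that moment."""
    parsed = urlparse(uri)
    if parsed.scheme != "otpauth" or parsed.netloc != "totp":
        raise ValueError("not a TOTP otpauth URI")
    q = {k: v[0] for k, v in parse_qs(parsed.query).items()}
    return totp(decode_base32_secret(q["secret"]), unix_time,
                digits=int(q.get("digits", 6)), period=int(q.get("period", 30)),
                algorithm=q.get("algorithm", "SHA1"))

if __name__ == "__main__":
    import time
    now = int(time.time())
    print(totp_from_uri(SAMPLE_URI, now), "expires in", seconds_remaining(now), "s")
```

Checking the function against the published RFC 6238 Appendix B vectors (ASCII secret "12345678901234567890", 8 digits, time 59) is the quickest way to confirm an implementation before comparing it with a real authenticator app.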

Security Considerations

TOTP codes are only valid for one 30-second window (plus optional clock skew tolerance). The security relies on the secrecy of the shared key — never share your TOTP secret or screenshot it. This tool processes everything in your browser and does not store or transmit your secret key.

Frequently Asked Questions

What is Base32 and how do I recognize a TOTP secret? Base32 uses the alphabet A–Z and 2–7. TOTP secrets look like JBSWY3DPEHPK3PXP — 16 to 32 characters of uppercase letters and digits 2–7, sometimes with spaces or dashes for readability (ignored during computation).

Why does the code change every 30 seconds? The 30-second period is the standard defined in RFC 6238. It balances usability (enough time to type the code) with security (codes expire quickly). Some services use 60-second periods.

Can I use SHA-256 instead of SHA-1? RFC 6238 supports SHA-1, SHA-256, and SHA-512, but almost all real-world implementations use SHA-1 for compatibility with Google Authenticator and other apps. This tool supports all three.

Is my TOTP secret safe in this tool? Yes. The secret never leaves your browser. All HMAC computation uses the Web Crypto API client-side. Do not use this tool on untrusted computers.
