What is TOTP Generator?
A free TOTP and HOTP generator for two-factor authentication. Enter your base32 secret key and the tool generates one-time codes — 30-second TOTP codes (RFC 6238) compatible with Google Authenticator, Authy, and most 2FA systems, plus HOTP counter-based codes (RFC 4226) for YubiKey and select banking apps.
Implements RFC 6238 (TOTP) and RFC 4226 (HOTP) entirely on your device — the base32 secret never leaves the page and is wiped when you close the tab. Default settings (SHA-1, 6 digits, 30-second window) match Google Authenticator, Authy, Microsoft Authenticator, 1Password, and most banking apps. SHA-256 and SHA-512 algorithms, 7- or 8-digit codes, and HOTP counter mode are supported for services that require them. An encrypted JSON backup, protected with PBKDF2 + AES-GCM, lets you move every saved account between devices without trusting a sync service.
How to use
- Enter your TOTP secret key (base32) — found in your app's 2FA setup page under "Manual entry" or "Secret key".
- Watch the 6-digit code generate and refresh automatically every 30 seconds.
- Copy the current code and paste it into your login prompt before it expires.
When to use
- Recovering account access when your authenticator phone is lost or wiped.
- Generating a 2FA code on a desktop without installing yet another mobile app.
- Testing 2FA flows during development without exposing a real shared secret.
Result
Your company uses 2FA but you lost your phone. You saved the secret key when setting up. Enter the base32 key here, get your current 6-digit code, and log in while you set up a new authenticator app.
FAQ
- Is it safe to enter my 2FA secret on a webpage?
- The TOTP code is computed entirely on this page — no requests are made with your secret. That said, for high-value accounts (bank, primary email), use a phone-resident authenticator. This tool shines for recovery, testing, and lower-stakes accounts.
- Where do I find the secret key in an app like Google or GitHub?
- On the 2FA setup page, look for a link that says 'Can't scan? Enter manually' or similar. You'll get a base32 string of letters A–Z and digits 2–7, usually 16 to 32 characters. Paste that into the Secret Key field here.
- Why is my code being rejected even though it just generated?
- Most likely clock skew. TOTP relies on your device clock matching the server's. If you're more than 30 seconds off, codes won't match. Sync your device clock with internet time and try again.
- Can I scan a QR code instead of typing the secret?
- Yes. Click Import from QR Code and either upload a screenshot or scan a printed QR. The tool reads the otpauth:// URI, extracts the secret, issuer, account name, algorithm, digits, and period, then adds the entry automatically.
- How do I move accounts to another device?
- Two options. If you still have each original secret, type or scan it into your new authenticator and you're done. If not, use the Backup button: choose a strong password, download the encrypted JSON file, copy it to the new device, then click Import and enter the same password — every account comes back in one step. Without either the original secrets or a backup, the service must reset 2FA from scratch.
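The FAQ answers on QR import and clock skew, as an added Python example (not this tool's own code): it parses an otpauth:// URI, derives RFC 4226/6238 codes, and shows which time steps a verifier would accept. The function names, the sample URI, and the ±1-step acceptance window on the server side are assumptions made for illustration.

```python
import base64, hashlib, hmac, struct
from urllib.parse import parse_qs, unquote, urlparse

DIGESTS = {"sha1": hashlib.sha1, "sha256": hashlib.sha256, "sha512": hashlib.sha512}

def hotp(key: bytes, counter: int, digits: int = 6, algo: str = "sha1") -> str:
    """RFC 4226: HMAC the 8-byte big-endian counter, then dynamic truncation."""
    mac = hmac.new(key, struct.pack(">Q", counter), DIGESTS[algo]).digest()
    offset = mac[-1] & 0x0F  # low nibble of the last byte picks a 4-byte slice
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)  # keep leading zeros

def totp(key: bytes, unix_time: float, period: int = 30, digits: int = 6,
         algo: str = "sha1") -> str:
    """RFC 6238: HOTP with counter = floor(unix_time / period)."""
    return hotp(key, int(unix_time) // period, digits, algo)

def decode_secret(b32: str) -> bytes:
    """Manual-entry secrets are often lowercase, spaced and unpadded."""
    s = b32.replace(" ", "").upper()
    return base64.b32decode(s + "=" * (-len(s) % 8))

def parse_otpauth(uri: str) -> dict:
    """Extract the fields the FAQ lists; defaults are SHA-1, 6 digits, 30 s."""
    u = urlparse(uri)
    q = {k: v[0] for k, v in parse_qs(u.query).items()}
    algo = q.get("algorithm", "SHA1").lower()
    if u.scheme != "otpauth" or u.netloc not in ("totp", "hotp"):
        raise ValueError("not an otpauth totp/hotp URI")
    if "secret" not in q or algo not in DIGESTS:
        raise ValueError("missing secret or unsupported algorithm")
    return {"type": u.netloc, "label": unquote(u.path.lstrip("/")),
            "issuer": q.get("issuer"), "key": decode_secret(q["secret"]),
            "algo": algo, "digits": int(q.get("digits", 6)),
            "period": int(q.get("period", 30))}

def matching_steps(entry: dict, code: str, server_time: float, window: int = 1) -> list:
    """Verifier's view: time-step offsets within +/-window that accept the code."""
    return [d for d in range(-window, window + 1)
            if hmac.compare_digest(code, totp(
                entry["key"], server_time + d * entry["period"],
                entry["period"], entry["digits"], entry["algo"]))]

# Constructed sample: the RFC 6238 test secret "12345678901234567890" in base32.
SAMPLE_URI = ("otpauth://totp/Example:alice@example.com"
              "?secret=gezdgnbvgy3tqojqgezdgnbvgy3tqojq&issuer=Example")
ENTRY = parse_otpauth(SAMPLE_URI)
```

An empty list from `matching_steps` is the rejected-code case from the FAQ: the client's clock has put it in a time step the verifier no longer (or does not yet) accept.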