TOTP Generator (2FA Codes)
Turn a base32 TOTP secret into the live six-digit code an authenticator app would show. It is handy for testing a two-factor login when you do not want to reach for your phone, and for confirming a server is generating the right codes.
How to generate a TOTP code
- Paste the base32 secret from your 2FA setup screen (the string behind the QR code).
- Leave the defaults (SHA-1, 6 digits, 30 seconds) unless your provider specifies otherwise.
- Read the current code and the seconds left before it rotates, then copy it.
Examples
RFC 6238 reference seed
Input: secret "GEZDGNBVGY3TQOJQGEZDGNBVGY3TQOJQ", time 59s, 8 digits
Output: 94287082
Frequently asked questions
How does TOTP work?
TOTP combines a shared secret with the current time, counted in 30-second steps. It runs HMAC over that step counter and truncates the result to a short code, so your app and the server compute the same number independently and the secret itself is not sent when you log in.
Why is my code rejected even though it looks right?
Usually clock drift. TOTP depends on accurate time, so if your device clock is off by more than a step the code will not match. Most servers accept the previous and next step to allow a little drift.
What settings do most apps use?
Google Authenticator and similar apps default to SHA-1, 6 digits and a 30-second period. Some providers use 8 digits or a different algorithm, which you can set here.
Is it safe to paste my real 2FA secret here?
The code is computed entirely in your browser and nothing is uploaded. Even so, treat this as a testing tool. For a real account, your phone authenticator is the safer place to keep the secret.
What is the difference between TOTP and HOTP?
HOTP increments a counter each time you use it, while TOTP uses the current time as the counter. TOTP is what almost all modern authenticator apps use.
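The answers above on how TOTP works, on clock drift and on HOTP versus TOTP, as an added Python example (not this tool's own code). The function names and the `last_step` parameter are illustrative assumptions. It goes slightly beyond the page by refusing a time step that was already accepted, which RFC 6238 requires of verifiers.

```python
import base64
import hashlib
import hmac
import struct


def hotp(key: bytes, counter: int, digits: int = 6, algo: str = "sha1") -> str:
    """RFC 4226 HOTP: HMAC over an 8-byte big-endian counter, then truncate."""
    mac = hmac.new(key, struct.pack(">Q", counter), getattr(hashlib, algo)).digest()
    offset = mac[-1] & 0x0F  # low nibble of the last byte selects a 4-byte window
    value = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF  # clear top bit
    return str(value % 10 ** digits).zfill(digits)


def decode_secret(secret_b32: str) -> bytes:
    """Accept secrets as setup screens show them: spaces, lower case, no padding."""
    s = secret_b32.replace(" ", "").replace("-", "").upper()
    return base64.b32decode(s + "=" * (-len(s) % 8))


def totp(secret_b32: str, unix_time: float, digits: int = 6,
         period: int = 30, algo: str = "sha1") -> str:
    """RFC 6238 TOTP: HOTP whose counter is floor(unix_time / period)."""
    return hotp(decode_secret(secret_b32), int(unix_time // period), digits, algo)


def verify(secret_b32: str, code: str, unix_time: float, window: int = 1,
           digits: int = 6, period: int = 30, last_step: int = -1):
    """Server-side check. Returns the matched time step, or None.

    Accepts +/- `window` steps to tolerate clock drift and skips any step
    <= last_step (the last step already accepted) so a code cannot be replayed.
    """
    key = decode_secret(secret_b32)
    now = int(unix_time // period)
    matched = None
    for step in range(max(0, now - window), now + window + 1):
        if step <= last_step:
            continue
        expected = hotp(key, step, digits).encode()
        # Constant-time compare; no early exit, so timing does not show which step hit.
        if hmac.compare_digest(expected, str(code).encode()):
            matched = step
    return matched
```

On success, the caller stores the returned step as `last_step` for that account and passes it to the next `verify` call.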
Related tools
HMAC Generator
Generate an HMAC for a message and secret key with SHA-1, SHA-256, SHA-384 or SHA-512. Verify webhook and API signatures, with hex or base64 output.
JWT Generator
Create a signed HS256 JSON Web Token from a JSON payload and secret. Signs in your browser, nothing is sent to a server. Great for testing.
Hash Generator
Generate SHA-1, SHA-256, SHA-384 and SHA-512 hashes from any text. Live, lowercase hex output that runs entirely in your browser.
AES Encryption
Encrypt and decrypt text with AES-GCM and a password. Uses 256-bit keys derived with PBKDF2, runs entirely in your browser, and nothing is uploaded.
CSP Analyzer
Paste a Content-Security-Policy header and get it parsed into directives and audited for weaknesses, with severity and fixes. Runs in your browser.
CVSS Calculator
Calculate a CVSS v3.1 base score and severity from the eight base metrics. Build the vector string and see how each choice moves the score, in your browser.