TOTP and 2FA codes, explained
What the rotating six-digit codes are, how authenticator apps produce them, what the secret key and otpauth URI mean, and how to generate a code yourself.
What this tool does
The TOTP Generator takes a 2FA secret key (or a full
otpauth:// URI) and shows the current time-based one-time password, with a
countdown to the next one — exactly the code an app like Google Authenticator or Authy
would display. It's handy for testing a 2FA integration, or as a quick backup when your
phone isn't to hand. The secret is processed only in your browser.
What is two-factor authentication?
Two-factor authentication (2FA) asks for something in addition to your password — usually a short code — so a stolen password alone isn't enough to sign in. The most common method is TOTP: a six-digit number that changes every 30 seconds.
How TOTP works
When you enable 2FA, the service generates a random secret key and shows it as a QR code (and as Base32 text). Your authenticator stores that secret. To produce a code, both the service and your app do the same thing (the RFC 6238 standard):
- Take the current time and divide it into 30-second steps.
- Compute an HMAC of the step number using the shared secret.
- Truncate that HMAC down to six digits.
Because both sides share the secret and a roughly synced clock, they compute the same number independently, and nothing has to pass between the service and the app to produce it. That's also why an accurate device clock matters.
The secret key and otpauth URI
The secret is a Base32 string (letters A–Z and digits 2–7), often shown
under the QR code as a “setup key” or “manual entry” code. The QR code itself encodes an
otpauth://totp/... URI that bundles the secret with its settings — algorithm,
number of digits and period. Paste either into the tool; an otpauth URI fills in the options
for you.
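The three steps and the otpauth settings described above, as an added Python example (not the tool's own code, which the page says runs on the Web Crypto API in the browser). The function names are hypothetical, the sample key is the constructed RFC 6238 test key, and the one-step tolerance in `verify` is an assumed service-side allowance for clock drift, not something the page specifies.

```python
import base64
import hashlib
import hmac
import struct
from urllib.parse import parse_qs, urlparse

ALGORITHMS = {"SHA1": hashlib.sha1, "SHA256": hashlib.sha256, "SHA512": hashlib.sha512}


def decode_secret(text):
    """Decode a Base32 setup key, tolerating spaces, lower case and missing '='."""
    cleaned = text.replace(" ", "").replace("-", "").upper()
    cleaned += "=" * (-len(cleaned) % 8)
    return base64.b32decode(cleaned)  # ValueError on characters outside A-Z, 2-7


def parse_input(text):
    """Return (key, algorithm, digits, period) from a bare secret or an otpauth URI."""
    if not text.startswith("otpauth://"):
        return decode_secret(text), "SHA1", 6, 30
    uri = urlparse(text)
    if uri.netloc != "totp":
        raise ValueError("only otpauth://totp/ URIs are handled here")
    q = {k: v[0] for k, v in parse_qs(uri.query).items()}
    return (decode_secret(q["secret"]), q.get("algorithm", "SHA1").upper(),
            int(q.get("digits", 6)), int(q.get("period", 30)))


def totp(key, unix_time, algorithm="SHA1", digits=6, period=30):
    """RFC 6238 code for the time step that contains unix_time."""
    step = int(unix_time) // period                    # 1. time -> step number
    mac = hmac.new(key, struct.pack(">Q", step), ALGORITHMS[algorithm]).digest()  # 2.
    offset = mac[-1] & 0x0F                            # 3. dynamic truncation
    value = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(value % 10 ** digits).zfill(digits)


def verify(key, submitted, unix_time, window=1, **settings):
    """Service-side check: accept the current step and `window` steps either side."""
    period = settings.get("period", 30)
    return any(hmac.compare_digest(totp(key, unix_time + d * period, **settings), submitted)
               for d in range(-window, window + 1))


if __name__ == "__main__":
    # Constructed sample: the RFC 6238 test key "12345678901234567890" in Base32.
    uri = "otpauth://totp/Example:alice?secret=GEZDGNBVGY3TQOJQGEZDGNBVGY3TQOJQ&period=30"
    key, alg, digits, period = parse_input(uri)
    print(totp(key, 59, alg, digits, period))
```

A secret containing 0, 1, 8 or 9 fails in `decode_secret` rather than silently producing wrong codes, and a code from the previous step still verifies while one from three steps back does not.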
How to use it
- Paste your Base32 secret (or otpauth URI) into the secret field.
- If the service uses non-default settings, set the algorithm, digits and period to match.
- Read the current code and copy it before the countdown runs out.
If your code is rejected
- Clock drift — the most common cause. TOTP needs accurate time; sync your device clock.
- Wrong settings — some services use SHA-256, 8 digits, or a 60-second period. Match them.
- Mistyped secret — re-copy it; Base32 has no 0, 1, or 8.
A note on security
Anyone with your TOTP secret can generate your codes, so treat it like a password — the strength of your password and the secrecy of this key are what keep the account safe. This tool keeps everything local, but for day-to-day logins a dedicated authenticator app on your phone is the right place to store secrets.
Your data stays private
Codes are generated locally with the Web Crypto API. Your secret is never uploaded or stored.
FAQ
How does a TOTP code work?
Your account and authenticator share a secret; both compute an HMAC of the current 30-second time step keyed with that secret and truncate the result to a short code, so the two codes match without the app and the service exchanging anything.
Why does the code change every 30 seconds?
The time-step number is part of the calculation, so each new window produces a new code and old ones expire quickly.
My generated code is rejected — why?
Usually a wrong device clock, a mistyped secret, or non-default settings (SHA-256, 8 digits). Check all three.