epitometool

TOTP tool

Generate 6-digit rolling TOTP codes and otpauth URIs from Base32 secrets.

Quick start

How to generate TOTP

Generate a secret, view the 6-digit rolling code, and copy the otpauth URI.

  1. Set issuer/account: enter the label metadata used in authenticator apps.
  2. Generate secret: create a random Base32 shared secret.
  3. Use code/URI: use the current code or the otpauth URI for app enrollment.

In-depth guide

TOTP codes explained: how authenticator apps generate 6-digit numbers

Time-based One-Time Passwords (TOTP, RFC 6238) are the rotating 6-digit codes that authenticator apps such as Google Authenticator and Authy display for two-factor login. This tool generates a secret, builds the otpauth:// URI you can scan, and shows the current code — all in your browser — so you can test a 2FA flow end to end.

How TOTP works

TOTP combines a shared secret with the current time. The clock is divided into 30-second steps; the step number is fed through HMAC-SHA1 with the secret and truncated to a 6-digit code. Because both the server and your app know the secret and agree on the time, they compute the same code independently — nothing is ever sent over the network to generate it.

How to use this tool

  1. Generate or paste a Base32 secret.
  2. Scan the otpauth:// URI (or QR) into your authenticator app, or import the secret directly.
  3. Compare the code your app shows with the one here — they should match and roll over together every 30 seconds.

Clock drift and validation windows

If a device clock is off by more than a step, codes will not match. That is why most servers accept the previous and next step as well, giving a small tolerance window. If your generated code never matches a real service, check that the device time is set to update automatically.
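
The computation from "How TOTP works" and the tolerance window described above, as an added example for Node.js (not this tool's own code). The function names are assumptions, and the secret is the RFC 6238 Appendix B test key, so the expected codes are the published test vectors.

```javascript
const { createHmac, timingSafeEqual } = require("node:crypto");

// RFC 6238 Appendix B test key ("12345678901234567890" in Base32); not a real secret.
const RFC_SECRET = "GEZDGNBVGY3TQOJQGEZDGNBVGY3TQOJQ";
const B32 = "ABCDEFGHIJKLMNOPQRSTUVWXYZ234567";

// Decode an RFC 4648 Base32 secret; case, spaces and "=" padding are ignored.
function base32Decode(text) {
  const out = [];
  let bits = 0, value = 0;
  for (const ch of text.toUpperCase().replace(/[\s=]/g, "")) {
    const idx = B32.indexOf(ch);
    if (idx < 0) throw new Error("invalid Base32 character in secret");
    value = ((value << 5) | idx) & 0xfff; // keep only the bits still pending
    bits += 5;
    if (bits >= 8) { bits -= 8; out.push((value >>> bits) & 0xff); }
  }
  return Buffer.from(out);
}

// HMAC-SHA1 over the 8-byte big-endian step counter, then dynamic truncation.
function hotp(key, counter, digits = 6) {
  const msg = Buffer.alloc(8);
  msg.writeBigUInt64BE(BigInt(counter));
  const mac = createHmac("sha1", key).update(msg).digest();
  const offset = mac[mac.length - 1] & 0x0f;          // low nibble of last byte
  const bin = mac.readUInt32BE(offset) & 0x7fffffff;  // 31-bit value at that offset
  return String(bin % 10 ** digits).padStart(digits, "0");
}

// Code for the 30-second step that contains `unixSeconds`.
function totp(secretB32, unixSeconds, step = 30) {
  return hotp(base32Decode(secretB32), Math.floor(unixSeconds / step));
}

// Server-side check: accept the current step and `window` steps either side.
// Returns the matching step offset (-1, 0, 1 ...) or null if nothing matches.
function verifyTotp(secretB32, code, unixSeconds, window = 1, step = 30) {
  const key = base32Decode(secretB32);
  const counter = Math.floor(unixSeconds / step);
  const given = Buffer.from(String(code));
  let matched = null;
  for (let d = -window; d <= window; d++) {
    if (counter + d < 0) continue;
    const expected = Buffer.from(hotp(key, counter + d));
    if (given.length === expected.length && timingSafeEqual(given, expected)) matched = d;
  }
  return matched;
}
```

A non-zero return value from `verifyTotp` means the code was accepted only because of the tolerance window, which is a useful signal that the client clock is drifting.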

Security and privacy

The secret is the master key to every future code. Anyone who copies it can generate valid codes forever — never share or log it in plain text.
  • Store secrets in the authenticator app or a password manager, never in a shared note.
  • Keep backup codes in case you lose the device, since TOTP has no built-in recovery.
  • Privacy: secrets are generated with crypto.getRandomValues and codes are computed locally — nothing is uploaded.

Common pitfalls

  • Check the result before replacing the original input.
  • Watch for unit, format, encoding, and browser memory limits on large inputs.
  • Keep a copy of important source material until the output is verified.

Frequently asked questions

Which standard does this follow?

RFC 6238 TOTP: 6-digit codes derived from a shared secret and a 30-second time step using HMAC-SHA1.

Can I import the secret into an authenticator app?

Yes. Scan or import the generated otpauth:// URI into Google Authenticator, Authy or similar, and the app will produce the same codes.

Why does my code not match a real service?

Usually clock drift. TOTP depends on accurate time, so set your device clock to update automatically; most servers tolerate one step either side.

How is the code generated without a network call?

Both sides know the secret and the current time, so each computes the same code independently. Nothing is sent over the network to generate it.

What happens if I lose the secret or device?

TOTP has no built-in recovery, so keep backup codes from the service. Anyone who copies the secret can generate valid codes, so guard it carefully.

Is secret generation local?

Yes. Secrets use crypto.getRandomValues and codes are computed in your browser — nothing is uploaded.
