TOTP Authenticator — Two-Factor Code Generator
Free online TOTP authenticator that generates time-based one-time passwords. Supports SHA-1, SHA-256, SHA-512 algorithms. No sign-up, runs in your browser.
Enter a Base32 secret key above to generate TOTP codes
What Is TOTP (Time-Based One-Time Password)?
TOTP is a widely adopted two-factor authentication (2FA) algorithm defined in RFC 6238. It generates short-lived numeric codes from a shared secret key and the current time. Services like Google, GitHub, AWS, and many others use TOTP to add an extra layer of security beyond passwords. Each code is valid for a fixed time window (usually 30 seconds), after which a new code is generated automatically.
How to Use This TOTP Authenticator
- Enter the Base32-encoded secret key provided by the service you want to authenticate with.
- Choose the algorithm (SHA-1 is default for most services), digit count (6 or 8), and period (30s or 60s).
- The tool instantly generates and displays the current TOTP code with a countdown timer.
- Click the code or the Copy button to copy it to your clipboard.
- The code refreshes automatically when the time window expires.
Common Use Cases
- Testing 2FA Implementation — Verify your server-side TOTP validation logic by generating codes from a known secret.
- Emergency Code Generation — Generate TOTP codes without a phone-based authenticator app when you have the base32 secret backed up.
- Multi-Algorithm Verification — Test TOTP codes with different algorithms (SHA-256, SHA-512) to ensure your service supports them correctly.
FAQ
Is it safe to enter my TOTP secret here?
Yes. This tool runs entirely in your browser using the Web Crypto API. No data is sent to any server. However, never share your TOTP secret with untrusted websites.
What is a Base32 secret key?
Base32 is an encoding that uses the letters A-Z and digits 2-7. When you set up 2FA, the service provides a secret key in Base32 format, often alongside a QR code.
Why does my code not match my authenticator app?
Ensure the algorithm, digit count, and period match your service settings. Most services use SHA-1, 6 digits, and a 30-second period. Also verify your device clock is accurate.