ToolsGiver

Developer

TOTP / 2FA Code Generator

RFC 6238 in your browser via SubtleCrypto. Paste a base32 secret or otpauth:// URI, get the rotating 6-digit code. Secret never leaves your device.

Your secret stays here.The base32 secret is held only in memory in your browser and used to compute the code via the browser's SubtleCrypto API. Nothing reaches a server. For real 2FA use a dedicated mobile authenticator app (Authy, 1Password, Aegis).

Algorithm settings

Almost every service uses SHA-1 / 6 digits / 30s. Only change these if your provider explicitly tells you to.

Overview

What this tool does

TOTP (Time-based One-Time Password) is the 6-digit code that authenticator apps like Google Authenticator, Authy, and 1Password show next to each account. It's the second factor in two-factor authentication. This tool implements the same RFC 6238 algorithm right in your browser using the SubtleCrypto API. Paste a base32 secret (or a full otpauth:// URI that QR codes encode) and you get the current code plus a live countdown showing when the next code arrives. Useful for adding 2FA in a setup script, sanity-checking that you copied the secret correctly, or as a last-resort backup if your authenticator app is unavailable. The secret never leaves your browser.

How to

Use it in 3 steps

  1. Paste your base32 secret in the input. Most services show this as a short string of A-Z and 2-7 characters during 2FA setup.
  2. OR paste the full otpauth:// URI (the kind embedded in setup QR codes). The form auto-populates from it.
  3. Read the 6-digit code. It rotates every 30 seconds; the countdown bar shows time remaining.
  4. Copy the code to clipboard with the Copy button. Use it as your 2FA code anywhere you'd use Google Authenticator's code.
  5. Override hash algorithm, digit count, or period only if your provider explicitly tells you to. Defaults match almost every service.

FAQ

Frequently asked questions

Should I use this instead of a real authenticator app?

No, not for primary 2FA. A dedicated mobile authenticator (Authy, 1Password, Aegis, Google Authenticator) keeps the secret in secure storage on your device. A web tool can be hijacked by browser extensions or malware. Use this as a backup, a setup-script helper, or a sanity check.

Is my secret uploaded?

No. The base32 secret stays in your browser's memory while you have the page open. The math (HMAC + dynamic truncation per RFC 4226 / 6238) runs entirely in your browser via the SubtleCrypto API. Close the tab and the secret is gone.

What's a base32 secret?

It's the encoding format authenticator-app secrets use: 32 characters (A-Z plus the digits 2-7) representing 5 bits each. During 2FA setup, services show you this string (often grouped in 4-char blocks for readability) alongside a QR code that contains the same secret in a URI.

What's an otpauth URI?

The string a 2FA setup QR code encodes. Format: otpauth://totp/Label?secret=ABC&issuer=Example&algorithm=SHA1&digits=6&period=30. Pasting one auto-fills every field of this tool.

Why does the next code preview matter?

When the countdown is below 5 seconds, you might enter the current code into a website but by the time you press submit, the code has rolled over. Seeing the next code lets you decide whether to wait or use the upcoming one.

What if the code is wrong?

Check (1) the secret has no typos and no spaces; (2) the hash algorithm matches what the service uses (almost always SHA-1); (3) digit count and period match (6 and 30 are the defaults); (4) your device's clock is correct (TOTP is time-based; a clock that's off by minutes will give wrong codes).

Related

You might also like