Overview
What this tool does
TOTP (Time-based One-Time Password) is the 6-digit code that authenticator apps like Google Authenticator, Authy, and 1Password show next to each account. It's the second factor in two-factor authentication. This tool implements the same RFC 6238 algorithm right in your browser using the SubtleCrypto API. Paste a base32 secret (or a full otpauth:// URI that QR codes encode) and you get the current code plus a live countdown showing when the next code arrives. Useful for adding 2FA in a setup script, sanity-checking that you copied the secret correctly, or as a last-resort backup if your authenticator app is unavailable. The secret never leaves your browser.
How to
Use it in 3 steps
- Paste your base32 secret in the input. Most services show this as a short string of A-Z and 2-7 characters during 2FA setup.
- OR paste the full otpauth:// URI (the kind embedded in setup QR codes). The form auto-populates from it.
- Read the 6-digit code. It rotates every 30 seconds; the countdown bar shows time remaining.
- Copy the code to clipboard with the Copy button. Use it as your 2FA code anywhere you'd use Google Authenticator's code.
- Override hash algorithm, digit count, or period only if your provider explicitly tells you to. Defaults match almost every service.
FAQ
Frequently asked questions
▶Should I use this instead of a real authenticator app?
No, not for primary 2FA. A dedicated mobile authenticator (Authy, 1Password, Aegis, Google Authenticator) keeps the secret in secure storage on your device. A web tool can be hijacked by browser extensions or malware. Use this as a backup, a setup-script helper, or a sanity check.
▶Is my secret uploaded?
No. The base32 secret stays in your browser's memory while you have the page open. The math (HMAC + dynamic truncation per RFC 4226 / 6238) runs entirely in your browser via the SubtleCrypto API. Close the tab and the secret is gone.
▶What's a base32 secret?
It's the encoding format authenticator-app secrets use: 32 characters (A-Z plus the digits 2-7) representing 5 bits each. During 2FA setup, services show you this string (often grouped in 4-char blocks for readability) alongside a QR code that contains the same secret in a URI.
▶What's an otpauth URI?
The string a 2FA setup QR code encodes. Format: otpauth://totp/Label?secret=ABC&issuer=Example&algorithm=SHA1&digits=6&period=30. Pasting one auto-fills every field of this tool.
▶Why does the next code preview matter?
When the countdown is below 5 seconds, you might enter the current code into a website but by the time you press submit, the code has rolled over. Seeing the next code lets you decide whether to wait or use the upcoming one.
▶What if the code is wrong?
Check (1) the secret has no typos and no spaces; (2) the hash algorithm matches what the service uses (almost always SHA-1); (3) digit count and period match (6 and 30 are the defaults); (4) your device's clock is correct (TOTP is time-based; a clock that's off by minutes will give wrong codes).