TOTP Secret & 2FA Code Generator

A free TOTP (Time-based One-Time Password) generator that produces RFC 6238-compliant secrets and renders the QR code your authenticator app expects. Generate a fresh random Base32 secret, paste an existing one to verify it works, and watch the 6-digit code refresh live in your browser. Compatible with Google Authenticator, Authy, Aegis, Microsoft Authenticator, 1Password and any RFC-compliant app.

How to use

1. Generate or paste a secret

Click "Random" for a fresh 160-bit Base32 secret, or paste an existing one to verify your authenticator setup.

2. Fill issuer and account

These show up as the entry label in your authenticator app — e.g. "GitHub: alice@example.com".

3. Scan the QR

Open Google Authenticator, Authy or Aegis, tap "Add account", and scan the QR. The 6-digit code in the app should match this page.

4. Save the secret

Copy the Base32 secret to a password manager as a backup. If your phone is lost, you can restore the same TOTP entry on a new device.

Generate a 2FA secret, render the QR for any authenticator app, and watch the 6-digit code update every 30 seconds


Features

RFC 6238 compliant
QR for any authenticator
Live countdown
Custom algorithm / digits / period
Crypto-secure secret
Local computation

FAQ

What is TOTP?

Time-based One-Time Password — RFC 6238. A 6-digit code derived from a shared secret and the current 30-second time window, used as the second factor for two-factor authentication.

Why is my authenticator showing a different code?

Most commonly: clock skew. Check that your phone and computer agree on the time. The TOTP algorithm is purely time-based — if clocks differ by more than 30 seconds, codes will not match.

Is the secret transmitted anywhere?

No. The secret is generated by crypto.getRandomValues in your browser, and the HMAC is computed via the Web Crypto API. Nothing is sent to a server.
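The local computation described in the two answers above (secret generation and HMAC through Web Crypto, and the effect of clock skew), as an added example that is not this tool's own code. The function names `randomSecret`, `totp` and `skewSteps` are hypothetical, and `skewSteps` is an assumed diagnostic that reports how many 30-second steps away a given code would have been valid.

```javascript
// Added example (not the tool's code); all function names are hypothetical.
const B32 = 'ABCDEFGHIJKLMNOPQRSTUVWXYZ234567';

function base32Encode(bytes) {
  let bits = 0, value = 0, out = '';
  for (const b of bytes) {
    value = (value << 8) | b; bits += 8;
    while (bits >= 5) { out += B32[(value >>> (bits - 5)) & 31]; bits -= 5; }
  }
  return bits ? out + B32[(value << (5 - bits)) & 31] : out;
}

function base32Decode(str) {
  let bits = 0, value = 0; const out = [];
  for (const ch of str.toUpperCase().replace(/[\s=]/g, '')) {
    const idx = B32.indexOf(ch);
    if (idx < 0) throw new Error('invalid Base32 character: ' + ch);
    value = (value << 5) | idx; bits += 5;
    if (bits >= 8) { out.push((value >>> (bits - 8)) & 255); bits -= 8; }
  }
  return new Uint8Array(out);
}

// Web Crypto: global in browsers and current Node; older Node needs the import.
const webCrypto = async () => globalThis.crypto ?? (await import('node:crypto')).webcrypto;

// 20 random bytes = 160 bits = 32 Base32 characters.
const randomSecret = async () =>
  base32Encode((await webCrypto()).getRandomValues(new Uint8Array(20)));

async function totp(secretB32, unixSeconds, { period = 30, digits = 6, hash = 'SHA-1' } = {}) {
  const counter = new DataView(new ArrayBuffer(8)); // 8-byte big-endian step counter
  counter.setBigUint64(0, BigInt(Math.floor(unixSeconds / period)));
  const { subtle } = await webCrypto();
  const key = await subtle.importKey('raw', base32Decode(secretB32),
    { name: 'HMAC', hash }, false, ['sign']);
  const mac = new Uint8Array(await subtle.sign('HMAC', key, counter.buffer));
  const off = mac[mac.length - 1] & 0x0f; // RFC 4226 dynamic truncation
  const bin = ((mac[off] & 0x7f) << 24) | (mac[off + 1] << 16) | (mac[off + 2] << 8) | mac[off + 3];
  return String(bin % 10 ** digits).padStart(digits, '0');
}

// Clock-skew check: the step offset within ±maxSteps where `code` matches, else null.
async function skewSteps(secretB32, code, unixSeconds, maxSteps = 2, period = 30) {
  for (const d of [...Array(2 * maxSteps + 1).keys()].map(i => i - maxSteps)) {
    if (await totp(secretB32, unixSeconds + d * period, { period }) === code) return d;
  }
  return null;
}
```

With the RFC 6238 SHA-1 test key (`GEZDGNBVGY3TQOJQGEZDGNBVGY3TQOJQ`) at Unix time 59, `totp` returns `287082`. A result of `-1` from `skewSteps` means the code came from a clock one step behind the time passed in.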

Can I use SHA-256 or SHA-512?

You can, but most authenticator apps assume SHA-1. Google Authenticator, for example, ignores the algorithm parameter in otpauth:// URIs and always uses SHA-1. Stick to SHA-1 for maximum compatibility.

How do I back up the secret?

Copy the Base32 string into a password manager (Bitwarden, 1Password, KeePass) under the same account. If your authenticator is lost, you can add the entry to a fresh device by pasting the secret.

Why 6 digits and not 8?

6 is the convention for consumer 2FA — it balances brute-force resistance with manual entry effort. 8-digit codes appear on banking and high-security tokens. Use what your service requires.
