TOTP Authenticator — Online one-time passord generator (RFC 6238)

Generate and copy Time-based One-Time Passwords (TOTP) instantly for testing, debugging, and QA. Configure algorithm (SHA-1 / SHA-256 / SHA-512), digit length (6 or 8), and see live codes that refresh every 30 seconds per RFC 6238.

Your data security is our top priority. All TOTP code generation and application management happen entirely in your browser.
This tool does not store or transmit your secret keys or codes outside of your browser.

How the Tool Works

Step 1.
Enter Your Application’s Secret Key
Paste the shared TOTP secret (base32) from your app’s 2FA setup screen.
Step 2.
Customise Algorithm and Digit Length
Choose SHA-1, SHA-256, or SHA-512, and pick 6 or 8 digits. SHA-1 + 6 digits is the common default; use stronger hashes if your integration requires it.
Step 3.
Generate One-Time Password
The current OTP is generated and updates automatically on a 30-second timestep (default per RFC 6238). Save up to 10 different application secrets for quick testing.
Step 4.
Copy an use the One-Time Password for authentication
Click/tap the code to copy it to your clipboard and paste it into your app’s login flow.

⚠️ Caution: All code generation and storage happen in your browser memory only.
And therefore, when your browser cache is cleared or if you reinstall your browser, all data saved for this tool will be permanently deleted.

Secure Your Accounts Seamlessly with Authgear

Authgear gives you scalable identity management, secure authentication, and easy integration.

Get Started for Free

Troubleshooting

Codes don’t match?
  • Check server and client clocks — TOTP depends on accurate time; allow a verification window (±1 timestep) during testing.
Wrong secret format?
  • Ensure the secret is base32. If you have a QR code, scan it or extract the secret= parameter from the otpauth URI.
“Algorithm mismatch” errors
  • Verify that both the server and authenticator are using the same algorithm (SHA-1/256/512), digit length, and timestep.
Intermittent failures in tests
  • Confirm you’re not reusing a secret in multiple environments (e.g., same secret across staging & prod can cause confusion)

FAQ

What is TOTP?
TOTP (Time-Based One-Time Password) is an industry-standard algorithm for generating temporary, single-use codes based on the current time and a shared secret. TOTP is defined by the official IETF standard RFC 6238, which specifies how these codes are calculated to provide short-lived OTP values for secure two-factor authentication across websites, applications, and services.
Why TOTP?
Strengthens security with two-factor authentication (2FA)
Widely adopted by major platforms (Google, Microsoft, GitHub, etc.)
Tokens expire quickly, minimising the risk of code reuse
How long is a TOTP valid?
By default 30 seconds (RFC 6238 recommends 30s). Server verification often allows a one-step grace window for clock skew.
Which algorithm should I use — SHA-1, SHA-256 or SHA-512?
SHA-1 is widely supported and used by most authenticator apps; SHA-256/512 are more robust if you control both the client and server and want stricter hashing. Ensure all sides use the same algorithm.
Should I use 6 or 8 digits?
6 digits is the common standard (balances usability and security). 8 digits provide slightly more entropy but are less common for consumer authenticators.
How do I extract a secret from an otpauth:// URI?
The secret= parameter in the otpauth:// URL is the base32 secret.
Preferences

Privacy is important to us, so you have the option of disabling certain types of storage that may not be necessary for the basic functioning of the website. Blocking categories may impact your experience on the website.

Accept all cookies

These items are required to enable basic website functionality.

Always active

These items are used to deliver advertising that is more relevant to you and your interests.

These items allow the website to remember choices you make (such as your user name, language, or the region you are in) and provide enhanced, more personal features.

These items help the website operator understand how its website performs, how visitors interact with the site, and whether there may be technical issues.

Thank you! Your submission has been received!
Oops! Something went wrong while submitting the form.