TOTP Generator

Authenticator-style rotating codes from Base32 secrets.

About TOTP Generator

TOTP Generator on UtilityKit computes RFC 6238 Time-based One-Time Passwords directly in your browser from any Base32-encoded secret. Paste the secret key shown during 2FA setup — as a text string like JBSWY3DPEHPK3PXP or from an otpauth:// URI — and instantly see the live 6-digit code along with a 30-second countdown showing exactly how long until it rotates. Previous and next window codes are shown alongside the current one so you can confirm a code that is about to expire or test an integration that accepts one window of grace. Everything runs client-side via the Web Crypto API; no secret is ever transmitted to a server. Useful for developers building TOTP-based 2FA, QA engineers validating login flows, and sysadmins testing backup codes.

Why use TOTP Generator

Instant Debug Aid

Verify that your TOTP implementation produces the correct code without installing a separate authenticator app or configuring a physical device during development.

Fully Client-Side

Your Base32 secret never leaves your browser. All HMAC-SHA1 computation runs locally via the Web Crypto API — no network request is made.

Live Countdown

A real-time 30-second countdown ring shows exactly when the code rotates, preventing failed logins from submitting an expiring code at the last second.

Window Inspection

Previous and next codes are displayed alongside the current one, making it easy to test grace-period logic in authentication backends.

Standards Accurate

Implements RFC 4226 (HOTP) and RFC 6238 (TOTP) exactly — same algorithm used by Google Authenticator, Authy, Microsoft Authenticator, and hardware OTP tokens.

No Install Required

Works in any modern browser on desktop or mobile — no app install, no account, no clipboard permission popups beyond what the browser provides.

How to use TOTP Generator

  1. Obtain the Base32 secret from your service — it appears on the 2FA setup screen as a text string like JBSWY3DPEHPK3PXP or inside a QR code URI starting with otpauth://totp/.
  2. Paste the Base32 secret into the Secret field. Spaces and hyphens are stripped automatically; uppercase and lowercase are both accepted.
  3. The tool immediately displays the current 6-digit TOTP code valid for this 30-second window, together with a live countdown ring showing remaining seconds.
  4. Use the Previous and Next panels to see the codes for the window just before and just after the current one — helpful when a service accepts a one-window grace period.
  5. To test your implementation, compare the displayed code with your authenticator app using the same secret — they must match digit-for-digit at the same moment.
  6. Copy the code with one click and paste it into a login form, a test harness, or a CI environment variable for automated 2FA testing.

When to use TOTP Generator

  • When building a 2FA login flow and you need to generate test codes without unlocking a phone or switching apps.
  • When debugging a TOTP mismatch — use previous/next windows to identify a clock-skew or off-by-one-window bug in your backend.
  • When onboarding a new service that shows a Base32 secret manually and you need to verify it generates the expected code before enrolling your authenticator app.
  • When you need a quick code to paste into a CI/CD pipeline that requires 2FA — without storing the secret in a separate secrets manager just for one test run.
  • When auditing a TOTP implementation against RFC 6238 test vectors to confirm spec compliance.
  • When a team member needs a code from a shared service secret and you want to generate it securely in-browser without copying it to a messaging app.

Examples

Verifying a Base32 secret against an authenticator app

Input: Secret: JBSWY3DPEHPK3PXP (the RFC 6238 test vector secret)

Output: Current code changes every 30 s — e.g. 282760 at T=0. Matches Google Authenticator output for the same secret and system time.

Debugging a one-window grace period

Input: Secret: MY2GCZTBORQXEYLS, backend reports 'code expired'

Output: Previous code shown as 491823, current as 739104, next as 058217. Submit the current code; if the backend still rejects it, check whether clock skew exceeds one window (30 s).

Extracting secret from a QR code URI

Input: otpauth://totp/Example:user@example.com?secret=ORSXG5A&issuer=Example

Output: Paste ORSXG5A into the Secret field — live 6-digit code appears immediately with a 30-second countdown.
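The extraction and normalisation steps above, as an added Python example (not UtilityKit's own code): it parses an otpauth:// URI and decodes the secret the way the Secret field is described as treating it, including the missing `=` padding that a secret such as ORSXG5A has. The function names `decode_secret` and `parse_otpauth` are hypothetical, and the defaults assume the 6-digit, 30-second, SHA-1 configuration this page describes.

```python
import base64
from urllib.parse import urlsplit, parse_qs, unquote

# Sample URI taken from the example on this page.
SAMPLE_URI = "otpauth://totp/Example:user@example.com?secret=ORSXG5A&issuer=Example"


def decode_secret(text: str) -> bytes:
    """Normalise a pasted Base32 secret and return the raw HMAC key bytes."""
    # Strip spaces, hyphens and any existing padding; accept either case.
    cleaned = text.replace(" ", "").replace("-", "").rstrip("=").upper()
    if not cleaned:
        raise ValueError("empty secret")
    # URIs usually omit '=' padding; restore it to a multiple of 8 characters.
    padded = cleaned + "=" * (-len(cleaned) % 8)
    try:
        return base64.b32decode(padded)
    except ValueError as exc:  # binascii.Error is a ValueError subclass
        raise ValueError("secret is not valid Base32") from exc


def parse_otpauth(uri: str) -> dict:
    """Parse an otpauth://totp/ URI into the fields needed to compute codes."""
    parts = urlsplit(uri)
    if parts.scheme != "otpauth":
        raise ValueError("not an otpauth:// URI")
    if parts.netloc != "totp":
        raise ValueError("only the time-based (totp) type is handled here")
    params = parse_qs(parts.query)
    if "secret" not in params:
        raise ValueError("missing secret parameter")
    # The label is "Issuer:account" or just "account".
    label = unquote(parts.path.lstrip("/"))
    prefix, sep, account = label.partition(":")
    return {
        "issuer": params.get("issuer", [prefix if sep else ""])[0],
        "account": account.strip() if sep else label,
        "key": decode_secret(params["secret"][0]),
        "algorithm": params.get("algorithm", ["SHA1"])[0].upper(),
        "digits": int(params.get("digits", ["6"])[0]),
        "period": int(params.get("period", ["30"])[0]),
    }
```

Treat the returned `key` like a password: keep it out of logs and error messages.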

Tips

  • If your code doesn't match your authenticator app, check that your computer's clock is synced. On macOS run 'sudo sntp -sS time.apple.com'; on Linux 'timedatectl status' shows NTP sync state.
  • Base32 secrets from QR codes can be extracted by scanning with a QR decoder tool — look for the 'secret' query parameter in the otpauth:// URI.
  • Add 30 seconds of lead time when automating login flows: generate the next-window code (visible in the Next panel) just before the window rolls to avoid a race condition.
  • Never paste production 2FA secrets into untrusted web tools. This tool is browser-only, but always verify the URL is the real UtilityKit site and not a phishing clone before entering any secret.
  • TOTP secrets are reusable — unlike passwords, regenerating a code from the same secret always works. Back up your Base32 secrets in an encrypted password manager so you are never locked out.

Frequently Asked Questions

Is my Base32 secret sent to the server?
No. The entire TOTP computation — HMAC-SHA1, counter derivation, truncation, and modulo — runs in your browser using the Web Crypto API and JavaScript. Nothing is transmitted to any server.
Why does my code differ from my authenticator app?
TOTP codes are time-dependent, so both devices must have accurate clocks. A clock skew of more than 30 seconds will produce a different window. Check your system clock is synced via NTP. Also confirm you are using the same Base32 secret — a single character difference will produce entirely different codes.
What is a Base32 secret and where do I find it?
The Base32 secret is a string of 16–32 characters using letters A–Z and digits 2–7, provided by the service when you enable 2FA. It is shown on the 2FA setup page either as text (for manual entry) or encoded inside a QR code under the 'secret' parameter of an otpauth:// URI.
What is the standard for TOTP?
TOTP is defined in RFC 6238, which extends HOTP (RFC 4226). It uses HMAC-SHA1 applied to a counter derived from the current Unix time divided by a 30-second step. The result is truncated to 6 digits. All major authenticator apps implement exactly this standard.
Why are three codes shown instead of one?
Many authentication backends accept codes from the previous and next 30-second windows to handle minor clock skew and network latency. Showing all three lets you test grace-period handling or submit the next code when the current one is about to expire.
Can I use this for HOTP (counter-based) tokens?
This tool implements the time-based TOTP variant only. Counter-based HOTP requires a stateful counter stored on both the server and client, which is not supported here. Use a dedicated HOTP library if you need counter-based OTPs.
Does this work for Google Authenticator, Authy, and Microsoft Authenticator secrets?
Yes. All three apps implement RFC 6238 with a 30-second time step and 6-digit output — the same configuration this tool uses. If you enter the same Base32 secret, the codes will match exactly.
Is 6-digit TOTP secure enough for production?
TOTP significantly increases account security over passwords alone. The 30-second window and secret-binding make brute force impractical in real time. For production systems, also enforce rate limiting on OTP attempts, use HTTPS throughout, and store the Base32 secret encrypted at rest.
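The algorithm and the three-window grace period described in the answers above, as an added Python example of the backend side (not UtilityKit's code, which the page says runs in the browser via the Web Crypto API). The names `hotp`, `totp` and `verify` are hypothetical, and the replay check via `last_counter` goes slightly beyond the page: RFC 6238 section 5.2 requires that a code is not accepted a second time after a successful validation.

```python
import hashlib
import hmac
import struct

STEP = 30    # seconds per window (RFC 6238 default, as used on this page)
DIGITS = 6   # code length used on this page

# Shared secret of the RFC 6238 Appendix B SHA-1 test vectors (raw ASCII bytes).
RFC_KEY = b"12345678901234567890"


def hotp(key: bytes, counter: int, digits: int = DIGITS) -> str:
    """RFC 4226: HMAC-SHA1 over the 8-byte counter, then dynamic truncation."""
    mac = hmac.new(key, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F                       # low nibble selects 4 bytes
    value = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(value % 10 ** digits).zfill(digits)


def totp(key: bytes, unix_time: float) -> str:
    """RFC 6238: the HOTP counter is Unix time divided by the time step."""
    return hotp(key, int(unix_time) // STEP)


def verify(key: bytes, code: str, unix_time: float,
           window: int = 1, last_counter: int = -1):
    """Return the counter the code matched, or None if it is rejected.

    Accepts `window` steps either side of the current one (the previous and
    next codes) and refuses any counter at or below `last_counter`, the last
    counter already accepted for this account.
    """
    current = int(unix_time) // STEP
    matched = None
    for counter in range(max(current - window, 0), current + window + 1):
        expected = hotp(key, counter).encode()
        # compare_digest does not leak how many leading digits matched.
        if hmac.compare_digest(expected, code.encode()) and counter > last_counter:
            matched = counter
    return matched
```

Store the returned counter per account and pass it back as `last_counter`; the difference between it and `int(unix_time) // STEP` shows how many windows of clock skew the client has.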

Glossary

TOTP
Time-based One-Time Password — a 6-digit code generated from a shared secret and the current time, valid for a single 30-second window. Defined in RFC 6238.
HOTP
HMAC-based One-Time Password — the counter-based OTP algorithm defined in RFC 4226 that TOTP extends by replacing the counter with a time-derived value.
Base32
An encoding scheme using uppercase letters A–Z and digits 2–7 to represent binary data as printable ASCII. Used to encode TOTP shared secrets because it avoids ambiguous characters like 0, O, 1, and l.
HMAC-SHA1
Hash-based Message Authentication Code using the SHA-1 hash function. TOTP uses HMAC-SHA1 to combine the shared secret and time counter into a verifiable digest before truncation.
Time Step
The interval in seconds over which a TOTP code is valid. The RFC 6238 default is 30 seconds, meaning the code changes every 30 seconds based on Unix time divided by 30.
otpauth URI
A standardised URI scheme (otpauth://totp/Label?secret=BASE32&issuer=Name) used to transfer TOTP credentials via QR code to authenticator apps. Scanning this URI with an app registers the secret automatically.