TOTP Generator
Generate time-based one-time passwords from a Base32 secret key, with a live countdown timer, powered by the Web Crypto API.
How it works
- TOTP uses the current time divided into 30-second intervals as a counter.
- An HMAC-SHA1 of the counter is computed with your secret key.
- A 6-digit code is extracted from the HMAC output via dynamic truncation.
- All computation runs in your browser using the Web Crypto API.
Use this as an API
Automate this in your app with a single POST request. Free tier included.
Use this in your AI agent
Connect via MCP and let Claude, Cursor, or VS Code call this tool natively.
How TOTP works
TOTP divides time into 30-second intervals. The current interval number (the Unix timestamp divided by 30, rounded down) serves as a counter. The algorithm computes an HMAC-SHA1 of this counter with your secret key, then extracts a 6-digit code from the result via dynamic truncation. Both the client (your authenticator app) and the server perform the same calculation, so once they share the secret key they produce matching codes without exchanging any further data.
Base32 encoding
TOTP secret keys use Base32 encoding (A-Z and 2-7) because it's case-insensitive and avoids ambiguous characters like 0/O and 1/I/l. When a service shows you a "setup key" during 2FA enrollment, it's a Base32-encoded version of the raw secret bytes. This tool accepts Base32 input with or without spaces and padding characters.
Security considerations
TOTP codes are only valid for 30 seconds, but the secret key itself is permanent. Anyone who obtains your secret key can generate valid codes indefinitely. Store secret keys in a password manager or hardware security module. Never share them via email or unencrypted channels. For hashing and integrity verification, use our Hash Generator.
TOTP vs HOTP
HOTP (HMAC-based One-Time Password, RFC 4226) uses a monotonically increasing counter instead of time. TOTP builds on HOTP by using time as the counter. TOTP is more widely adopted because it doesn't require counter synchronization between client and server. The trade-off: TOTP codes expire, requiring near-accurate clocks on both ends.
Frequently Asked Questions
- What is TOTP?
- TOTP (Time-based One-Time Password) is an algorithm defined in RFC 6238. It combines a shared secret key with the current time to generate a short-lived numeric code. Google Authenticator, Authy, and 1Password all use TOTP for two-factor authentication.
- Where do I find my secret key?
- When you enable 2FA on a service, you receive a QR code or a Base32-encoded secret key. The secret key is the text string, usually shown as an option below the QR code. Store it securely because it lets anyone generate valid codes for your account.
- Why does my code not match?
- TOTP codes depend on the current time. If your device clock is off by more than 30 seconds, codes won't match the server. Sync your device clock with an NTP server. Also verify you're using the correct secret key for the service.
- Is my secret key sent to a server?
- No. All TOTP computation runs in your browser using the Web Crypto API. Your secret key never leaves your device.