Free TOTP generator

Turn a base32 secret into a live 2FA code, or generate a new secret and scan it into your authenticator app. The HMAC is computed on your device with the Web Crypto API, so the secret is never sent to a server, logged, or stored. No sign-up, no tracking.

Paste the secret your server issued, or generate a 160-bit one here. Spaces and lowercase are fine.

Current code

••• •••

Enter a base32 secret to see a code.

A browser tab is a fine place to test a TOTP flow and a poor place to keep a real second factor. Once you have checked the secret works, store it in an authenticator app or a password manager.

Copied to clipboard

How the TOTP generator works

1

Enter or generate a secret

Paste the base32 secret your server issued, or press New secret to draw 160 random bits from crypto.getRandomValues.

2

The code is signed on your device

The clock is divided into steps, and each step number is HMAC'd with your secret through crypto.subtle. That HMAC is truncated to the digits you asked for.

3

Copy the code or scan the QR

Copy the live code, or scan the otpauth QR to load the same secret into a phone authenticator. No request leaves the page either way.

Private by design: nothing leaves your browser

A TOTP secret is not a password you can rotate quietly. Whoever holds it can produce a valid code for that account on any day, from any machine, until someone notices and re-enrols. Paste one into a site that computes the code on its server and you have handed over the second factor. This page has no server to hand it to:

01

100% client-side

The HMAC is computed with crypto.subtle.sign, the browser's own audited crypto, and random secrets come from crypto.getRandomValues. Producing a code makes no network request, so open the devtools network tab and watch it stay empty.

02

Nothing stored or logged

There is no account and no history. The secret lives in the page's memory and nowhere else, so reloading the tab wipes it and closing the tab ends it.

03

The QR is drawn locally

The otpauth:// URI is built in the page and the QR image is drawn there too, by your browser. Nothing is uploaded and no link is shortened, so the QR that carries your secret exists only on your screen.

If a code is rejected, check these first

  1. The clock. TOTP is time-based, so a device more than one step out of sync produces codes the server has already moved past.
  2. The algorithm. Servers usually expect SHA-1, and several authenticator apps ignore the algorithm in the otpauth URI and use SHA-1 regardless of what you set.
  3. The digits and period. 6 digits on a 30-second step is what almost everything assumes.
  4. The secret itself. Base32 has no 0, 1, or 8, so a hand-typed key with those characters in it was misread.

Built for developers and security teams

Anyone who needs a real 2FA code without trusting a stranger's backend with the secret that produces it. BlockSurvey takes the same position on research data with zero-knowledge surveys, where responses are encrypted before they ever reach a server.

Developers

Build a TOTP enrolment flow and check your server's codes against a second, independent implementation instead of against itself.

Security & IT teams

Confirm an enrolment QR encodes the algorithm, digits, and period you meant before it goes out to the whole company.

People moving phones

Check that a saved secret still produces the codes your old device did, before you wipe the old device.

Building something that handles sensitive data?

BlockSurvey runs on zero-knowledge surveys, so the responses you collect are never sold or mined. Responses are encrypted on the respondent's device, so the server stores nothing readable.

More free privacy tools

Browse all privacy tools

These tools run in your browser because that is how we build everything. The same idea, applied to research: privacy-first surveys with end-to-end encryption.

Frequently asked questions

Is this TOTP generator free?

Yes. It is free, there is no sign-up, and there is no limit on how many codes or secrets you generate.

Is my 2FA secret sent to a server?

No. The secret stays in the page. The HMAC that produces each code is computed on your device with the browser's Web Crypto API (crypto.subtle), and the page makes no network request to generate a code. This matters more here than on most tools: anyone who holds a TOTP secret can mint valid codes for that account forever, so a generator that posts your secret to a backend has taken your second factor.

How is the code calculated?

By RFC 6238. The current Unix time in seconds is divided by the period (30 by default) to get a counter, that counter is written as an 8-byte big-endian value, and an HMAC of it is taken with your base32 secret as the key. The last 4 bits of the HMAC pick an offset, 4 bytes are read from that offset, the top bit is masked off, and the result is reduced modulo 10^digits. Change the secret, the counter, the hash, or the digit count and you get a different code.

What is a base32 secret?

TOTP secrets are shared as base32 (RFC 4648): the letters A to Z and the digits 2 to 7. The alphabet skips 0, 1 and 8 because they are easy to confuse with O, I and B when someone types a key by hand. Google Authenticator, 1Password, Authy, and most server libraries all expect this encoding, which is why the secret here is shown in base32 rather than as hex.

Why does my code not match my authenticator app?

Usually one of four things. Your device clock is off by more than a step, so check that it is set to sync automatically. The algorithm, digit count, or period does not match what the server expects. The secret was mistyped, since base32 has no 0, 1 or 8. Or the app quietly ignores the algorithm in the otpauth URI, which several of them do, and computes SHA-1 regardless.

Which algorithm, digits, and period should I choose?

SHA-1, 6 digits, and a 30-second period, unless the server you are enrolling with says otherwise. That combination is what almost every authenticator app supports, and SHA-1 in an HMAC is not affected by the collision attacks that killed SHA-1 for signatures. Pick SHA-256 or SHA-512 only when you control both the server and the app and you have confirmed the app honours the setting.

Can I use this instead of an authenticator app?

For building and testing, yes. As your everyday second factor, no. A browser tab is not a safe home for a long-lived TOTP secret: the page has no lock, no backup, and closing it loses the secret. Use this to enrol a test account, check a QR code before you roll it out, or confirm a new phone produces the same codes as the old one. Keep the real secret in an authenticator app or a password manager.

Is the QR code uploaded anywhere?

No. The otpauth:// URI is built in the page and the QR image is drawn there too, by your browser. Nothing is uploaded and no link is shortened, so the QR that carries your secret exists only on your screen.

Can I use this offline?

Yes. Once the page has loaded you can disconnect and it keeps producing codes, because the computation and the clock both come from your own device.

Do you store the secret I enter or generate?

No. The TOTP secret and every code derived from it are computed in your browser and never sent to a server. Close or refresh the tab and the secret is gone, so save it yourself if you still need it.

How is this different from a paid TOTP tool?

Some paid or convenience TOTP generators run the code computation on a server, which means a secret that is meant to be a second factor passes through a backend. This one computes everything client-side with the Web Crypto API, so the secret never leaves your device, and there is no sign-up or limit.
Scripts are blocked. This site won’t work properly. If you’re using Brave, click the Shields icon and turn off Block scripts. Otherwise disable your ad blocker for this site.