Free TOTP generator
Turn a base32 secret into a live 2FA code, or generate a new secret and scan it into your authenticator app. The HMAC is computed on your device with the Web Crypto API, so the secret is never sent to a server, logged, or stored. No sign-up, no tracking.
Paste the secret your server issued, or generate a 160-bit one here. Spaces and lowercase are fine.
Current code
••• ••• Enter a base32 secret to see a code.
A browser tab is a fine place to test a TOTP flow and a poor place to keep a real second factor. Once you have checked the secret works, store it in an authenticator app or a password manager.
Copied to clipboard
How the TOTP generator works
Enter or generate a secret
Paste the base32 secret your server issued, or press New secret to draw 160 random bits from crypto.getRandomValues.
The code is signed on your device
The clock is divided into steps, and each step number is HMAC'd with your secret through crypto.subtle. That HMAC is truncated to the digits you asked for.
Copy the code or scan the QR
Copy the live code, or scan the otpauth QR to load the same secret into a phone authenticator. No request leaves the page either way.
Private by design: nothing leaves your browser
A TOTP secret is not a password you can rotate quietly. Whoever holds it can produce a valid code for that account on any day, from any machine, until someone notices and re-enrols. Paste one into a site that computes the code on its server and you have handed over the second factor. This page has no server to hand it to:
100% client-side
The HMAC is computed with crypto.subtle.sign, the browser's own audited crypto, and random secrets come from crypto.getRandomValues. Producing a code makes no network request, so open the devtools network tab and watch it stay empty.
Nothing stored or logged
There is no account and no history. The secret lives in the page's memory and nowhere else, so reloading the tab wipes it and closing the tab ends it.
The QR is drawn locally
The otpauth:// URI is built in the page and the QR image is drawn there too, by your browser. Nothing is uploaded and no link is shortened, so the QR that carries your secret exists only on your screen.
If a code is rejected, check these first
- The clock. TOTP is time-based, so a device more than one step out of sync produces codes the server has already moved past.
- The algorithm. Servers usually expect SHA-1, and several authenticator apps ignore the algorithm in the otpauth URI and use SHA-1 regardless of what you set.
- The digits and period. 6 digits on a 30-second step is what almost everything assumes.
- The secret itself. Base32 has no 0, 1, or 8, so a hand-typed key with those characters in it was misread.
Built for developers and security teams
Anyone who needs a real 2FA code without trusting a stranger's backend with the secret that produces it. BlockSurvey takes the same position on research data with zero-knowledge surveys, where responses are encrypted before they ever reach a server.
Developers
Build a TOTP enrolment flow and check your server's codes against a second, independent implementation instead of against itself.
Security & IT teams
Confirm an enrolment QR encodes the algorithm, digits, and period you meant before it goes out to the whole company.
People moving phones
Check that a saved secret still produces the codes your old device did, before you wipe the old device.
Building something that handles sensitive data?
BlockSurvey runs on zero-knowledge surveys, so the responses you collect are never sold or mined. Responses are encrypted on the respondent's device, so the server stores nothing readable.
More free privacy tools
Browse all privacy toolsThese tools run in your browser because that is how we build everything. The same idea, applied to research: privacy-first surveys with end-to-end encryption.