How to use
- Paste your Base32 secret into the top field — the key a provider tucks behind a “can’t scan the QR?” link — or drop the whole
otpauth://URI in and every field below fills itself from it. - For a bare secret, match the parameters your provider used: Digits (6 or 8), Period in seconds (30 is standard), and Algorithm (SHA1, SHA256 or SHA512). Issuer and account are labels only and never change the code.
- Read the live code from the large display. The bar underneath drains as the current window closes, and the digits roll over on their own when it reaches zero.
- Hit Copy above the code to grab it, or copy the generated
otpauth://URI to carry the same secret to another app. - Starting from scratch? Press Random secret for a fresh 160-bit key, then scan the QR into an authenticator or keep it with Download PNG.
How it works
A TOTP code is an HMAC of the clock, truncated to a handful of digits — RFC 6238 layered on the HOTP construction of RFC 4226. The current Unix time is divided by the period to get a counter, so a code stays fixed for one 30-second window and changes at the next.
Take the secret MFRGGZDFMZTWQ2LKNNWG33Q with the defaults (SHA1, six digits, 30-second period). At 09:41:30 UTC on 7 July 2026 the Unix time is 1,783,417,290; dividing by 30 and flooring gives counter 59,447,243 (hex 38B17CB). Packed into eight big-endian bytes, that counter is run through HMAC-SHA1 keyed with the decoded secret, yielding 4f36…93df. Dynamic truncation reads the low nibble of the final byte (0xdf → 15) as an offset, pulls the four bytes starting there (26 72 4f 93), clears the top bit to stay positive (0x26724F93 = 645,025,683), and takes it modulo 10⁶. The answer is 025683, which the display groups as 025 683. Thirty seconds on, the counter ticks to 59,447,244 and the whole calculation reruns. That keyed hash is the same primitive you can drive by hand in the HMAC generator.
Use cases & limitations
This earns its place when you want to confirm an enrolment worked before trusting it, read a code with your phone across the room, or check that a provider’s digit count and algorithm actually match what you configured. It works the other direction too: mint a secret with Random secret, wire it into a login you are building, and use the codes here to test the round trip.
Two limits worth stating plainly. First, only time-based codes are handled — paste a counter-based (HOTP) link and it is turned away, because those hinge on a shared counter this page has no way to track. Second, the otpauth:// URI and the QR both carry the secret in plain text; whoever photographs that QR holds your second factor outright, so guard both exactly as you would the password.
Privacy note
Codes are computed on your device by the otpauth library over the Web Crypto HMAC — no request is sent and nothing is retained between visits. The QR renderer, the same library behind the QR code generator, is a static script fetched once from this site when a secret first validates; it never transmits the secret, and when you are offline it fails quietly while the codes keep updating. Random secret pulls a 160-bit key from the browser’s cryptographic RNG — the source the key generator relies on, and the reason Math.random() has no business making secrets. On a shared computer, clear the secret field before you step away.