TOTP & HOTP Generator
RFC 6238 / 4226 · runs entirely in your browser
otpauth:// URI — and watch the
six-, seven-, or eight-digit code roll in real time. Choose HMAC-SHA1, SHA-256
or SHA-512, swap to a 60-second window, or flip into HOTP counter mode for
counter-based 2FA. Your secret never leaves the page.
How it works
TOTP (Time-based One-Time Password, RFC 6238) and
HOTP (HMAC-based, RFC 4226) both compute a code by
HMAC-signing a counter with a shared secret, then truncating the result to the requested
digit count. For TOTP the counter is floor(unixTime / period); for HOTP the
counter is supplied by the application and incremented on each successful use.
This page implements both standards with the full set of options that real deployments care about: HMAC-SHA1 (the default for legacy compatibility), SHA-256 and SHA-512; 6, 7 or 8-digit codes; 30 or 60-second windows for TOTP; and an explicit counter input for HOTP. The HMAC computation runs on the browser's native Web Crypto API, so the secret never crosses a network boundary.
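The computation described above, as an added example (not this page's own source): HOTP and TOTP on the Web Crypto API, exercised with the published RFC 4226 test key. The names hotp, totp and RFC_TEST_KEY are assumptions of this sketch, and the secret is passed as raw bytes, so Base32 decoding is left out.

```javascript
// Added example: HOTP (RFC 4226) and TOTP (RFC 6238) on the Web Crypto API.
// hotp(), totp() and RFC_TEST_KEY are illustrative names, not this page's code.

const HASHES = { SHA1: 'SHA-1', SHA256: 'SHA-256', SHA512: 'SHA-512' };

// ASCII test key from RFC 4226 Appendix D (a published test value, not a real secret).
const RFC_TEST_KEY = new TextEncoder().encode('12345678901234567890');

async function hotp(secret, counter, { algorithm = 'SHA1', digits = 6 } = {}) {
  if (!(algorithm in HASHES)) throw new RangeError(`unsupported algorithm: ${algorithm}`);
  if (![6, 7, 8].includes(digits)) throw new RangeError('digits must be 6, 7 or 8');
  if (!Number.isSafeInteger(counter) || counter < 0) {
    throw new RangeError('counter must be a non-negative integer');
  }
  // Browsers and current Node expose crypto.subtle globally; older Node needs the import.
  const subtle = globalThis.crypto?.subtle ?? (await import('node:crypto')).webcrypto.subtle;

  // The HMAC message is the counter as an 8-byte big-endian integer.
  const msg = new DataView(new ArrayBuffer(8));
  msg.setBigUint64(0, BigInt(counter));

  const key = await subtle.importKey(
    'raw', secret, { name: 'HMAC', hash: HASHES[algorithm] }, false, ['sign']);
  const mac = new Uint8Array(await subtle.sign('HMAC', key, msg.buffer));

  // Dynamic truncation: the low nibble of the last byte selects a 4-byte window,
  // and the top bit is masked off so the value is a positive 31-bit integer.
  const offset = mac[mac.length - 1] & 0x0f;
  const bin = ((mac[offset] & 0x7f) << 24) | (mac[offset + 1] << 16) |
              (mac[offset + 2] << 8) | mac[offset + 3];
  return String(bin % 10 ** digits).padStart(digits, '0');
}

// TOTP is HOTP with counter = floor(unixTime / period).
function totp(secret, unixTime, { period = 30, ...opts } = {}) {
  return hotp(secret, Math.floor(unixTime / period), opts);
}
```

Both functions return a promise for the code as a zero-padded string; in normal use pass Math.floor(Date.now() / 1000) as unixTime.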
otpauth:// import
Paste an otpauth://totp/... or otpauth://hotp/... URI in the
Secret field and every option auto-fills from its parameters — algorithm, digits,
period, counter, secret. This is the same URI format produced by the QR codes in
Google Authenticator setup screens, so you can copy a URI directly out of an email
or 2FA setup page and inspect what it would do before importing it.
Going the other way, the Show as QR button hands the current configuration to the QR generator so you can scan it into your phone's authenticator without retyping anything.
Common use cases
- Set up 2FA on a server account and verify the secret was stored correctly before finalizing the configuration.
- Recover a one-time code when your authenticator app is unreachable but you still have the original secret.
- Debug an OTP-based automation that's failing — generate the expected code on your machine and compare to what your code produces.
- Inspect a suspicious otpauth:// URI received over chat or email before importing it on your phone.
- Test a 2FA implementation against vector code paths (SHA-256, 8 digits, 60 seconds) without pulling in a third-party library.
Privacy
Your secret is processed only in your browser and is never transmitted, logged, or stored. There is no analytics script, no cookies, no telemetry. The full source for this page is plain HTML and JavaScript — right-click and view-source if you want to audit it before pasting anything sensitive.