About the TOTP / 2FA generator
The TOTP generator creates everything you need to set up time-based two-factor authentication: a random base32 secret, a scannable otpauth:// provisioning QR code, and a live 6-digit one-time code that refreshes on a 30-second countdown. It implements RFC 6238 using HMAC-SHA1 via the browser's Web Crypto API, the same standard used by Google Authenticator, Authy, and similar apps.
Use it to bootstrap 2FA for a service you are building, to test an authenticator integration, or to compute codes from an existing secret. You can paste a secret you already have to see its current codes. Everything runs locally in your browser, so secrets and codes never leave your device.
How to use it
- Generate a new base32 secret, or paste an existing one.
- Scan the otpauth:// QR code with an authenticator app, or copy the secret.
- Read the live 6-digit code shown on screen.
- Watch the 30-second countdown and use the code before it refreshes.
- Enter the code in the service you are setting up or testing.
Examples
- Generate a secret and scan the QR code into Google Authenticator to enroll a test account.
- Paste an existing base32 secret to read its current valid 6-digit code.
- Confirm your server's TOTP implementation by comparing its output to the live code here.
- Use the 30-second countdown to time entering a code right after it rotates.
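For the server comparison mentioned in the examples, the following added example (not the tool's own code) computes codes the way this page describes: RFC 6238 with HMAC-SHA1 via Web Crypto, 6 digits, and a 30-second step. The function names and `RFC_SECRET` (the RFC 6238 Appendix B SHA-1 test key, base32-encoded here) are assumptions chosen for illustration.

```javascript
// Added example: RFC 6238 TOTP (HMAC-SHA1, 6 digits, 30 s step) via Web Crypto.
// RFC 6238 Appendix B SHA-1 test key "12345678901234567890", base32-encoded.
const RFC_SECRET = 'GEZDGNBVGY3TQOJQGEZDGNBVGY3TQOJQ';
const B32 = 'ABCDEFGHIJKLMNOPQRSTUVWXYZ234567';

// Decode an RFC 4648 base32 secret; case, spaces and '=' padding are ignored.
function base32Decode(text) {
  const out = [];
  let bits = 0, acc = 0;
  for (const ch of text.toUpperCase().replace(/[\s=]/g, '')) {
    const v = B32.indexOf(ch);
    if (v < 0) throw new Error(`invalid base32 character: ${ch}`);
    acc = (acc << 5) | v;
    bits += 5;
    if (bits >= 8) {
      bits -= 8;
      out.push((acc >>> bits) & 0xff);
      acc &= (1 << bits) - 1; // keep only the bits not yet emitted
    }
  }
  return new Uint8Array(out);
}

// Browsers and current Node expose globalThis.crypto; older Node needs the module.
async function getSubtle() {
  return globalThis.crypto?.subtle ?? (await import('node:crypto')).webcrypto.subtle;
}

// Code for the time step containing unixSeconds.
async function totp(secretB32, unixSeconds = Math.floor(Date.now() / 1000), step = 30, digits = 6) {
  const counter = Math.floor(unixSeconds / step);
  const msg = new DataView(new ArrayBuffer(8)); // 8-byte big-endian counter
  msg.setUint32(0, Math.floor(counter / 2 ** 32));
  msg.setUint32(4, counter >>> 0);
  const subtle = await getSubtle();
  const key = await subtle.importKey('raw', base32Decode(secretB32),
    { name: 'HMAC', hash: 'SHA-1' }, false, ['sign']);
  const mac = new Uint8Array(await subtle.sign('HMAC', key, msg.buffer));
  const off = mac[19] & 0x0f; // dynamic truncation offset (RFC 4226)
  const bin = ((mac[off] & 0x7f) << 24) | (mac[off + 1] << 16) | (mac[off + 2] << 8) | mac[off + 3];
  return String(bin % 10 ** digits).padStart(digits, '0');
}

// Seconds left before the code for unixSeconds rotates.
function secondsRemaining(unixSeconds = Math.floor(Date.now() / 1000), step = 30) {
  return step - (unixSeconds % step);
}
```

Give your server and `totp()` the same secret and the same fixed Unix time: a mismatch there points at base32 decoding or truncation, while a mismatch that appears only with the live clock points at clock skew.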
Frequently asked questions
What standard does this implement?
It implements RFC 6238 time-based one-time passwords using HMAC-SHA1, computed with the browser's Web Crypto API. This is compatible with common authenticator apps.
Can I use an existing secret?
Yes. Paste a base32 secret you already have and the tool will show its current live 6-digit code and countdown.
Is it safe? Are my secrets sent anywhere?
No secret or code is uploaded. All generation and computation happens locally in your browser using Web Crypto, so nothing leaves your device.
Why does the code change every 30 seconds?
TOTP codes are derived from the current time in 30-second windows, so a fresh 6-digit code is produced each interval per the RFC 6238 standard.
What is the difference between TOTP and a regular password?
A password is static, while a TOTP code is a short-lived second factor that changes every 30 seconds, adding protection even if a password is stolen.
Will the QR code work with Google Authenticator or Authy?
Yes. The QR code is a standard otpauth:// provisioning URI, which Google Authenticator, Authy, and most TOTP apps can scan.