TOTP / HOTP Generator

Generate time-based (TOTP) and counter-based (HOTP) one-time passwords for testing 2FA implementations. Implements RFC 6238 and RFC 4226.

TOTP (Time-Based)
Examples
Common demo secret: JBSWY3DPEHPK3PXP
RFC 6238 test secret (SHA-1, 20 bytes)
Random 32-char secret

HOTP (Counter-Based)
How it works

TOTP (RFC 6238) uses floor(currentUnixTime / period) as the counter input. HOTP (RFC 4226) uses an explicit incrementing counter. Both compute HMAC(secret, counter) then apply dynamic truncation to extract a 6–8 digit numeric code.

The secret is a Base32-encoded shared key established during 2FA enrollment (typically via QR code). The authenticator app and server both compute the same code independently - no network exchange needed during verification.
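The computation described above, written out as an added example (not this tool's own code). The function names are chosen here, and the +/- one-step tolerance in `verify_totp` is an assumption of the example, not something the page specifies. The key is the published RFC 4226 / RFC 6238 SHA-1 test key.

```python
import base64
import hashlib
import hmac
import struct

# Published test key from RFC 4226 / RFC 6238 (SHA-1, 20 bytes), Base32-encoded.
RFC_SECRET_B32 = "GEZDGNBVGY3TQOJQGEZDGNBVGY3TQOJQ"


def b32_decode(secret: str) -> bytes:
    """Decode a Base32 secret; tolerate spaces, lowercase and missing padding."""
    s = secret.replace(" ", "").upper()
    return base64.b32decode(s + "=" * (-len(s) % 8))


def hotp(key: bytes, counter: int, digits: int = 6, algo: str = "sha1") -> str:
    """RFC 4226: HMAC over the 8-byte big-endian counter, then dynamic truncation."""
    mac = hmac.new(key, struct.pack(">Q", counter), getattr(hashlib, algo)).digest()
    offset = mac[-1] & 0x0F  # low nibble of the last byte selects a 4-byte window
    value = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF  # clear top bit
    return str(value % 10 ** digits).zfill(digits)  # keep leading zeros


def totp(key, unix_time, period=30, digits=6, algo="sha1"):
    """RFC 6238: HOTP with counter = floor(unix_time / period)."""
    return hotp(key, int(unix_time) // period, digits, algo)


def verify_totp(key, code, unix_time, period=30, digits=6, window=1):
    """Server-side check; the +/- `window` step tolerance is this example's assumption."""
    step = int(unix_time) // period
    ok = False
    for c in range(max(0, step - window), step + window + 1):
        # Constant-time comparison, and no early exit on a match.
        ok |= hmac.compare_digest(hotp(key, c, digits).encode(), code.encode())
    return ok


if __name__ == "__main__":
    key = b32_decode(RFC_SECRET_B32)
    print([hotp(key, c) for c in range(3)])  # RFC 4226 Appendix D vectors
    print(totp(key, 59, digits=8))           # RFC 6238 Appendix B vector
```
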

Security note
This tool is for testing and development only. Never paste production TOTP secrets into any web tool. The secret is not stored or transmitted - but treat any real secret as a highly sensitive credential.