OTP Generator

The OTP Generator computes one-time passcodes from a Base32 shared secret — the same mechanism that Google Authenticator, Authy, and 1Password use. TOTP (Time-based One-Time Password, RFC 6238) refreshes every 30 seconds; HOTP (HMAC-based One-Time Password, RFC 4226) advances on demand from a counter you control. Useful for testing 2FA flows, building authenticator clones, or pulling out a backup code when your authenticator app is unavailable. Everything happens in your browser — your secret never leaves your machine.

Built by Bob Article by Lace QA by Ben Shipped May 9, 2026

How to use

1
Pick TOTP (time-based, the default) or HOTP (counter-based). TOTP is what most apps use; HOTP is for systems that prefer explicit counter management.
2
Paste your Base32 secret. If you're testing, click 'Generate random' for a fresh 16-character secret you can plug into any authenticator app.
3
TOTP: the code refreshes every 30 seconds with a countdown bar. HOTP: bump the counter manually with '+ Next' to advance.
4
Tap Copy code to grab the 6-digit OTP.

🔑 Token Maker 🔐 Password Generator 📷 QR Code Reader 🆔 UUID Generator

Frequently asked questions

What's the difference between TOTP and HOTP?

TOTP (Time-based One-Time Password, RFC 6238) generates a new code every 30 seconds based on the current time. HOTP (HMAC-based, RFC 4226) generates a code from an explicit counter — the server and client both have to advance the counter in lockstep on each successful login. TOTP is more user-friendly (just look at the screen); HOTP is more reliable when clocks aren't synchronized. Most authenticator apps and 2FA systems use TOTP.

What's a Base32 secret?

Base32 is the encoding standard used for OTP shared secrets — alphanumeric, uppercase, no easily-confused characters (no 0/O, 1/I/L). Authenticator apps display secrets as Base32 strings or QR codes encoding them. The secret is the only thing both client and server know; from it, both can compute the same OTP at the same moment.

Can I add this to Google Authenticator?

Yes — generate a random secret here, then in Google Authenticator (or any authenticator app) tap 'Add account' → 'Enter setup key' and paste the secret. Both this tool and the app will show the same code at the same time, proving they share the secret.

Is this the same algorithm as Google Authenticator?

Yes — RFC 6238 TOTP with HMAC-SHA1, 30-second period, 6-digit codes. Identical to Google Authenticator, Authy, 1Password, Microsoft Authenticator, and every other RFC-compliant TOTP app. Test it: paste a secret here and into Google Authenticator — you'll see the exact same 6-digit code.

Why do TOTP codes change every 30 seconds?

Because the time component of the HMAC input is the current Unix timestamp divided by 30 (the 'period'). Every 30 seconds, the timestamp moves into a new bucket and the HMAC output changes. The 30-second period is a tradeoff: short enough that intercepted codes have limited replay value, long enough that humans can read and type them.

What if my code doesn't match the server's?

Check three things: (1) the secret is exactly the same, including case (Base32 is case-insensitive in spec but some implementations are picky); (2) your system clock is correct (TOTP needs <30s skew); (3) you're using the right algorithm (SHA1 by default; some servers use SHA256 — they're not compatible).

Is my secret saved or sent anywhere?

No. Both the secret you paste and the codes generated stay in your browser. The HMAC computation runs locally in JavaScript using the otplib library. Nothing is uploaded, logged, or stored.

How do I generate a QR code for an authenticator app?

Use a QR Code Generator with the otpauth URI format: otpauth://totp/MyApp:alice@example.com?secret=YOUR_SECRET&issuer=MyApp. Authenticator apps scan that QR and add the entry. We don't render the QR here, but the Token Maker + a QR generator will get you there.

Ratings & Reviews

Rate this tool

Loading reviews…

What an OTP Generator Does

One-Time Passwords (OTP) are the 6-digit codes your authenticator app shows for two-factor authentication. They change every 30 seconds and are derived mathematically from a shared secret you scanned during setup. Google Authenticator, Authy, 1Password, Microsoft Authenticator — all of them implement the same RFC 6238 algorithm. The OTP Generator is a standalone implementation of that algorithm: paste any Base32 secret, get the same 6-digit code your authenticator app would show.

It's useful for testing 2FA flows you're building, debugging login failures (is the issue the code or the verification?), or generating a backup code when your phone is dead. It supports both TOTP (time-based, the common case) and HOTP (counter-based, used by some hardware tokens).

How the Microapp OTP Generator Works

Pick mode (TOTP or HOTP). Paste your Base32 secret — or click "Generate random" for a fresh one you can plug into your authenticator app to test. TOTP refreshes every 30 seconds with a countdown bar; the new code appears automatically when the period rolls. HOTP advances on demand: type the counter or click "+ Next" to bump it.

The HMAC computation runs in your browser using the otplib library. Your secret never leaves your machine — there's no server roundtrip, no logging, no analytics on what you paste. Open the page offline and it still works.

Worked example. Paste secret JBSWY3DPEHPK3PXP (a well-known test vector). At a fixed timestamp, the code is exactly the same as what Google Authenticator would show — try it: scan a QR with this secret in any authenticator, then open this tool and paste the secret. The two should display the same 6-digit code at the same moment, every 30 seconds, forever.

TOTP vs HOTP — Which You Have

If you scanned a QR code from a website (Google, GitHub, AWS, your bank, anywhere) into an authenticator app and the code refreshes every 30 seconds, you have TOTP. RFC 6238. Time-based. The counter input is literally the current Unix timestamp divided by 30. Synchronization between client and server requires both to have correct clocks (within ~30s of each other).

If you have a hardware token (YubiKey OTP, RSA SecurID classic, certain banking dongles) where the code changes when you press a button or insert the token, you have HOTP. RFC 4226. Counter-based. Both client and server keep a counter that increments on each successful login. If they fall out of sync (you press the button without logging in, the server resyncs by trying a few counter values ahead).

TOTP dominates because clocks are reliable, no physical token is needed, and resync isn't necessary. HOTP survives in legacy hardware-token deployments.

What's a Base32 Secret

The shared secret between you and the server is encoded as Base32 — uppercase A-Z plus digits 2-7. Why Base32 and not Base64? Because Base32 has no easily-confused characters (no 0/O, no 1/I/L) and is case-insensitive in spec, both of which matter when humans transcribe secrets by hand. Authenticator apps display the secret as a Base32 string under each entry's settings, and accept Base32 input when you type rather than scan.

Length is usually 16-32 characters. Longer secrets are slightly more entropy, but past 16 characters you're not adding meaningful security. The "Generate random" button in this tool produces 16-character secrets — same length Google Authenticator generates for new accounts.

Why Are TOTP Codes Six Digits?

Convention. RFC 6238 supports 6 or 8 digits; almost everyone uses 6. The reason is human-typing: 6 digits is short enough to memorize for the few seconds between reading and typing, while 7 random digits provides enough entropy that brute-forcing within the 30-second window is impractical (a million guesses across 30s = 33,000/sec, way above any login API's rate limit).

Some high-security systems use 8 digits. The math is the same; the user just types two more digits.

Common Pitfalls

Clock skew. If your computer's clock is more than 30 seconds off, your TOTP codes don't match the server's. Most servers tolerate 1-2 periods of drift (60s window) to handle this; beyond that, sync your clock (NTP, or just toggle automatic time on your OS).

Wrong algorithm. Default is HMAC-SHA1, which is what Google Authenticator and 99% of everything else uses. Some servers use HMAC-SHA256 or SHA512 — if your codes never match, check the server's algorithm requirement. They're not interoperable.

Wrong period. Default is 30 seconds. Some systems use 60. If the countdown doesn't match what your phone shows, the period is mismatched.

Lost secret. If you lose your authenticator app and don't have backup codes, you've locked yourself out. Always print or save the secret (or backup codes) when setting up 2FA.

Related Tools

For random secrets to use as TOTP shared secrets, the Token Maker can generate 32-character alphanumeric strings. To build a JWT token (a different kind of authentication token, structured rather than time-based), use the JWT Token Generator. For password hashing on the server-side equivalent of OTP verification, see Bcrypt Generator. To generate the QR codes that authenticator apps scan during setup, the QR Code Generator family is a starting point — though for OTP specifically you'd use the otpauth:// URI format.

OTP Generator

How to use

Related tools

Frequently asked questions

Ratings & Reviews

Rate this tool

What an OTP Generator Does

How the Microapp OTP Generator Works

TOTP vs HOTP — Which You Have

What's a Base32 Secret

Why Are TOTP Codes Six Digits?

Common Pitfalls

Related Tools