OTP code generator

Generate TOTP codes and otpauth URIs

All computation runs locally in your browser

Last updated: February 3, 2026

CreatorFrank Zhao

Secret

Issuer

Account

Period (sec)

Digits

One-time passwords

Current

Next in 29s

Enter a valid secret to generate the QR code.

Secret in hexadecimal

Epoch

Iteration

Count:

Padded hex:

Introduction / overview

The OTP Code Generator helps you create TOTP codes and an otpauth URI(the standard format authenticator apps understand). You can also generate a QR code that encodes that URI, making it easy to import into an authenticator.

What problems does it solve?

Verify that your backend TOTP implementation matches popular authenticator apps.
Generate a QR code to import a secret quickly (without manually typing it).
Troubleshoot mismatches caused by time drift, wrong digits, or a different period.

Who is this for?

Developers implementing 2FA and needing a quick sanity check.
IT and security teams validating provisioning URIs or QR code imports.
Power users migrating authenticator setups between devices.

For accuracy, this tool follows the standard TOTP approach (HOTP + time counter). If you want to inspect related cryptographic building blocks, you may also like our HMAC Generator, Hash Text, or Password Strength Analyser.

How to use / quick start guide

1Paste your Base32 secret into Secret. The tool normalizes input (trimming spaces and uppercasing).
2Set Issuer and Accountto control how the entry appears in authenticator apps.
3Choose Period and Digits. Most services use $\text{period}=30\ \mathrm{s}$ and $\text{digits}=6$ .
4Use Current as the code to type into your login form.Previous and Next help when clocks are slightly out of sync.
5Scan the QR code in your authenticator app, or copy the URI and open it in a new tab.

Example 1: Understanding the countdown

If your period is $X=30\ \mathrm{s}$ and the current Unix time is $t=1700000000\ \mathrm{s}$ , then the moving counter is:

C=\left\lfloor\dfrac{t}{X}\right\rfloor

=

\left\lfloor\dfrac{1700000000}{30}\right\rfloor

=

56666666

That counter changes every $30$ seconds, which is why your code updates on a timer.

Example 2: Why digits matter

After HMAC and truncation, you get a 31-bit integer (call it $S$ ). The final OTP is:

\mathrm{OTP}=S\bmod 10^d

=

987654321\bmod 10^6

=

654321

If your service expects $d=8$ but your app uses $d=6$ , your codes will never match.

Real-world examples / use cases

Backend implementation smoke test

Input: period $30$ , digits $6$ , plus the same secret your backend uses.

Result: your login server should accept the Current code. If it only accepts Previous, you likely have a time window shift.

Tip: if you also need to inspect the raw HMAC step, try the HMAC Generator.

Provisioning QR for an authenticator

Input: issuer (e.g. CalculatorVast) and account (e.g. demo-user) so the entry is recognizable on your phone.

Result: scan the QR code and confirm your app shows the same Current OTP.

Company-wide issuer naming policy

Input: issuer Acme Corp, account [email protected].

Result: your authenticator groups entries consistently; fewer support tickets about “which code is this?”.

Diagnosing a mismatch (digits/period/time)

Input: try both digits $6$ and $8$ , and a period of $30$ vs $60$ .

Result: once parameters match your service, your OTPs will align.

Security reminder: the secret is the “key” to your account’s TOTP. Treat it like a password—do not share it in screenshots, tickets, or public links.

Common scenarios / when to use

Adding TOTP to a new service

Generate the otpauth URI and scan the QR code.

Fixing “invalid code” errors

Check period, digits, and device time sync.

Copying codes quickly

Click Previous/Current/Next to copy instantly.

Auditing issuer/account labels

Prevent confusion inside authenticator apps.

Testing recovery flows

Confirm what happens when codes expire or rotate.

Debugging provisioning URLs

Copy the URI and compare query parameters.

When it might not be the right tool

If your service uses a non-standard algorithm (not SHA-1) or custom truncation rules.
If you need server-side verification or rate limiting—those belong in your backend.

Tips & best practices

Practical tips

Keep your device time accurate. A drift of even $\pm 30\ \mathrm{s}$ can push you into the Previous/Next window.
If codes don’t match, verify $X$ (period) and $d$ (digits) before assuming the secret is wrong.
Never paste real secrets into shared screen recordings or support tickets.
Use Issuer + Account consistently so you can identify entries quickly. This reduces the risk of typing the wrong OTP.

Want to evaluate secrets and passphrases more broadly? Pair this tool with the Password Strength Analyser, or use the BIP39 Passphrase Generator for seed phrase experiments.

Calculation method / formula explanation

TOTP is a time-based variant of HOTP. The main idea is to convert time into an integer counter and then apply HMAC.

1) Time counter

C = \left\lfloor\dfrac{t - T_0}{X}\right\rfloor

Here $t$ is Unix time in seconds, $X$ is the period (typically $30$ ), and $T_0$ is usually $0$ .

2) HMAC + dynamic truncation

A simplified view of the OTP step is:

S=\mathrm{Truncate}\big(\mathrm{HMAC}_{\mathrm{SHA1}}(K, C)\big)

,

\mathrm{OTP}=S\bmod 10^d

Where $K$ is the secret key and $d$ is the number of digits.

3) Zero padding

If $d=6$ , the OTP is formatted as a 6-digit string. That means values like $789$ become $000789$ .

Related concepts / background info

What is Base32?

Many TOTP secrets are stored as Base32 so they can be typed without symbols. Valid characters are usually letters A–Z and digits 2–7. If you see a “secret invalid” warning, it often means the pasted value contains spaces, lowercase letters, or the wrong alphabet.

What is an otpauth URI?

Authenticator apps commonly accept a provisioning URL that looks like:

otpauth://totp/Issuer:Account?secret=BASE32SECRET&issuer=Issuer&algorithm=SHA1&digits=6&period=30

The QR code shown by this calculator is simply an image encoding that URI.

If you need to validate other encodings, you may also like our Base64 String Encoder/Decoder.

Frequently asked questions (FAQs)

Why don’t my codes match my authenticator app?

The most common causes are mismatched $X$ (period), mismatched $d$ (digits), or device time drift.

Is it safe to share the “Copy URI” link?

Usually no. The URI contains the secret. If someone has it, they can generate valid OTP codes.

What does Previous / Next mean?

Those are OTPs for the adjacent time windows. If your service allows a time tolerance, it may accept codes from $C-1$ or $C+1$ .

Can I use 8-digit OTP codes?

Yes—if your service is configured for $d=8$ . Otherwise, stick to $d=6$ .

Does this calculator store my secret?

The calculator is designed to run locally in your browser. Still, you should treat secrets as sensitive and avoid using real production secrets on shared machines.

Limitations / disclaimers

This tool helps you generate and inspect OTP codes, but it does not replace proper 2FA setup, account recovery, or professional security guidance.
OTP correctness depends on accurate time. If the client device clock is wrong, codes will be wrong.
Do not use this tool to share secrets. If you must move secrets between devices, consider secure channels and your organization’s policy.

External references / sources

Related Calculators

Chronometer

Use a simple chronometer (stopwatch) to track elapsed time down to milliseconds. Runs locally in your browser.

Try Now

Email normalizer

Normalize email addresses to a standard format for easier comparison. Useful for deduplication and data cleaning. Runs locally in your browser.

Try Now

ETA calculator

Estimate the time needed to consume a total amount at a constant rate, and get an expected end time. Runs locally in your browser.

Try Now

JWT parser

Parse and decode your JSON Web Token (JWT) and display its content. All computation runs locally in your browser.

Try Now

MIME types

Know which file extensions are associated to a MIME type, and which MIME type is associated to a file extension. Includes a full MIME types table.

Try Now

Lorem ipsum generator

Generate random Lorem Ipsum placeholder text with customizable paragraphs, sentences, and word counts. Runs locally in your browser.

Try Now