TOTP Generator — Free Online 2FA Code Generator
Generate and verify time-based one-time passwords for two-factor authentication testing. Enter a secret key or generate one to see live TOTP codes.
How TOTP is Calculated (RFC 6238)
- Decode the secret — The Base32-encoded secret key is decoded into raw bytes.
- Compute the counter — Current Unix time is divided by the interval (30s) to produce a time-step counter.
- HMAC-SHA1 — The counter is encoded as an 8-byte big-endian value, and an HMAC-SHA1 is computed over it with the decoded secret as the key.
- Dynamic truncation — A 4-byte segment is extracted from the HMAC result using an offset derived from the last byte.
- Modulo — The truncated value is reduced modulo 10^6 and zero-padded to 6 digits.
How to Use This TOTP Generator
- Enter or generate a secret key — Paste the Base32-encoded secret from your 2FA setup, or click “Generate Random Secret” to create a new one for testing.
- Configure the parameters — Choose a time interval (30, 60, or 90 seconds) and the number of digits (6 or 8) to match your service's TOTP settings.
- Watch the live code — The current TOTP code updates automatically. The countdown bar shows how many seconds remain before the next code is generated.
- Copy and verify — Copy the code with one click and use it to verify your server-side implementation or test your login flow.
What is a TOTP Generator?
A TOTP generator is a tool that creates time-based one-time passwords following the RFC 6238 standard. These short-lived numeric codes are the backbone of most two-factor authentication (2FA) systems used by services like Google, GitHub, AWS, and thousands of other platforms. Each code is derived from a shared secret key and the current time, making it valid for only a brief window.
Developers building or integrating 2FA need a reliable way to verify that their server-side implementation produces the correct codes. This online TOTP generator lets you test against a known secret without installing a mobile authenticator app. You can compare the codes generated here with those from your backend to confirm they match, debug clock-synchronization issues, and validate edge cases like different time intervals or digit lengths.
QA engineers use TOTP generators during end-to-end testing of login flows that require two-factor authentication. Rather than scanning QR codes on a phone for every test run, you can extract the secret key and feed it directly into this tool or your automated test scripts. This approach speeds up test cycles and makes 2FA tests fully reproducible in CI/CD pipelines.
The algorithm itself is straightforward: divide the current Unix timestamp by the chosen interval to get a counter, compute an HMAC-SHA1 of that counter using the secret key, and dynamically truncate the result to produce a 6- or 8-digit code. This tool performs every step in your browser using the Web Crypto API—your secret key never leaves your device.
Frequently Asked Questions
What is TOTP?
TOTP stands for Time-based One-Time Password. It is a widely adopted algorithm defined in RFC 6238 that generates short-lived numeric codes from a shared secret key and the current time. Apps like Google Authenticator, Authy, and Microsoft Authenticator use TOTP to provide an extra layer of login security beyond passwords.
How does TOTP work?
TOTP works by combining a secret key (shared between the server and your authenticator app) with the current Unix timestamp divided by a time interval (usually 30 seconds). This value is fed into an HMAC-SHA1 function, and the result is dynamically truncated to produce a 6- or 8-digit code. Because both sides know the secret and the current time, they independently arrive at the same code without any network communication.
Is TOTP the same as 2FA?
Not exactly. Two-factor authentication (2FA) is the broader concept of requiring two different types of credentials to log in—typically something you know (password) and something you have (a device). TOTP is one specific method used to implement 2FA. Other 2FA methods include SMS codes, hardware security keys (FIDO2/WebAuthn), and push notifications.
What apps support TOTP?
Most major authenticator apps support TOTP, including Google Authenticator, Microsoft Authenticator, Authy, 1Password, Bitwarden, and FreeOTP. Any service that displays a QR code or provides a Base32 secret during 2FA setup is using the TOTP standard, which means it works with any compliant app.
How long is a TOTP code valid?
By default, a TOTP code is valid for one time interval—typically 30 seconds. Most services accept codes from the immediately previous and next intervals as well to account for clock drift between the server and authenticator. This tool lets you experiment with 30-, 60-, and 90-second intervals.
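The five calculation steps listed earlier and the drift window described in this answer, as one added Python example (not this tool's own code). The `verify` helper, its `window` and `last_used_step` parameters, and the replay check are assumptions of the example; the secret is the published RFC 6238 test key, Base32-encoded.

```python
import base64
import hashlib
import hmac
import struct

# Published RFC 6238 test key (ASCII "12345678901234567890"), Base32-encoded.
RFC_SECRET = "GEZDGNBVGY3TQOJQGEZDGNBVGY3TQOJQ"


def decode_secret(secret: str) -> bytes:
    """Step 1: Base32-decode, tolerating spaces, lower case and missing padding."""
    s = secret.replace(" ", "").upper()
    return base64.b32decode(s + "=" * (-len(s) % 8))


def totp(secret: str, unix_time: int, interval: int = 30, digits: int = 6) -> str:
    key = decode_secret(secret)
    counter = unix_time // interval                       # step 2: time-step counter
    msg = struct.pack(">Q", counter)                      # step 3: 8-byte big-endian
    mac = hmac.new(key, msg, hashlib.sha1).digest()
    offset = mac[-1] & 0x0F                               # step 4: low 4 bits of last byte
    value = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(value % 10 ** digits).zfill(digits)        # step 5: modulo and zero-pad


def verify(secret, code, unix_time, last_used_step=-1, interval=30, digits=6, window=1):
    """Return the matched time step or None.

    Accepts `window` steps either side of the current one (clock drift) and
    refuses any step at or before last_used_step (assumed replay check).
    """
    current = unix_time // interval
    for step in range(current - window, current + window + 1):
        if step < 0 or step <= last_used_step:
            continue
        expected = totp(secret, step * interval, interval, digits)
        if hmac.compare_digest(expected.encode(), code.encode()):
            return step
    return None


if __name__ == "__main__":
    print(totp(RFC_SECRET, 59, digits=8))        # RFC 6238 vector at T=59
    print(verify(RFC_SECRET, "287082", 89))      # one step late, still accepted
    print(verify(RFC_SECRET, "287082", 89, 1))   # same step already used
```

Store the returned step per account and pass it back as `last_used_step`, so a code accepted once is not accepted again while it is still inside the drift window.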
Can I test my 2FA setup with this tool?
Yes. Enter the Base32 secret key from your service’s 2FA setup page into this generator. The codes produced here should match the ones shown in your authenticator app. This is useful for verifying that your server-side TOTP implementation generates the same codes, debugging clock-sync issues, and ensuring your enrollment flow works correctly.