DevToys Web Pro

OTP Generator (TOTP/HOTP)

Configuration

  • Mode: Choose between Time-based (TOTP) or Counter-based (HOTP)
  • Algorithm: Hash algorithm for OTP generation
  • Digits: Number of digits in the OTP code
  • Period: Time interval for TOTP code validity

Secret Key

  • Generated Code

    QR Code Settings

    Verify code

    Check if a code is valid for the current secret

    OTP Auth URI

  • Use this URI or scan the QR code to add this account to an authenticator app

    Technical details

    How the OTP Generator Works

    What the Tool Does

    This OTP generator creates Time-based One-Time Passwords (TOTP) and HMAC-based One-Time Passwords (HOTP) compatible with Google Authenticator, Authy, and other 2FA apps. Enter or generate a Base32 secret key, and the tool will produce 6-8 digit codes that change every 30 or 60 seconds for TOTP, or increment with a counter for HOTP. All calculations run locally in your browser using the Web Crypto API, so your secret never leaves your device.

    Common Developer Use Cases

    Developers use an online TOTP generator to test two-factor authentication implementations, verify that their OTP libraries produce correct codes, and debug authentication flows. When building a 2FA system, you can use this tool to generate test secrets, validate your server-side TOTP implementation, and ensure time synchronization is correct. It also helps QA teams verify 2FA workflows without installing authenticator apps on their devices.

    Data Formats and Standards

    The OTP tool implements RFC 6238 (TOTP) and RFC 4226 (HOTP) standards. Secret keys use Base32 encoding, which is the standard format for authenticator apps. The tool supports SHA-1 (default, most compatible), SHA-256, and SHA-512 hash algorithms. Output codes can be 6, 7, or 8 digits, with 6 being the most common. The OTP Auth URI format (otpauth://totp/...) is compatible with Google Authenticator and similar apps.

    Common Pitfalls and Edge Cases

    TOTP codes are extremely time-sensitive. If your server and client clocks are out of sync by more than 30 seconds, authentication will fail. Most implementations allow a window of 1-2 time steps to handle minor drift. SHA-1 is the most widely supported algorithm; some older authenticator apps may not support SHA-256 or SHA-512. Ensure your secret key is properly Base32 encoded—invalid characters will cause decoding errors.
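The drift window and the Base32 pitfall described above, as an added example that is not the tool's own code: a small RFC 4226/RFC 6238 verifier you can use to cross-check a library's output against the RFC test vectors. It assumes Node.js and its built-in `crypto` module rather than the Web Crypto API, and the function names (`base32Decode`, `hotp`, `totp`, `verifyTotp`) are hypothetical.

```javascript
const { createHmac, timingSafeEqual } = require('node:crypto');
const B32 = 'ABCDEFGHIJKLMNOPQRSTUVWXYZ234567';
// RFC 6238 Appendix B SHA-1 test key (ASCII "12345678901234567890"), Base32 encoded.
const RFC_SECRET = 'GEZDGNBVGY3TQOJQGEZDGNBVGY3TQOJQ';

// Decode a Base32 secret; invalid characters raise instead of being skipped.
function base32Decode(secret) {
  const out = [];
  let bits = 0, value = 0;
  for (const ch of secret.replace(/[\s=]/g, '').toUpperCase()) {
    const idx = B32.indexOf(ch);
    if (idx === -1) throw new Error(`invalid Base32 character: ${ch}`);
    value = (value << 5) | idx;
    bits += 5;
    if (bits >= 8) {
      bits -= 8;
      out.push((value >>> bits) & 0xff);
      value &= (1 << bits) - 1; // keep only the leftover bits
    }
  }
  return Buffer.from(out);
}

// RFC 4226: HMAC over the 8-byte big-endian counter, then dynamic truncation.
function hotp(key, counter, { algorithm = 'sha1', digits = 6 } = {}) {
  const msg = Buffer.alloc(8);
  msg.writeBigUInt64BE(BigInt(counter));
  const mac = createHmac(algorithm, key).update(msg).digest();
  const offset = mac[mac.length - 1] & 0x0f;
  const bin = mac.readUInt32BE(offset) & 0x7fffffff;
  return String(bin % 10 ** digits).padStart(digits, '0');
}

// RFC 6238: HOTP with counter = floor(unixSeconds / period).
function totp(key, unixSeconds, { period = 30, ...opts } = {}) {
  return hotp(key, Math.floor(unixSeconds / period), opts);
}

// Accept the current step plus `window` steps either side; return the matching offset or null.
function verifyTotp(key, code, unixSeconds, { window = 1, period = 30, ...opts } = {}) {
  const step = Math.floor(unixSeconds / period);
  const given = Buffer.from(String(code));
  let matched = null;
  for (let d = Math.max(-window, -step); d <= window; d++) {
    const expected = Buffer.from(hotp(key, step + d, opts));
    if (given.length === expected.length && timingSafeEqual(given, expected)) matched = d;
  }
  return matched;
}
```

A non-zero offset returned by `verifyTotp` tells you how many time steps the client clock is off. A production verifier should also record the last accepted time step per account so a code cannot be reused inside the window.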

    When to Use This Tool vs Code

    Use this OTP generator for testing, debugging, and verifying your 2FA implementation during development. For production systems, generate and verify OTP codes on your server using established libraries like pyotp (Python), speakeasy (Node.js), or GoogleAuthenticator (various languages). Never expose secret keys in client-side code. This tool is ideal for development workflows, but your application should handle OTP verification server-side.