
TOTP Code Generator

Generate time-based one-time passwords from a secret key. Useful for debugging 2FA flows.

Privacy: All calculations run entirely in your browser. No data is sent to any server.

What is TOTP?

TOTP (Time-based One-Time Password) is an algorithm defined in RFC 6238 that generates short-lived codes from a shared secret key and the current time. It's the standard behind authenticator apps like Google Authenticator, Authy, and 1Password. Codes typically change every 30 seconds and are 6 digits long.

How TOTP Works

The algorithm has three steps: 1) Divide the current Unix time by the period (usually 30 s) to get a counter. 2) Compute HMAC-SHA1 over the counter, keyed with the shared secret. 3) Truncate the result to a 6-8 digit number. Server and client independently compute the same code because they share the secret and use the same time.

// otpauth:// URI format (used in QR codes)
otpauth://totp/Example:[email protected]
  ?secret=JBSWY3DPEHPK3PXP
  &issuer=Example
  &algorithm=SHA1
  &digits=6
  &period=30

Debugging 2FA Flows

Use this tool to verify that your TOTP implementation generates correct codes, test with known secret keys during development, and check whether time drift is causing code rejection. Make sure your server allows a ±1 window (accepts the previous and next code) to handle clock skew.
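The three steps above and the ±1 window check, as an added Python example (not this tool's own code). It parses an otpauth:// URI, computes the code, and reports which time step matched so that drift is visible. The function names, the sample label and the sample URI are assumptions made for the example; the secret is the RFC 6238 Appendix B SHA-1 test key.

```python
import base64, hashlib, hmac, struct
from urllib.parse import urlparse, parse_qs

# Constructed sample: RFC 6238 Appendix B SHA-1 test secret in Base32,
# with a made-up account label. Not a real account.
SAMPLE_URI = ("otpauth://totp/Example:alice@example.com?secret=GEZDGNBVGY3TQOJQGEZDGNBVGY3TQOJQ"
              "&issuer=Example&algorithm=SHA1&digits=6&period=30")
HASHES = {"SHA1": hashlib.sha1, "SHA256": hashlib.sha256, "SHA512": hashlib.sha512}

def parse_otpauth(uri):
    """Pull TOTP parameters out of an otpauth:// URI, applying the usual defaults."""
    u = urlparse(uri)
    if u.scheme != "otpauth" or u.netloc != "totp":
        raise ValueError("not an otpauth://totp URI")
    q = {k: v[0] for k, v in parse_qs(u.query).items()}
    raw = q["secret"].replace(" ", "").upper()
    return {"key": base64.b32decode(raw + "=" * (-len(raw) % 8)),  # re-add stripped padding
            "algorithm": q.get("algorithm", "SHA1").upper(),
            "digits": int(q.get("digits", 6)),
            "period": int(q.get("period", 30))}

def totp(key, at, algorithm="SHA1", digits=6, period=30):
    """RFC 6238 code for Unix time `at`."""
    counter = struct.pack(">Q", int(at) // period)             # step 1: 8-byte big-endian counter
    mac = hmac.new(key, counter, HASHES[algorithm]).digest()   # step 2: HMAC keyed with the secret
    offset = mac[-1] & 0x0F                                    # step 3: dynamic truncation
    value = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(value % 10 ** digits).zfill(digits)

def verify(params, submitted, at, window=1):
    """Return the step offset (-1, 0, +1) whose code matches, or None."""
    matched = None
    for step in range(-window, window + 1):
        t = at + step * params["period"]
        if t < 0:
            continue  # no counter exists before the Unix epoch
        expected = totp(params["key"], t, params["algorithm"], params["digits"], params["period"])
        if hmac.compare_digest(expected.encode(), submitted.encode()):  # constant-time compare
            matched = step
    return matched

if __name__ == "__main__":
    p = parse_otpauth(SAMPLE_URI)
    print(totp(p["key"], 59, digits=8))   # RFC 6238 vector for T=59: 94287082
    print(verify(p, "287082", 59 + 30))   # code from the previous step: -1
```

A return value that is consistently -1 or +1 points to a client clock running behind or ahead of the server. A server should also record the last accepted counter per user, since RFC 6238 (section 5.2) requires that a code not be accepted a second time.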

Frequently Asked Questions

Why are my TOTP codes wrong?
Common causes: wrong secret key encoding (must be Base32), clock skew between client and server (keep clocks synced with NTP), wrong algorithm (SHA1 is the default, not SHA256), or wrong period/digit settings.

Is it safe to enter my TOTP secret here?
This tool runs entirely in your browser — no data is sent to any server. However, treat your TOTP secrets like passwords. For testing, use dedicated test secrets, not production ones.
