Skip to content
Kordu Tools Kordu Tools

TOTP Code Generator

Runs in browser

Generate live TOTP (2FA) codes from any base32 secret key. Supports 6 and 8 digit codes with 30 or 60 second periods.

Last updated 08 Apr 2026

Enter a base32 TOTP secret key to generate live time-based one-time passwords (RFC 6238). The code refreshes automatically every 30 or 60 seconds with a countdown timer. Supports 6 and 8 digit codes. Runs entirely in your browser using the Web Crypto API — your secret never leaves your device.

Enter a valid base32 secret above

TOTP (Time-based One-Time Password, RFC 6238) generates a 6-digit code that changes every 30 seconds.

The demo secret JBSWY3DPEHPK3PXP is a well-known test vector. Replace it with your actual 2FA secret key from your app's QR code setup.

Never share your real TOTP secret with anyone.
Loading rating…

How to use

  1. 1

    Get your TOTP secret

    When setting up 2FA on any site, look for a 'Can't scan QR code?' or 'Enter manually' option. Copy the base32 secret key shown there.

  2. 2

    Enter the secret

    Paste the base32 secret key into the input field. Remove any spaces — the tool accepts raw base32.

  3. 3

    Copy the code

    The current TOTP code appears instantly. Click Copy code or click the code directly. Watch the countdown — the code refreshes every 30 or 60 seconds.

Frequently asked questions

What is TOTP?
TOTP (Time-based One-Time Password) is an algorithm defined in RFC 6238 that generates a short, time-limited numeric code from a shared secret key. It is the basis for most authenticator apps — Google Authenticator, Authy, 1Password, Bitwarden, and others all implement TOTP. The code is only valid for one time window (typically 30 seconds), so even if intercepted it cannot be reused.
Where do I find my TOTP secret?
When adding a new account to an authenticator app, most services offer a manual entry option alongside the QR code. This shows the base32 secret key — usually 16 to 32 characters from A-Z and 2-7. You can also export secrets from Authy, 1Password, or Bitwarden if you need to migrate or debug.
Is this safe to use with real account secrets?
The tool generates codes entirely in your browser using the Web Crypto API. No data is sent to any server. However, you should treat your TOTP secret with the same care as a password — anyone with the secret can generate valid codes forever. Only use this tool on a trusted device.
Why does my code not match my authenticator app?
The most common cause is a clock difference. TOTP relies on both devices having the same time. Check that your device's clock is accurate (Network Time Protocol sync is automatic on most devices). Also verify that you have selected the correct period (30 or 60 seconds) and digit count (6 or 8) matching the service's requirements.
Is my secret sent anywhere?
No. All computation runs in your browser using the Web Crypto API (SubtleCrypto). Your secret never leaves your device.

The Kordu TOTP Code Generator produces live time-based one-time passwords

from any base32 TOTP secret key. Enter the secret from your authenticator

app's QR code setup flow (usually shown as a base32 string when you click

"Can't scan QR code?") and the tool shows the current valid code with a

countdown to the next refresh.

Codes are generated using RFC 6238 (TOTP) built on top of RFC 4226 (HOTP):

HMAC-SHA1 of the secret and the current 30-second time window, truncated to

6 or 8 digits. The Web Crypto API handles all cryptographic operations

locally in your browser — your secret is never sent to any server.

**Supported options:**

- 6-digit codes (most common — Google, GitHub, Stripe, etc.)

- 8-digit codes (some enterprise and banking systems)

- 30-second period (standard)

- 60-second period (less common)

A live countdown bar shows how many seconds remain before the code rotates.

The code turns amber at 10 seconds and red at 5 seconds as a warning.

Common uses: testing 2FA implementation, generating backup codes during

account recovery, verifying TOTP secrets, and understanding how authenticator

apps work.

**Security note:** Only enter secrets for accounts you control. Never share

your TOTP secret with anyone — it grants permanent access to generate valid

codes for your account.

All computation runs client-side using the Web Crypto API. Nothing is

uploaded or stored.

Related tools

Password Generator

Generate cryptographically secure passwords with custom length (8–128), character sets, entropy display, and exclude-ambiguous option. Runs in your browser.

Password Strength Meter

Test how strong your password is — entropy, crack time estimate, and a detailed requirements checklist.

Base64 Encoder/Decoder

Encode text or files to Base64 or decode Base64 strings back to plain text — real-time, fully in your browser.