🛝Toolio
All tools About Contact

🔐 TOTP / 2FA Code Generator -- Local, Private, No Server

This TOTP generator creates time-based one-time passwords (RFC 6238) entirely in your browser. Paste a Base32 secret key or an otpauth:// URI and the tool displays a live 6- or 8-digit code with a countdown to the next refresh -- no server, no account, no upload. Your secret never leaves your device.

Your secret key is computed entirely in your browser using WebCrypto. It is never sent to any server.

About

The tool uses the WebCrypto SubtleCrypto HMAC API built into every modern browser to compute TOTP codes following RFC 6238. Supported options include 6- or 8-digit codes, periods of 15, 30, or 60 seconds, and algorithms SHA-1, SHA-256, or SHA-512. It also accepts otpauth:// URIs -- the format embedded in 2FA QR codes -- and automatically parses the secret, digit count, period, and algorithm. Because all operations run inside the browser using WebCrypto, your secret key is never transmitted to any server, never stored in localStorage, and never visible to any third party. The page can be used fully offline after the first load. No registration, no cookies for tracking, no network calls related to your secret.

How to use

  1. Paste your Base32 secret key (letters A-Z and digits 2-7) into the input field. You can also paste a full otpauth:// URI from a QR code scanner.
  2. If you pasted an otpauth:// URI, the tool automatically fills in the digits, period, and algorithm from the URI and shows only the secret key in the input field.
  3. Optionally adjust the Digits (6 or 8), Period (15, 30, or 60 seconds), and Algorithm (SHA-1, SHA-256, SHA-512) to match your authenticator app's settings. Most apps use 6 digits, 30 seconds, SHA-1.
  4. Your live TOTP code appears instantly in large digits. The countdown ring shows how many seconds remain before the code refreshes. The ring turns red when 5 or fewer seconds remain.
  5. Click "Copy Code" to copy the current code to your clipboard, then paste it into the login form. The code auto-refreshes at each period boundary -- no need to click anything.

FAQ

Is my secret key ever sent to a server?
No. Everything is computed locally using the WebCrypto API built into your browser. Your secret never leaves your device and is not stored anywhere -- not in localStorage, not in cookies, not on any server.
What is a Base32 secret and where do I find it?
When you enable 2FA in an app or website, it shows a QR code and usually a text backup code in Base32 format -- uppercase letters A-Z and digits 2-7. That text string is your secret key. Keep it in a safe place and paste it here to generate codes.
Can I paste an otpauth:// URI directly?
Yes. Paste the full otpauth:// URI and the tool automatically extracts the secret, digit count, period, and algorithm. The URI format is what 2FA QR codes encode internally, so if your QR scanner can show the raw URI, you can paste it here.
Does the tool store my secret key anywhere?
No. The secret is held only in memory while the page is open. It is not written to localStorage, cookies, or any database. When you close or reload the page, the secret is gone. Only your option preferences (digits, period, algorithm) are saved for convenience.
Is this compatible with Google Authenticator, Authy, and Microsoft Authenticator?
Yes. All standard TOTP authenticator apps use the same RFC 6238 algorithm with SHA-1, 6 digits, and a 30-second period by default. This tool matches those defaults. For apps using non-standard settings, adjust the Digits, Period, or Algorithm options accordingly.