TOTP authenticator codes
Time-based one-time passwords (RFC 6238) extend HOTP (RFC 4226) with a time counter. This page derives codes with HMAC-SHA1 and dynamic truncation, the defaults expected by most authenticator apps, then builds an otpauth://totp/… URI for enrollment.
Related utilities
Secrets are often distributed as Base32—compare with the Base32 encoder. For OAuth flows that pair with MFA, use PKCE for public clients and JWT decode to inspect bearer tokens afterward.
RFC 6238: counter = floor((now − t0) / period); HOTP-SHA1 with dynamic truncation (RFC 4226). Google Authenticator and most apps use SHA-1, 30s, and 6 digits by default.
Authenticator URI (otpauth://)
Issuer and label are only for QR enrollment—they do not change the numeric code if the secret and parameters match.
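The derivation and the enrollment URI described above, as an added Python example that is not Toolcore's own code. It goes slightly beyond the page by also accepting codes from adjacent time steps to absorb clock skew. The function names, the `window` parameter, and the `Example` / `alice@example.com` values are assumptions; the sample secret is the Base32 form of the RFC 6238 test key.

```python
import base64, hashlib, hmac, struct, time
from urllib.parse import quote, urlencode

# Base32 of the ASCII test key "12345678901234567890" from RFC 6238 Appendix B (not a real secret).
SAMPLE_SECRET = "GEZDGNBVGY3TQOJQGEZDGNBVGY3TQOJQ"

def decode_secret(b32):
    """RFC 4648 Base32 -> key bytes; tolerates spaces, lowercase and missing padding."""
    s = b32.replace(" ", "").upper()
    return base64.b32decode(s + "=" * (-len(s) % 8))

def time_step(now, period=30, t0=0):
    """counter = floor((now - t0) / period), as in RFC 6238."""
    return int((now - t0) // period)

def hotp(key, counter, digits=6):
    """RFC 4226: HMAC-SHA1 over the 8-byte big-endian counter, then dynamic truncation."""
    mac = hmac.new(key, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F  # low nibble of the last byte selects a 4-byte window
    value = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF  # clear the sign bit
    return str(value % 10 ** digits).zfill(digits)

def totp(b32, now=None, period=30, digits=6):
    now = time.time() if now is None else now
    return hotp(decode_secret(b32), time_step(now, period), digits)

def verify(b32, code, now=None, period=30, digits=6, window=1):
    """Return the matching step offset (-window..+window) or None; window absorbs clock skew."""
    now = time.time() if now is None else now
    key, base = decode_secret(b32), time_step(now, period)
    for step in range(-window, window + 1):
        if base + step < 0:
            continue
        expected = hotp(key, base + step, digits)
        if hmac.compare_digest(expected.encode(), code.encode()):
            return step
    return None

def otpauth_uri(b32, issuer, account, period=30, digits=6):
    """Enrollment URI; issuer and label are display-only and do not affect the code."""
    label = quote(f"{issuer}:{account}", safe=":")
    query = urlencode({"secret": b32, "issuer": issuer, "algorithm": "SHA1",
                       "digits": digits, "period": period})
    return f"otpauth://totp/{label}?{query}"

if __name__ == "__main__":
    print(totp(SAMPLE_SECRET, now=59, digits=8))    # RFC 6238 SHA-1 vector for T=59
    print(verify(SAMPLE_SECRET, "287082", now=89))  # previous step's code, offset -1
    print(otpauth_uri(SAMPLE_SECRET, "Example", "alice@example.com"))
```

A wider `window` tolerates more skew but also lengthens the time an intercepted code stays valid, so keep it as small as your clients allow.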
Common use cases
- Verify that a manually entered Base32 secret matches what your IdP or CLI printed before you burn a QR code.
- Compare Toolcore output against another authenticator when debugging clock skew or period mismatches (15s vs 30s).
- Generate a fresh secret and otpauth URI locally when prototyping MFA flows—pair with PKCE or JWT inspection tools during OAuth work.
- Teach students how the TOTP counter maps to Unix time steps without running server code.
Common mistakes to avoid
Mixing up RFC 4648 Base32 and Crockford Base32
Authenticator secrets are standard RFC 4648 Base32 (alphabet A–Z and 2–7). Crockford Base32 uses a different alphabet that avoids ambiguous letters, so decode with the same alphabet your issuer used.
Assuming SHA-256 without checking the issuer
This page uses SHA-1 for broad app compatibility (Google Authenticator default). If your server expects another algorithm, codes will not match.
Pasting production secrets on a shared machine
Processing is local, but shoulder surfing and clipboard managers still leak—use throwaway secrets for demos.
FAQ
Does Toolcore store my secret?
No. The secret stays in your browser and the HMAC is computed there; closing the tab discards state unless your browser restores it.
Why does my code disagree with my phone?
Check the period (15/30/60), the digit count (6 vs 8), that the Base32 secret is correct, and that both devices have accurate time. Small skew is normal near step boundaries.
Can I prefill the secret from a link?
Yes—use ?q= or ?qb= with the Base32 text, same as other Toolcore tools for agents and bookmarks.