Next-Gen App & Browser Testing Cloud
Trusted by 2 Mn+ QAs & Devs to accelerate their release cycles

Generate TOTP (Time-based One-Time Password) codes from your secret key for services like Google, Facebook, Instagram, and others, fully in your browser.
Enter the 2FA secret key from the service you want to use. Spaces and formatting will be cleaned automatically.
Used only to label the QR code so your authenticator app shows a recognizable name.
Your secret key is never stored on our servers and is only processed on your device.
Two-factor authentication (2FA) adds a second step to logging in: after your password, a service asks for a short, frequently-changing code. This tool turns the Base32 secret key a service gives you into that code, a Time-based One-Time Password (TOTP), exactly like an authenticator app such as Google Authenticator, Microsoft Authenticator or Authy. Everything is computed locally in your browser using the Web Crypto API, so your secret never leaves your device.
Both are one-time password algorithms from the same family, but they differ in what drives the code. This tool generates either; the table shows when to pick each.
| Aspect | TOTP (time-based) | HOTP (counter-based) |
|---|---|---|
| Moving factor | The current time divided by the period | A counter that increments per use |
| When the code changes | Automatically every period (usually 30s) | Only when the counter advances |
| Needs an accurate clock | Yes, client and server clocks must agree | No, but the counters must stay in sync |
| Standard | RFC 6238 | RFC 4226 |
| Typical use | Most app and website logins | Hardware tokens and some legacy systems |
The generator is handy whenever you need a one-time code without your phone, and it pairs with the other free security tools from TestMu AI.
A 2FA code generator turns a service’s Base32 secret key into a Time-based One-Time Password (TOTP), the same 6-digit code an authenticator app shows. The code changes every 30 seconds and is used as the second factor when logging in.
Your secret key never leaves your device. All HMAC and code generation happens locally in your browser using the Web Crypto API. Recent keys are kept only in your browser’s local storage.
When a service shows a QR code to set up 2FA, look for a “can’t scan the code?” or “enter key manually” option that reveals a Base32 secret (letters A–Z and digits 2–7). Paste that here, spaces and formatting are cleaned automatically.
Most services use the defaults: SHA-1, 6 digits and a 30-second period. Some use SHA-256/SHA-512, 7–8 digits, or a 60-second period. If a code is rejected, confirm these settings match what your service expects.
TOTP (time-based) derives the code from the current time, so it changes automatically every period. HOTP (counter-based) derives the code from a counter value that increments each time a code is used. This tool supports both.
The most common cause is an incorrect device clock, TOTP relies on accurate time. Make sure your system clock is synced. Also verify the algorithm, digit count and period match the service’s settings, and that you pasted the full secret key.
Yes. After you generate a code, a QR code that encodes the otpauth URI appears. Scan it with Google Authenticator, Authy, or any compatible app to add the account to your phone without typing the secret.
No. Treat this tool as a convenience for testing and recovery, not a vault. Keep your secrets in a dedicated authenticator app or password manager, and store backup codes somewhere safe.
Did you find this page helpful?
TestMu AI forEnterprise
Get access to solutions built on Enterprise
grade security, privacy, & compliance