Marvin's Toolbox.


TOTP Code Generator

Paste a 2FA secret or an otpauth:// link and watch the one-time codes tick live, with a countdown to the next code. Supports the digit counts, periods and algorithms real authenticators use.

Everything runs locally in your browser. Your data never leaves your device.


About the TOTP Code Generator

This tool turns a 2FA secret into the six-digit codes your authenticator app would show, live. Paste the Base32 secret from a setup screen, or a full otpauth:// link, and the current code appears with a countdown ring to the next rotation. The previous and next codes sit alongside, dimmed: the same tolerance window real authenticators use for clock drift.

Everything real services vary is adjustable: SHA-1, SHA-256 or SHA-512, 6 to 8 digits, and any period. A pasted link fills those settings in for you and shows the account and issuer it belongs to. A counter-based HOTP mode covers the rare services that still use it.

What you can do

  • Generate the current TOTP code from a Base32 secret.
  • Read an otpauth link and show its account, issuer and settings.
  • Watch codes rotate live with a countdown to the next one.
  • Copy the current code with one click.
  • Generate 8-digit or SHA-256 codes for services that use them.
  • Compute HOTP codes from a counter.
  • Check whether a secret is valid Base32.

How to use the TOTP Code Generator

  1. Paste the secret from the 2FA setup screen, or the whole otpauth link. Spaces, lowercase and missing padding are fine.
  2. If you pasted a bare secret, check the settings. Almost every service uses the defaults of SHA-1, 6 digits and 30 seconds.
  3. Read the current code and click it to copy. The ring counts down to the next rotation, and the previous and next codes wait beside it.
  4. For an HOTP service, switch to counter mode and advance the counter each time you use a code.

Where the secret comes from

When a website offers an authenticator app for 2FA, it shows a QR code and usually a "can't scan it?" fallback with the secret spelled out, a Base32 string like JBSW Y3DP EHPK 3PXP. That string is what this tool takes. The QR code itself just wraps an otpauth:// link carrying the same secret plus the settings, so if you have that link from a backup or a password manager export, paste it whole and nothing needs configuring by hand.

To enroll a phone from an otpauth link you already have, turn the link back into a scannable image with the QR Code Generator.

How the codes are computed

TOTP is standardized in RFC 6238: the Unix time is divided into 30-second steps, the step number is signed with the secret using HMAC, and a few digits of the result become the code. Both sides compute the same code because they share the secret and the clock. This implementation passes the official RFC test vectors for SHA-1, SHA-256 and SHA-512.

The dimmed neighbours exist because clocks drift. Most services accept the previous code for a short while after a rotation, so a code typed just too late usually still works. The time offset setting in the tool shifts the clock on purpose, useful when checking how a server handles drift.
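The computation described above, together with the server-side drift window, as an added Python example (not this tool's own code; the function names and the sample otpauth link are assumptions made for illustration):

```python
import base64, hashlib, hmac, struct
from urllib.parse import urlparse, parse_qs, unquote

ALGS = {"SHA1": hashlib.sha1, "SHA256": hashlib.sha256, "SHA512": hashlib.sha512}

def decode_secret(text):
    """Base32-decode a secret; spaces, lowercase and missing padding are accepted."""
    s = "".join(text.split()).upper().rstrip("=")
    return base64.b32decode(s + "=" * (-len(s) % 8))  # binascii.Error if invalid

def hotp(key, counter, digits=6, algorithm="SHA1"):
    """RFC 4226: HMAC over the 8-byte big-endian counter, then dynamic truncation."""
    mac = hmac.new(key, struct.pack(">Q", counter), ALGS[algorithm]).digest()
    off = mac[-1] & 0x0F  # low nibble of the last byte selects a 4-byte window
    code = struct.unpack(">I", mac[off:off + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)

def totp(key, now, period=30, **kw):
    """RFC 6238: the HOTP counter is the number of whole periods since the epoch."""
    return hotp(key, int(now) // period, **kw)

def parse_otpauth(uri):
    """Pull the secret and settings out of an otpauth:// link, with the usual defaults."""
    u = urlparse(uri)
    q = {k: v[0] for k, v in parse_qs(u.query).items()}
    return {"type": u.netloc, "label": unquote(u.path.lstrip("/")),
            "issuer": q.get("issuer"), "key": decode_secret(q["secret"]),
            "algorithm": q.get("algorithm", "SHA1").upper(),
            "digits": int(q.get("digits", 6)), "period": int(q.get("period", 30))}

def verify(key, submitted, now, window=1, period=30, **kw):
    """Server-side check: accept steps now-window..now+window.
    Returns the matching step offset (-1 = previous code) or None."""
    step = int(now) // period
    match = None
    for d in range(-window, window + 1):
        if hmac.compare_digest(hotp(key, step + d, **kw), submitted):
            match = d  # keep looping so timing does not reveal which step matched
    return match

if __name__ == "__main__":
    # Constructed sample link; the secret is the RFC 6238 SHA-1 test key in Base32.
    cfg = parse_otpauth("otpauth://totp/Example:alice@example.com"
                        "?secret=gezdgnbvgy3tqojqgezdgnbvgy3tqojq&issuer=Example&digits=8")
    print(totp(cfg["key"], 59, digits=cfg["digits"]))
    print(verify(cfg["key"], "94287082", 61, digits=8))
```

A production verifier would also record the last accepted step per account and reject a code that has already been used, which this sketch leaves out.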

A debugging tool, not an authenticator

The tool computes exactly what an authenticator app would, which makes it handy for testing a TOTP integration, checking a stored secret before deleting it, or generating a code when your phone is not at hand. It is not a replacement for an authenticator app, so keep your 2FA secrets enrolled in one, or in a password manager that generates codes.
