Question 1

What is TOTP?

Accepted Answer

TOTP (Time-Based One-Time Password, RFC 6238) generates a 6-digit code that changes every 30 seconds. It is the algorithm behind authenticator apps like Google Authenticator, Authy, and Microsoft Authenticator. The code is derived from a shared secret and the current Unix timestamp.

Question 2

What is a TOTP secret?

Accepted Answer

The secret is a Base32-encoded random value shared between your server and the authenticator app. It is typically 16–32 characters of Base32 (A-Z, 2-7). This secret is encoded into the QR code you scan when setting up 2FA.

Question 3

What is the otpauth:// URI format?

Accepted Answer

otpauth://totp/Label?secret=SECRET&issuer=ISSUER&algorithm=SHA1&digits=6&period=30 — this URI is encoded into the QR code that authenticator apps scan. Label is the account name, issuer is the service name.

Question 4

Is it safe to use this tool for production secrets?

Accepted Answer

This tool generates TOTP codes client-side for testing purposes. For production, generate and store secrets server-side — never expose them in client-side code or logs. The secret shown here is for testing only.

Question 5

Why does the code change every 30 seconds?

Accepted Answer

TOTP uses HOTP with the time counter = floor(Unix timestamp / 30). Both the client and server compute the same code from the same secret and time window. Codes are accepted within ±1 window (90 seconds total) to account for clock drift.

Question 6

How does a TOTP code work?

Accepted Answer

TOTP (Time-based One-Time Password) generates a 6-digit code by combining your secret key with the current 30-second time window using HMAC-SHA1. Both your authenticator app and the server compute the same code independently — no network call required. Codes expire every 30 seconds, providing protection against replay attacks even if intercepted.

Question 7

How do I set up two-factor authentication?

Accepted Answer

Generate or enter your TOTP secret key above. Scan the QR code with an authenticator app (Google Authenticator, Authy, or any TOTP app) to register the secret. The app will then generate 30-second codes for login. On your server side, validate codes using a TOTP library. Use DevDecode's API Key Generator to create secure secret keys.

TOTP Generator — Free Online Time-Based OTP Code Generator

Frequently Asked Questions

How TOTP Two-Factor Authentication Works

Related Tools

PKCE Generator

OIDC Debugger

JWT Decoder

API Key Generator