Secure OTP Generator Tool

Generate TOTP or HOTP test codes with secret, algorithm, digits, period, counter, QR, and diagnostic outputs.

Setup
Configure secret, mode, and issuer/account details

OTP Input

Enter a Base32 secret (minimum 26 chars / 128-bit). Generated secrets use 32 chars (160-bit).
Import/export app setup strings for QA and integration debugging.
Scan with your authenticator app to test this configuration.
Result
Current/next codes, drift preview, and verification snippets

OTP Output

Window Counter Code
No drift data yet.
Verification status will appear here.

Try These Related Tools
Secure Cookie Tester
Chmod Permissions Calculator
CSR Generator
RSA Key Generator Tool
Password Strength
security.txt Generator
HSTS Tester

Generate OTP codes for TOTP and HOTP testing without leaving the browser

This OTP generator is designed for real 2FA and MFA testing workflows, not just for producing a random six-digit string. The page lets you work with a Base32 secret, choose TOTP or HOTP mode, select the algorithm, and control digits and period before it calculates the codes and related diagnostics.

That makes it useful for QA engineers, developers, security teams, and support staff who need to verify authenticator app setup, check provisioning details, or reproduce a time-based token sequence during troubleshooting.

Key Features

  • Base32 secret input with guidance on minimum secret length.
  • TOTP and HOTP modes on the same page.
  • Algorithm selection for SHA-1, SHA-256, and SHA-512.
  • Digit and period controls, plus HOTP counter support.
  • Outputs previous, current, and next OTP values along with QR and diagnostic data.

Use Cases

The page is strongest when you need to test an authenticator configuration end to end instead of only generating a standalone code. To extend the workflow after the initial result, pair it with Bip39 Generator when that next step matches your job.

  • Verify a TOTP setup before releasing a login flow.
  • Reproduce HOTP counter behavior in support or QA scenarios.
  • Check issuer and account naming before generating or scanning a provisioning QR code.
  • Compare expected token windows when troubleshooting clock drift or validation failures.

How To Use

  1. Enter a Base32 secret or use a generated secret, then optionally fill issuer and account name so the configuration is easier to identify.
  2. Choose TOTP or HOTP depending on the system you are testing.
  3. Select the hash algorithm, token length, and period; for HOTP, set the counter value as well.
  4. Review the returned OTP values, QR code, secret in hex, epoch, and iteration details to confirm the configuration behaves the way you expect.

If you need a second validation step after the first run, compare the output with JSON Compare so you can keep the workflow inside the same browser session.

How It Works

For TOTP, the generator combines the shared secret with the current time window to calculate a code that rotates on the chosen period. For HOTP, it uses a counter instead of time so each new token advances with the counter value rather than a clock tick.

The surrounding diagnostics make the page more than a simple code generator. Previous, current, and next values help you test boundaries, while the QR and secret representations help validate provisioning and implementation details in a way that matches real-world authenticator workflows.

Examples

Test a standard 30-second TOTP flow

A QA engineer can enter a Base32 secret, keep the page on TOTP, choose six digits and a 30-second period, and confirm that the current code matches the value shown in an authenticator app during the same time window.

Reproduce an HOTP support issue

If a hardware token or integration uses HOTP, support can set the counter manually, compare expected and actual values, and verify whether a counter mismatch explains failed authentication attempts.

Edge Cases & Troubleshooting

  • Use test secrets, not production account secrets, unless your process explicitly permits it.
  • If a TOTP code does not match another system, check clock drift and time-window alignment before changing algorithms.
  • Issuer and account names are presentation details for provisioning; they do not replace the secret itself.
  • A malformed or short Base32 secret will create invalid results, so verify the secret format first.
  • For HOTP, remember that counter mismatches are a common source of false failures.

FAQ

What is the difference between TOTP and HOTP?

TOTP is time-based and changes every period window, while HOTP is counter-based and advances when the counter changes.

Why does the page show previous, current, and next OTP values?

Those extra values help with boundary testing, validation windows, and support scenarios where you need to understand whether the failure is caused by timing or configuration.

Can I scan the QR code with an authenticator app?

Yes. The page includes a QR code so you can test the generated configuration with an authenticator app during setup and QA.

How long should the secret be?

The page guidance notes a minimum Base32 secret length and also explains the length used for generated secrets. In practice, stronger shared secrets make testing and implementation safer.

Next Steps / Related Workflows

After the token output looks correct, the usual next step is validating the same configuration inside your app, your identity provider, or the provisioning path you are testing. If you are continuing the same task, Gitignore Generator is a natural follow-up because it keeps the context close to the result you already have.

It’s OK to figure out murder mysteries, but you shouldn’t need to figure out code. You should be able to read it.

Steve McConnell

CodersTool Categories
Data & Format
Data & Format Tools
Encode Decode Tools
Base64 Tools
Unicode UTF Tools
Text Tools
Database Tools
Developer
Developer Tools
Code Editor Tools
Database Tools
Test Data Tools
Dev Calculators
Web & Markup
Site Diagnostics
Meta & Schema Tools
Network & Security
Network Tools
Security Tools
Encryption Tools
Reference
Cheat Sheets
Blog