My Tools Garage

TOTP Secret Generator

Create random Base32 TOTP secrets and otpauth URIs.

How to use

  1. Enter an issuer name and an account label (such as an email).
  2. Pick the secret size, algorithm, digit count and period, or keep the defaults.
  3. Copy the Base32 secret into your authenticator app, or use the otpauth URI to make a QR code.
  4. Click Regenerate any time you want a fresh secret.

About TOTP Secret Generator

The TOTP Secret Generator creates the shared secret that powers time-based one-time passwords — the rotating six-digit codes from apps like Google Authenticator, Authy, 1Password and Aegis.

When you add an account to such an app, it stores a secret key and combines it with the current time to derive each code, following RFC 6238.

This tool produces that secret as a cryptographically random sequence of bytes, encoded in RFC 4648 Base32 without padding, exactly as authenticator apps expect.

Beyond the raw secret, it assembles a complete otpauth:// provisioning URI containing your issuer, account label, algorithm, digit count and period.

You can paste that URI into a QR generator or your own backend so a user can scan and enrol in one step.

Sensible defaults are chosen for you — a 160-bit secret, SHA1, six digits and a thirty-second period — matching the widest compatibility across authenticator apps, while letting you switch to SHA256, SHA512, eight digits or longer secrets when your server supports them.

Crucially, the secret is generated with the Web Crypto API entirely inside your browser and never transmitted, logged or stored anywhere.

Click regenerate as many times as you like; each press draws fresh randomness.

Treat the result like a password: it is the single piece of data an attacker would need to clone the second factor.

FAQ

Is the generated secret cryptographically secure?

Yes. The bytes come from the browser Web Crypto API (crypto.getRandomValues), the same source used for keys and tokens, and are then Base32-encoded for authenticator apps.

Which defaults should I use for maximum compatibility?

A 160-bit (20-byte) secret with SHA1, six digits and a 30-second period works with virtually every authenticator app. Only change these if your server explicitly supports the alternatives.

Does the secret leave my browser?

No. Generation is entirely client-side, so the secret and otpauth URI are never uploaded, logged or stored — they exist only on this page until you copy them.