Is my secret key safe?

Yes. This tool runs entirely in your browser. Your TOTP secret is never sent to any server, logged, or stored. You can disconnect from the internet and it will still generate codes correctly.

TOTP (Time-based One-Time Password) is an algorithm defined in RFC 6238 that generates a short numeric code using a shared secret key and the current time. The code changes every 30 seconds and is used for two-factor authentication (2FA).

TOTP Generator — GlintKit

Q: Is this compatible with Google Authenticator and Authy?

Yes. This generator uses the standard HMAC-SHA1 TOTP algorithm (RFC 6238) with 6-digit codes and 30-second periods — the same parameters used by Google Authenticator, Authy, Microsoft Authenticator, and most other 2FA apps.

shield100% local — key never transmitted

Secret Key

Base32 encoded secret from your authenticator setup (e.g. JBSWY3DPEHPK3PXP)

Digits

Period

— — —

Click code to copy

Enter a secret key to start

Next code

Code in —s — — —

How TOTP Works

You and the server share a secret key (base32 encoded string). This is exchanged once during setup, usually by scanning a QR code.

The current Unix time is divided into 30-second windows: T = floor(unixtime / 30). This value is the same for both you and the server at the same moment.

An HMAC-SHA1 hash is computed over T using the secret key. The hash is truncated to extract a 6–8 digit number — this is your OTP.

The server performs the same calculation and compares the result. If they match (allowing ±1 window for clock skew), the login is approved.

Frequently Asked Questions

Yes. This tool uses only browser-local JavaScript — no network requests are made after the page loads. Your TOTP secret is never sent to any server, logged, or stored in any way. You can disconnect from the internet and the tool will continue to work correctly.

TOTP (Time-based One-Time Password) is an algorithm defined in RFC 6238. It generates a short numeric code from a shared secret key and the current time. The code rotates every 30 seconds and is used for two-factor authentication. Both the app and the server compute the same code independently — no communication is needed at authentication time.

Yes. This generator implements the standard RFC 6238 TOTP algorithm with HMAC-SHA1, 6-digit codes, and 30-second periods — the same parameters used by Google Authenticator, Authy, Microsoft Authenticator, Bitwarden, 1Password, and virtually all other 2FA apps and services.

TOTP Generator

Frequently Asked Questions

About the TOTP Generator

Related Tools