What is a TOTP secret?

A TOTP secret is a shared random key, encoded in base32, that both your server and the user's authenticator app hold. Each app derives the same time-based 6-digit code from it using the RFC 6238 algorithm, so codes match without any network call.

Why base32 and not hex?

The TOTP standard and authenticator apps expect the secret in base32 because it uses only uppercase letters and digits 2 to 7, which are unambiguous to read and type manually. The otpauth URI also requires base32.

How long should the secret be?

RFC 4226 recommends at least 128 bits, and 160 bits (20 bytes) is common and matches the SHA-1 HMAC block. This tool defaults to 20 bytes, producing a 32-character base32 secret, which works with all mainstream apps.

Is the secret generated securely?

Yes. The random bytes come from crypto.getRandomValues, the browser's cryptographically secure RNG, and both the secret and QR code are built locally. Nothing is transmitted, so treat the secret as a live credential.

What goes in the otpauth URI?

The URI follows otpauth://totp/Issuer:label?secret=BASE32&issuer=Issuer&algorithm=SHA1&digits=6&period=30. Authenticator apps parse it from the QR code to provision the account with the correct parameters automatically.

TOTP Secret Generator

A TOTP secret is the shared key behind every time-based one-time password. When a user enables two-factor authentication, your server generates a random secret, encodes it in base32, and shows it to the user as a QR code. Their authenticator app — Google Authenticator, Authy, 1Password, Microsoft Authenticator — stores that secret and, every 30 seconds, derives a 6-digit code from it using the RFC 6238 algorithm. Because both sides hold the same secret and use the same clock, the codes match without any messages crossing the network. This tool generates a compliant secret, the otpauth:// enrollment URI, and a scannable QR code, all locally.

How it works

The generator produces a fresh secret and packages it for an authenticator app:

Draw 20 random bytes (160 bits) from crypto.getRandomValues.
Encode those bytes in base32 (RFC 4648 alphabet A-Z2-7), the format every authenticator expects.
Build the standard enrollment URI: otpauth://totp/Issuer:label?secret=...&issuer=...&algorithm=SHA1&digits=6&period=30.
Render that URI as a QR code so the app can be enrolled with one scan.

At verification time the app and your server independently compute HOTP(secret, floor(unixTime / 30)) and truncate to 6 digits. No secret travels over the wire after enrollment.

Notes and best practices

Store the secret encrypted at rest, tied to the user account; you need it to verify every future code.
The default parameters — SHA-1, 6 digits, 30-second period — are the universally supported defaults; only change them if every client you support agrees.
A secret of 160 bits is the conventional size and matches the SHA-1 HMAC block length.
Everything runs in your browser, so the secret never touches a server during generation. Treat the displayed value as a live credential and clear the screen once enrollment is complete.