TOTP QR Code Generator
Build an otpauth:// QR code for Google Authenticator, 1Password, Authy and friends. Secret generated locally.
Quick answer: Build an otpauth:// QR code for Google Authenticator, 1Password, Authy and friends. Secret generated locally.
Last updated
Frequently asked questions
- What is TOTP?
- Time-based One-Time Password — the 6-digit code that rotates every 30 seconds in apps like Google Authenticator. It's defined in RFC 6238 and is the de-facto standard for app-based 2FA.
- Which apps can scan this QR code?
- Any standards-compliant TOTP app: Google Authenticator, Microsoft Authenticator, 1Password, Authy, Aegis (Android), Raivo (iOS), Bitwarden, KeePassXC, ente Auth, and many more.
- Is the secret sent to your server?
- No. The secret is generated locally with crypto.getRandomValues(), and the QR code is rendered locally by the qrcode library (loaded on demand). We never see the secret.
- Should I use SHA-1, SHA-256 or SHA-512?
- SHA-1 for maximum compatibility — Google Authenticator and several others ignore the algorithm field and assume SHA-1. Use SHA-256 only if you control both ends of the integration.
- What's the difference between 6 and 8 digits?
- Six is standard. Eight adds two more random digits (~6.6 extra bits of entropy per code), which marginally raises the bar against online guessing — but the app must support it. Stick to 6 unless you have a specific reason.
- Can I change the time step?
- Yes, between 15 and 120 seconds. 30 is the universal default; only change it when integrating with a non-standard system.
- What does 'issuer' do?
- It's the service name displayed inside the authenticator app (e.g. 'GitHub'). It also acts as a namespace so two accounts on different services with the same email don't collide.
- Where do I store the secret if I lose my phone?
- Print the QR code or save the secret in your password manager's 'Notes' field. If you re-scan the QR on a new device, the codes will pick up exactly where they left off.
- Is this a real 2FA setup or just a demo?
- It's real. Any service that uses standards-compliant TOTP (most of them) will accept the QR codes generated here. Of course, the verifying side also needs the same secret.
- Can I generate a QR for a secret I already have?
- Yes. Paste your existing base32 secret into the secret field — we'll re-encode it into a fresh otpauth URL and QR.