randarium
Keys

TOTP Secret Generator

Generate random base32 secrets suitable for time-based one-time password (TOTP) authenticators like Google Authenticator, Authy, or Microsoft Authenticator. Choose the key length (16, 32, or 64 base32 characters) and optionally group characters for easier reading or entry.

Also known as: 2FA secret · authenticator secret · OTP secret

secure · crypto RNG

Private by design. Your TOTP secret is generated locally and never saved, uploaded, or shared — only your settings can be, and only when you choose.

Presets

Base32 characters

Insert spaces every 4 chars for easier reading

Output

No output yet — set your options and hit .
About this tool, tips & examples

What it does

The TOTP Secret Generator creates random base32-encoded secrets suitable for time-based one-time password (TOTP) authenticators. Generate secrets for Google Authenticator, Authy, Microsoft Authenticator, or any other TOTP-compatible app. Optionally group characters for easier reading or manual entry.

Common use cases

  • Setting up two-factor authentication on accounts.
  • Generating backup authenticator secrets.
  • Testing authentication and OTP systems.
  • Provisioning security keys for new devices.

Settings

  • Length — choose the size of the secret in base32 characters:
    • 16 characters (80 bits) — shorter, less common
    • 32 characters (160 bits) — standard, recommended
    • 64 characters (320 bits) — maximum security
  • How many — generate one secret or batch multiple secrets at once.
  • Group every 4 characters — when enabled, inserts spaces every 4 characters for easier reading and manual entry.

Privacy note

Everything runs locally in your browser using the Web Crypto API. Generated secrets are never uploaded, logged, or sent to a server. They are never saved automatically and never included in share links — only your generation settings can be saved or shared.

Security notes

This generator uses the browser’s cryptographic RNG and is never seeded. Each generation produces completely random output that cannot be reproduced — secure generators do not accept seed values.

FAQ

Why base32 instead of base64 or hex? The TOTP ecosystem standardized on base32 (RFC 4648): its alphabet avoids ambiguous characters and survives being typed by hand into an authenticator app — which is exactly how these secrets get entered when QR codes aren’t available.

What length should I use? 32 characters (160 bits) matches the common default and pairs with SHA-1-based TOTP, which remains the ecosystem standard. Use 64 only if your system explicitly supports longer secrets — some authenticator apps reject unusual lengths.

How does the secret become the 6-digit code? The authenticator combines this shared secret with the current time window (usually 30 seconds) through HMAC — both sides know the secret, so both compute the same code. Anyone who has the secret can generate valid codes forever, so treat it exactly like a password.

Can I get a QR code? This tool produces the raw secret; the QR code is just an otpauth:// URI containing it, which your service or a QR library can render. Never paste real secrets into third-party QR generators.