Generate TOTP and HOTP one-time passwords for MFA setup, integration testing, and recovery playbooks with clear timing and counter guidance to avoid authentication troubleshooting blind spots.

What this tool does

It computes one-time passcodes from shared secrets using time-based or counter-based OTP algorithms.

It helps verify MFA enrollment flows and authenticator interoperability before production rollout.

It provides deterministic troubleshooting support for clock skew, step window, and secret formatting issues.

Typical use cases

Test MFA setup flows during auth feature development.
Validate OTP compatibility across mobile authenticators and backend verifiers.
Reproduce support incidents involving expired or invalid OTP codes.
Prepare break-glass recovery runbooks with known-good OTP generation steps.
Confirm HOTP counter handling in hardware token style integrations.

Input examples

TOTP secret

JBSWY3DPEHPK3PXP

Time step config

period: 30s, digits: 6, algo: SHA1

HOTP config

counter: 42, digits: 6, algo: SHA256

Output examples

Current TOTP

482193 (valid for remaining 18s)

HOTP sample

913520 (counter 42)

Troubleshooting note

If verification fails, compare server clock and secret normalization first.

Common errors and fixes

Codes fail due to time drift

Synchronize client and server clocks and allow small verification window.

Secret format mismatch

Ensure Base32 secret is clean and padding expectations are handled correctly.

Wrong algorithm or digit length

Match verifier settings exactly for period, digits, and hash algorithm.

HOTP counter desynchronization

Resync counter state between token and verifier during troubleshooting.

Security and privacy notes

OTP generation is local, but shared secrets are highly sensitive and must be handled carefully.
Never paste production MFA secrets into tickets, chat logs, or public recordings.
Rotate test secrets after debugging sessions and remove them from temporary notes.

Step-by-step workflow

Start with a minimal input for TOTP/HOTP Generator and verify baseline behavior first.
Make assumptions explicit: encoding, delimiter strategy, and timezone.
Change one variable at a time and compare output diffs.
Keep one verified output snapshot as a team reference.

Quality checklist before sharing output

Confirm TOTP/HOTP Generator output is deterministic across repeated runs with identical input.
Check boundary inputs (empty values, long fields, invalid characters).
Remove sensitive data before sharing output externally.
Verify final rendering on both desktop and mobile viewports.