Generate TOTP From a Base32 Secret: What to Check First
If a service gives you a manual setup key for two-factor authentication, it is usually a Base32 secret. That secret is enough to generate time-based one-time passwords, also called TOTP codes, as long as the code settings match the service.
The quick answer: to generate TOTP from a Base32 secret, paste the setup key into a trusted local TOTP generator, confirm the period (usually 30 seconds), keep the digit count at 6 unless the service says otherwise, and make sure your device clock is correct.
BaseToolbox's 2FA code generator supports Base32 secrets, otpauth:// URLs, and QR code images. It is designed for browser-side TOTP calculation, so the secret does not need to be uploaded to a server just to calculate a code.
What Is a Base32 Secret?
A Base32 secret is the shared key used by the website and your authenticator app to calculate the same one-time code. It often looks like a string of uppercase letters and numbers, such as:
JBSWY3DPEHPK3PXP
The secret is not the 6-digit code itself. It is the long-term credential that can generate future codes. Anyone who has it can calculate valid TOTP codes for that account, so treat it like a password.
TOTP is defined in RFC 6238. Authenticator QR codes often wrap the same secret inside Google's documented Key URI Format.
How to Generate TOTP From a Base32 Secret
Use this workflow when you already control the setup key:
- Copy the Base32 setup key exactly.
- Open a local TOTP generator on a trusted device.
- Paste the secret into the generator.
- Keep the period at 30 seconds unless the service specifies another value.
- Use 6 digits unless the setup says 8 digits.
- Use SHA-1 unless the setup URL says SHA-256 or SHA-512.
- Confirm your device clock is set automatically.
- Enter the current code before the timer expires.
If the generator accepts an otpauth:// URL, you can paste that instead. The URL can carry the secret, issuer, account label, period, digits, and algorithm in one string.
Why a Correct Secret Can Still Fail
TOTP failures usually come from the settings around the secret, not from the calculation itself, which is deterministic.
| Problem | What to check |
|---|---|
| Code rejected immediately | Device time may be wrong or the service may use a different time window. |
| Code has wrong length | The account may expect 8 digits instead of 6. |
| Secret looks invalid | Spaces, hyphens, lowercase letters, or copied labels may have slipped in. |
| QR code works but manual key fails | The QR code may include extra settings not copied with the secret. |
| Works in one app but not another | Algorithm, period, or digit count may differ. |
When debugging, do not reset 2FA too quickly. First compare the visible setup settings, device time, and copied secret.
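An added Python example, not BaseToolbox's code, of the calculation behind the workflow and the failure table above: it normalizes a pasted key, reads period, digits and algorithm from an otpauth:// URL, and computes the code per RFC 6238. The function names and the sample URL are constructed for illustration; RFC_SECRET is the Base32 form of the RFC 6238 SHA-1 test seed, not a real account key.

```python
import base64, hashlib, hmac, struct, time
from urllib.parse import urlparse, parse_qs

# Base32 form of the RFC 6238 SHA-1 test seed "12345678901234567890" (test data only).
RFC_SECRET = "GEZDGNBVGY3TQOJQGEZDGNBVGY3TQOJQ"
HASHES = {"SHA1": hashlib.sha1, "SHA256": hashlib.sha256, "SHA512": hashlib.sha512}

def decode_secret(secret):
    """Strip the spaces, hyphens and lowercase that creep into pasted keys, then decode."""
    cleaned = secret.replace(" ", "").replace("-", "").upper().rstrip("=")
    cleaned += "=" * (-len(cleaned) % 8)  # b32decode needs padding to a multiple of 8
    return base64.b32decode(cleaned)      # raises binascii.Error on non-Base32 input

def totp(secret, now=None, period=30, digits=6, algorithm="SHA1"):
    """RFC 6238 code for the time window containing `now` (Unix seconds)."""
    counter = int(time.time() if now is None else now) // period
    mac = hmac.new(decode_secret(secret), struct.pack(">Q", counter),
                   HASHES[algorithm.upper()]).digest()
    offset = mac[-1] & 0x0F  # dynamic truncation (RFC 4226)
    value = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(value % 10 ** digits).zfill(digits)

def params_from_uri(uri):
    """Read the secret and any overrides from an otpauth://totp/ URL (defaults: 30 s, 6, SHA1)."""
    parsed = urlparse(uri)
    if parsed.scheme != "otpauth" or parsed.netloc != "totp":
        raise ValueError("expected an otpauth://totp/ URL")
    query = {k: v[0] for k, v in parse_qs(parsed.query).items()}
    return {"secret": query["secret"],
            "period": int(query.get("period", 30)),
            "digits": int(query.get("digits", 6)),
            "algorithm": query.get("algorithm", "SHA1")}

if __name__ == "__main__":
    # Constructed sample URL: same secret, but the service asks for 8 digits.
    uri = "otpauth://totp/Example:alice?secret=" + RFC_SECRET + "&digits=8"
    print("URL settings    :", totp(**params_from_uri(uri), now=59))
    print("manual key only :", totp(RFC_SECRET, now=59))
    print("clock 30 s slow :", totp(RFC_SECRET, now=29))
```

The manual-key line yields a 6-digit code where the URL settings yield 8 digits, which is the "QR code works but manual key fails" row in practice; the last line shows a clock that is one window behind producing a different code from the same secret.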
Is It Safe to Paste a Base32 Secret Into an Online Tool?
Only paste a real 2FA secret into a tool you trust and that processes the secret locally. A Base32 setup key is sensitive because it can generate future login codes.
For personal accounts, the safest place is still your password manager or authenticator app. A browser TOTP generator is useful for testing, emergency recovery when you already have the key, or debugging an internal integration.
For development work, use test secrets. Do not paste production user secrets into bug reports, analytics tools, chat logs, or screenshots.
Quick Answer
A Base32 secret can generate TOTP codes when the secret, time window, digit count, and algorithm match the service. Most authenticator setups use 6 digits, a 30-second period, and SHA-1, but otpauth:// URLs can override those defaults.
FAQ
Is a Base32 secret the same as a 2FA backup code?
No. A Base32 secret is the long-term setup key that generates new TOTP codes. A backup code is usually a one-time recovery code created by the service.
Why does my TOTP code change every 30 seconds?
TOTP combines the shared secret with the current time window. When the time window changes, the calculated code changes too.
Can I recover a lost Base32 secret from a 6-digit code?
No. A current 6-digit code cannot be reversed into the secret. If the secret is lost and no synced authenticator or backup code exists, use the service's account recovery process.