otpauth QR Code Explained: What Your 2FA App Reads
When a website asks you to scan a QR code for two-factor authentication, there is nothing magic in the image. It encodes a plain-text otpauth:// URI, and the authenticator app reads the account label, issuer, secret key, and code settings out of that URI.
Understanding that format helps in three common situations:
- You cannot scan the QR code and need to enter the setup key manually.
- You are debugging a TOTP integration and want to know why a code is rejected.
- You want to test a 2FA secret in a browser tool without sending it to a server.
What Is an otpauth URI?
An otpauth:// URI is a text format used by authenticator apps to describe a one-time-password account. Google Authenticator's documented key URI format uses this shape:
otpauth://totp/Issuer:[email protected]?secret=BASE32SECRET&issuer=Issuer
IANA lists otpauth as a provisional URI scheme; it is used by authenticator apps such as Google Authenticator and Microsoft Authenticator. The code itself is normally generated with TOTP, the time-based one-time password algorithm described in RFC 6238, which builds on the HMAC-based HOTP algorithm of RFC 4226.
The Parts That Matter
| Part | Example | What it controls |
|---|---|---|
| Type | totp | totp for time-based codes, hotp for counter-based codes. Almost all modern app setups use totp. |
| Label | BaseToolbox:[email protected] | What the app shows in the account list. |
| Secret | JBSWY3DPEHPK3PXP | The shared Base32 key used to generate codes. Treat it like a password. |
| Issuer | BaseToolbox | The service name. It helps the app group or display accounts. |
| Period | 30 | How many seconds each code is valid. 30 seconds is common. |
| Digits | 6 | How many digits the code has. 6 is common. |
| Algorithm | SHA1 | The HMAC hash algorithm. SHA-1 is the common default for compatibility; SHA256 and SHA512 are also defined. |
You will not always see every parameter. If a parameter is missing, apps use the defaults: 6 digits, a 30-second period and SHA-1. Some apps also ignore non-default algorithm, digits and period values and silently use the defaults anyway, which is one reason services rarely change them.
Why Your App and the Website Generate the Same Code
TOTP works because both sides know the same secret key and roughly the same time. The website stores the secret during setup. Your authenticator app stores the same secret after scanning the QR code. Every time period, both sides combine the secret with the current time and calculate a short numeric code.
That is why clock drift can break 2FA. A server usually tolerates only a step or two of drift (a code from the period just before or after the current one). If your device clock is off by more than that, the app shows a valid-looking code that the service rejects.
Can You Paste an otpauth URI Into a Web Tool?
Only use a web tool if the tool processes the secret locally in your browser. A 2FA secret can generate future login codes, so it should be handled like a password.
Before pasting a setup key or otpauth:// URI, check:
- Does the tool say the secret stays in the browser?
- Can it work after the page is loaded and the network is disconnected?
- Does it avoid account sync, uploads, logs, or remote API calls?
- Are you using it for testing or temporary recovery rather than long-term storage?
BaseToolbox's 2FA generator is designed for local browser-side TOTP calculation, so it is useful for testing a setup key, checking a QR code value, or generating a code on desktop when you already have the secret.
Troubleshooting an otpauth Setup
If a generated code does not work, check these before resetting 2FA:
- Confirm the secret was copied exactly. Base32 uses only the letters A-Z and the digits 2-7, so a 0, 1, 8 or 9 in a copied key is a typo (usually O, I or L, B, and G read off a screen); spaces and case do not matter.
- Check whether the service expects 6 or 8 digits.
- Confirm the period is 30 seconds unless the service says otherwise.
- Make sure your device clock is set automatically.
- If you are building the URI yourself, include a clear issuer value and account label, and make sure the issuer parameter matches the issuer prefix in the label.
Quick Answer
An otpauth:// QR code is a setup link for authenticator apps. It usually contains a TOTP secret, issuer, account label, and optional code settings. Anyone with the secret can generate valid future 2FA codes, so test it only in a local, browser-side tool you trust.
Ready to try it yourself?
Put what you have learned into practice with our free online tool.
Test a TOTP Secret Locally