TOTP Secret Key Generator
Generate a secure, random base32 secret key for setting up 2FA on your app or service. Everything runs in your browser — nothing is sent anywhere.
Paste the generated key into 2faco.com to verify it generates valid TOTP codes before using it in production.
🎲 Cryptographically Secure
Uses crypto.getRandomValues() — the same API used by browsers for TLS key generation. Not Math.random().
🔒 Never Leaves Your Browser
The secret key is generated entirely client-side. Nothing is sent to any server, logged, or stored.
✅ RFC 6238 Compatible
Output is valid base32 as required by the TOTP standard. Works with Google Authenticator, Authy, and all major apps.
Frequently Asked Questions
What is a TOTP secret key?
A TOTP secret key is a shared secret exchanged once between your authenticator app and the service you're protecting. It's used to generate time-based codes that change every 30 seconds. The secret itself never needs to be transmitted again after setup.
How long should my secret key be?
The TOTP standard (RFC 4226) recommends at least 16 bytes (128 bits) — which is 26 base32 characters. 32 characters (160-bit) is the most common choice and provides excellent security. For highly sensitive systems, 52 characters (256-bit) is available.
What format should the secret key be in?
TOTP secret keys must be base32-encoded — they use only uppercase letters A–Z and digits 2–7. No padding characters (=) are needed by most authenticator apps. Remove spaces before storing or using the key programmatically.
How do I use this key?
When implementing 2FA in your app, store this secret securely per user. Display it to them as a QR code (using the otpauth:// URI format) or as a string they can manually enter into their authenticator app. Use an otpauth:// URI builder to generate the QR code.
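The steps described above (random bytes from crypto.getRandomValues(), unpadded base32 output, cleaning a manually entered key, and building the otpauth:// URI) as an added JavaScript example; this is not the generator's own source code. The function names, the 16-byte minimum check and the acceptance of lowercase or padded input are assumptions made for illustration.

```javascript
// Added example (not the generator's own source). RFC 4648 base32 alphabet.
const B32 = "ABCDEFGHIJKLMNOPQRSTUVWXYZ234567";
// Browsers expose crypto globally; the fallback covers older Node.js builds.
const rng = globalThis.crypto ?? require("node:crypto").webcrypto;

// Encode bytes as unpadded base32: emit one character per 5 bits.
function base32Encode(bytes) {
  let bits = 0, value = 0, out = "";
  for (const b of bytes) {
    value = (value << 8) | b;
    bits += 8;
    while (bits >= 5) {
      out += B32[(value >>> (bits - 5)) & 31];
      bits -= 5;
    }
    value &= (1 << bits) - 1; // keep only the bits not yet emitted
  }
  if (bits > 0) out += B32[(value << (5 - bits)) & 31]; // zero-fill the tail
  return out;
}

// 16 bytes -> 26 chars, 20 bytes -> 32 chars, 32 bytes -> 52 chars.
function generateSecret(byteLength = 20) {
  if (!Number.isInteger(byteLength) || byteLength < 16) {
    throw new RangeError("secret must be at least 16 bytes (128 bits)");
  }
  return base32Encode(rng.getRandomValues(new Uint8Array(byteLength)));
}

// Strip spaces and padding, uppercase, then reject anything outside A-Z / 2-7.
function normalizeSecret(input) {
  const s = input.replace(/\s+/g, "").replace(/=+$/, "").toUpperCase();
  if (!/^[A-Z2-7]+$/.test(s)) throw new Error("secret is not valid base32");
  return s;
}

// Build the otpauth:// URI that gets rendered as a QR code (30-second period).
function buildOtpauthUri(issuer, account, secret) {
  const label = `${encodeURIComponent(issuer)}:${encodeURIComponent(account)}`;
  return `otpauth://totp/${label}?secret=${normalizeSecret(secret)}` +
    `&issuer=${encodeURIComponent(issuer)}&period=30`;
}
```

Call generateSecret() once per user at enrollment and pass the result to buildOtpauthUri() with your own issuer and account label.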