📱 QR Code Generator for 2FA Secrets

Last updated: May 18, 2026
100% Offline — Secret Never Leaves Your Device

Turn your TOTP secret into a scannable QR code for Google Authenticator, Authy, and any TOTP app.

Your secret is processed entirely in your browser. No data is sent to any server. Safe to use with real TOTP seeds.

What Is a TOTP Secret and Why Does It Need a QR Code?

When a website says "enable two-factor authentication," it is handing you a secret key — a short string of random letters and numbers, maybe something like JBSWY3DPEHPK3PXP. That string is the seed for a tiny math formula that your authenticator app and the server both know. Every 30 seconds, both sides run the formula, produce the same six-digit code, and if yours matches theirs, they know it is really you.

The problem is that typing a 16-to-32-character random string into a phone keyboard is painful and error-prone. One mistyped character and your authenticator app will never produce the right codes. So websites figured out a smarter way: they encode the secret inside a QR code. You open your authenticator app, point your camera, and the whole setup happens in under a second with no typing at all.

The format they use is called an otpauth:// URL. It looks like this:

otpauth://totp/GitHub:[email protected]?secret=JBSWY3DPEHPK3PXP&issuer=GitHub

Every TOTP authenticator app on the planet — Google Authenticator, Authy, Microsoft Authenticator, Aegis, Bitwarden — understands this format. When you scan a QR code during 2FA setup, you are scanning a QR code that contains exactly this kind of URL.

When Would You Need to Generate One Yourself?

Most of the time a website generates this QR for you on screen. But there are real situations where you end up with just the raw secret and need to make your own code:

Migrating to a new authenticator app. You switched from Google Authenticator to Authy (or vice versa), but some of your old accounts only gave you the secret key as text, not a scannable image. You need to re-enroll those accounts in the new app.

Backup and recovery. You store your 2FA seeds in a password manager or an encrypted file. When you set up a new phone, you want to scan your own saved secret instead of going through each service's 2FA reset flow.

Self-hosted or home-lab services. If you run your own services — a Nextcloud instance, a Proxmox server, a home automation panel — you might generate TOTP secrets programmatically and then need a convenient way to enroll a phone without copy-pasting.

Lost device recovery. Your phone died and you kept the bare secret key but not a backup QR. Rather than revoking and re-enabling 2FA on every account (which can lock you out during the process), you can regenerate the QR from your saved secret.

Why "Offline" Matters So Much Here

Think about what you are about to hand to a QR generator: the single piece of information that lets anyone log into your accounts as you. If you paste your TOTP secret into a random website that pings a server to draw the QR, that secret just traveled over the internet to a computer you do not control. It may sit in a request log, a database, or an analytics pipeline. That one keystroke defeats the entire point of two-factor authentication.

This tool generates QR codes entirely inside your browser using pure JavaScript. There is no fetch request, no API call, no image generated on a remote server. The QR drawing logic implements the full QR code specification — Galois Field arithmetic, Reed-Solomon error correction, zigzag data placement, finder patterns, format information strips — all in vanilla JavaScript running locally on your machine. You can disconnect from the internet before using it and it will work just the same.

What Is Inside the Generated QR Code?

The QR code this tool creates contains the otpauth://totp/ URL constructed from your inputs. The URL carries four key pieces of information that your authenticator app reads on scan:

The secret — your Base32-encoded seed. This is what drives the HMAC-SHA1 calculation that produces the six-digit code. It must be kept private.

The issuer — the name of the service (GitHub, AWS, your company name). Authenticator apps display this so you know which account each entry belongs to.

The account label — usually your email address or username for that service. Shown alongside the issuer in the app list.

The parameters — algorithm (SHA1 is the universal default), digits (6 is standard), and period (30 seconds is the TOTP standard). These tell the app how to compute codes.

How to Read the Base32 Secret

If you have never looked closely at a TOTP secret before, the format might seem odd. Base32 uses only 32 characters: the letters A through Z and the digits 2 through 7. It excludes 0, 1, 8, and 9 because they look too much like O, I, B, and G in small fonts — confusion that would ruin manual entry.

You might see the secret padded with equal signs at the end (like JBSWY3DPEHPK3PXP====). That is standard Base32 padding and this tool strips it automatically. You might also see it with spaces every 4 characters for readability — those are stripped too. Lowercase is fine; the tool converts to uppercase internally.

The one thing to double-check: make sure you are copying the secret key and not the six-digit code itself. The secret is static and usually 16–32 characters long. The six-digit code changes every 30 seconds and is useless for enrollment.
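The following is an added example in JavaScript, not the tool's own source code. It implements the two things the page describes: the clean-up a pasted Base32 secret gets (spaces and dashes stripped, trailing "=" padding dropped, uppercased, anything outside A-Z and 2-7 rejected) and the assembly and parsing of an otpauth://totp/ URL carrying the secret, issuer, account label and the algorithm/digits/period parameters. The issuer "GitHub" and the account address are constructed sample values; a tab-separated export or other app-specific format is not handled.

```javascript
// Added example, not the tool's own code: normalize a Base32 secret and build
// or parse an otpauth://totp/ URL. Sample issuer/account values are constructed.

const BASE32_ALPHABET_RE = /^[A-Z2-7]+$/;

// Strip whitespace and dashes, drop trailing '=' padding, uppercase, then
// require that only the Base32 alphabet remains. A 0, 1, 8 or 9 means the
// secret was mis-copied, not merely formatted oddly, so it is rejected.
function normalizeSecret(raw) {
  const cleaned = String(raw).replace(/[\s-]/g, "").replace(/=+$/, "").toUpperCase();
  if (!BASE32_ALPHABET_RE.test(cleaned)) {
    throw new Error("secret contains characters outside the Base32 alphabet (A-Z, 2-7)");
  }
  return cleaned;
}

// Assemble otpauth://totp/<issuer>:<account>?secret=...&issuer=...&algorithm=...
// The issuer appears both as the label prefix and as a query parameter, which
// is the form the page's own example URL uses. Each piece is percent-encoded
// with encodeURIComponent rather than URLSearchParams, because URLSearchParams
// turns spaces into '+', which not every otpauth parser decodes back to a space.
function buildOtpauthUrl({ secret, issuer = "", account, algorithm = "SHA1", digits = 6, period = 30 }) {
  const cleanSecret = normalizeSecret(secret);
  const label = issuer
    ? `${encodeURIComponent(issuer)}:${encodeURIComponent(account)}`
    : encodeURIComponent(account);
  const query = [
    ["secret", cleanSecret],
    ["issuer", issuer],
    ["algorithm", algorithm],
    ["digits", digits],
    ["period", period],
  ]
    .filter(([, v]) => v !== undefined && v !== "")
    .map(([k, v]) => `${k}=${encodeURIComponent(String(v))}`)
    .join("&");
  return `otpauth://totp/${label}?${query}`;
}

// Parse an otpauth:// URL back into its fields, applying the TOTP defaults
// (SHA1, 6 digits, 30 seconds) when a parameter is absent. The issuer query
// parameter wins over the label prefix when both are present.
function parseOtpauthUrl(url) {
  const m = /^otpauth:\/\/(totp|hotp)\/([^?]*)(?:\?(.*))?$/i.exec(String(url).trim());
  if (!m) throw new Error("not an otpauth:// URL");
  const type = m[1].toLowerCase();
  const label = decodeURIComponent(m[2]);
  const params = {};
  for (const pair of (m[3] || "").split("&")) {
    if (!pair) continue;
    const eq = pair.indexOf("=");
    const key = decodeURIComponent(eq < 0 ? pair : pair.slice(0, eq)).toLowerCase();
    params[key] = decodeURIComponent(eq < 0 ? "" : pair.slice(eq + 1));
  }
  if (!params.secret) throw new Error("otpauth URL has no secret parameter");
  const colon = label.indexOf(":");
  const issuerFromLabel = colon >= 0 ? label.slice(0, colon) : "";
  const account = colon >= 0 ? label.slice(colon + 1) : label;
  return {
    type,
    issuer: params.issuer || issuerFromLabel,
    account,
    secret: normalizeSecret(params.secret),
    algorithm: (params.algorithm || "SHA1").toUpperCase(),
    digits: Number(params.digits || 6),
    period: Number(params.period || 30),
  };
}

// Constructed sample input: the page's example secret, pasted with spaces,
// lowercase and padding, for a constructed account.
const sampleUrl = buildOtpauthUrl({
  secret: "jbsw y3dp ehpk 3pxp====",
  issuer: "GitHub",
  account: "alice@example.com",
});
console.log(sampleUrl);
console.log(parseOtpauthUrl(sampleUrl));
```

Parsing is deliberately lenient about defaults: an authenticator app fills in SHA1, 6 digits and 30 seconds when the URL omits them, so the parser does the same, but it refuses a URL whose secret is missing or contains non-Base32 characters rather than enrolling an account that will never produce a valid code.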

After Scanning: What the Authenticator App Does

The moment your authenticator app reads the QR code, it extracts the secret and stores it in its local encrypted database — never sending it anywhere. From that point on, every 30 seconds the app takes the current Unix timestamp, divides it by 30 (rounding down) to get a counter, computes HMAC-SHA1 over that counter with your secret as the key, and truncates the result to six digits. The server runs the exact same calculation. If the digits match, you are in.

The QR code itself is now no longer needed. The secret is what matters, and it lives only in your authenticator app and on the server. Once enrolled, you can close this page, clear the QR image, and the security of your account depends entirely on that secret staying private — which is why generating the QR offline (as this tool does) is the only safe approach.

Tips for Safe Use

Use this tool over an HTTPS connection even though generation happens locally — this prevents a network attacker from swapping the page itself with a version that does exfiltrate your secret. After generating, close the browser tab before sharing your screen. If you save the QR as a PNG for backup purposes, encrypt that file or store it in a password manager's secure notes, treating it with the same care as the master password itself. Never screenshot a QR code displayed on screen and then upload that screenshot to a cloud service without encryption — a photo of a 2FA QR code grants complete account access to whoever finds it.

FAQ

Is it safe to use this tool with a real TOTP secret?
Yes — the QR code is generated entirely in your browser with no network requests. Your secret never leaves your device. You can disconnect from the internet before using it and it works identically. The JavaScript implements QR encoding locally, including Galois Field arithmetic and Reed-Solomon error correction, with no external libraries or API calls.
Where do I find my TOTP secret key?
Your secret key is shown during the initial 2FA setup flow on most websites — usually as a string of letters and digits displayed next to the QR code (sometimes labeled 'manual entry key' or 'secret key'). If you store your 2FA seeds in a password manager, check there. If you only saved the QR image, you cannot easily extract the secret from it — you would need to re-enable 2FA on the account to get a fresh secret.
What authenticator apps will scan this QR code?
Any app that supports standard TOTP (RFC 6238) will work: Google Authenticator, Authy, Microsoft Authenticator, Aegis Authenticator, Bitwarden Authenticator, 1Password, Raivo OTP, and dozens of others. The generated URL follows the standard otpauth:// format that all of these apps recognize.
My secret has spaces or lowercase letters — is that okay?
Yes. This tool automatically strips spaces and converts lowercase to uppercase before building the URL, so you can paste a secret in any formatting you received it in. It also strips trailing equal signs (Base32 padding). The only characters that must be present are A-Z and 2-7; if your secret contains 0, 1, 8, 9, or other characters, that indicates an error in the secret itself.
What is the difference between the two input modes?
The first tab (Enter Secret + Details) is for when you have a raw Base32 secret and want to specify the issuer and account name separately. The tool assembles the otpauth:// URL for you. The second tab (Paste otpauth:// URL) is for when you already have a full otpauth:// URL — for example exported from another app or copied from a developer tool — and just want to turn it into a scannable image.
Can I save the generated QR code as a file?
Yes. Click 'Save as PNG' to download the QR code as a PNG image. Treat this file as sensitive as the secret itself — anyone who scans it gains access to the same TOTP codes your authenticator generates. Store it encrypted, in a password manager's secure attachment area, or an encrypted vault, not in a plain folder or cloud storage without additional encryption.