2FA QR Code Generator
Build a scannable otpauth:// TOTP QR code from a service name, account, and Base32 secret. The QR image is rendered by a third-party service, so use real production secrets with care.
How to use this tool
- 1
Type the service name into the first field (this becomes the issuer label, e.g. RevealTheme).
- 2
Enter the account identifier, usually the user's email or username.
- 3
Paste an existing Base32 secret, or click Random to generate a fresh 32-character one with crypto.getRandomValues.
- 4
Scan the QR code that appears below with your authenticator app, or copy the otpauth:// URI shown under it.
What is a 2FA QR code and what does this generator actually produce?
Authenticator apps such as Google Authenticator, Authy, and 1Password enroll a TOTP secret by scanning a QR code that encodes an otpauth:// URI. The time-based one-time password algorithm itself is defined by RFC 6238, and the URI layout follows the de-facto Key URI Format used by those apps. This tool assembles that URI as otpauth://totp/Issuer:account?secret=...&issuer=..., placing your service name and account in the label and repeating the issuer as a query parameter. It deliberately omits the optional algorithm, digits, and period parameters, so every app falls back to the standard defaults: HMAC-SHA1, 6 digits, and a 30-second period. If your backend uses anything else (SHA256, 8 digits, or a 60-second step), this QR will not match and the generated codes will be rejected. The URI is then handed to api.qrserver.com, which returns the QR image — the rendering is not done in your browser. The tool does not verify that your secret is valid Base32, so a malformed secret still produces a QR that the authenticator will silently reject at first use.
Common use cases
Demoing a 2FA enrollment flow in a tutorial, slide deck, or product screenshot without wiring up a real backend.
Generating a test TOTP secret while developing or QA-testing a login system that uses standard SHA1/6-digit/30-second codes.
Re-encoding a Base32 secret you already hold (for example from a recovery backup) into a fresh scannable QR.
Teaching teammates how the otpauth:// Key URI Format is structured by showing the URI printed beneath the QR.
Quickly checking whether an authenticator app accepts the default TOTP parameters before committing to a server-side library.
Creating a throwaway 2FA setup for a sandbox or staging account where the secret does not protect anything sensitive.
Frequently asked questions
Is my secret kept private in the browser?▼
What TOTP settings does the generated code use?▼
How is the Random secret generated?▼
Why does my authenticator reject the secret I pasted?▼
Which apps can scan this QR code?▼
Can I edit the otpauth URI by hand?▼
Related tools
Bcrypt Hash Generator
Generate bcrypt password hashes (client-side).
HMAC Generator
Generate HMAC signatures with SHA-256, SHA-1, MD5.
AES Encryption
Encrypt and decrypt text with AES-256 in your browser.
Password Strength Tester
Test password strength against entropy and dictionaries.
Caesar Cipher Encoder
Encode and decode Caesar cipher with custom shifts.
ROT13 Encoder
Encode and decode ROT13 text instantly.