RevealTheme logo

2FA QR Code Generator

Build a scannable otpauth:// TOTP QR code from a service name, account, and Base32 secret. The QR image is rendered by a third-party service, so use real production secrets with care.

How to use this tool

  1. 1

    Type the service name into the first field (this becomes the issuer label, e.g. RevealTheme).

  2. 2

    Enter the account identifier, usually the user's email or username.

  3. 3

    Paste an existing Base32 secret, or click Random to generate a fresh 32-character one with crypto.getRandomValues.

  4. 4

    Scan the QR code that appears below with your authenticator app, or copy the otpauth:// URI shown under it.

What is a 2FA QR code and what does this generator actually produce?

Authenticator apps such as Google Authenticator, Authy, and 1Password enroll a TOTP secret by scanning a QR code that encodes an otpauth:// URI. The time-based one-time password algorithm itself is defined by RFC 6238, and the URI layout follows the de-facto Key URI Format used by those apps. This tool assembles that URI as otpauth://totp/Issuer:account?secret=...&issuer=..., placing your service name and account in the label and repeating the issuer as a query parameter. It deliberately omits the optional algorithm, digits, and period parameters, so every app falls back to the standard defaults: HMAC-SHA1, 6 digits, and a 30-second period. If your backend uses anything else (SHA256, 8 digits, or a 60-second step), this QR will not match and the generated codes will be rejected. The URI is then handed to api.qrserver.com, which returns the QR image — the rendering is not done in your browser. The tool does not verify that your secret is valid Base32, so a malformed secret still produces a QR that the authenticator will silently reject at first use.

Common use cases

  • Demoing a 2FA enrollment flow in a tutorial, slide deck, or product screenshot without wiring up a real backend.

  • Generating a test TOTP secret while developing or QA-testing a login system that uses standard SHA1/6-digit/30-second codes.

  • Re-encoding a Base32 secret you already hold (for example from a recovery backup) into a fresh scannable QR.

  • Teaching teammates how the otpauth:// Key URI Format is structured by showing the URI printed beneath the QR.

  • Quickly checking whether an authenticator app accepts the default TOTP parameters before committing to a server-side library.

  • Creating a throwaway 2FA setup for a sandbox or staging account where the secret does not protect anything sensitive.

Frequently asked questions

Is my secret kept private in the browser?
No. The full otpauth:// URI, including your Base32 secret, is sent as a query string to the third-party QR service api.qrserver.com to render the image. Treat anything you enter here as exposed to that service. For a live production account, generate the QR offline or server-side instead, and use this tool only for demos, tests, or throwaway secrets.
What TOTP settings does the generated code use?
The defaults: HMAC-SHA1, 6 digits, and a 30-second period. The tool does not write algorithm, digits, or period into the URI, so authenticator apps apply their standard values. If your server expects SHA256, 8 digits, or a different step, the codes will not line up.
How is the Random secret generated?
It uses crypto.getRandomValues to fill 32 slots from the Base32 alphabet (A-Z and 2-7), producing a 32-character secret with about 160 bits of entropy. That is cryptographically strong randomness, and because the alphabet has exactly 32 symbols there is no modulo bias.
Why does my authenticator reject the secret I pasted?
The tool does not validate input as Base32. If your secret contains lowercase letters, the digits 0, 1, 8, or 9, padding (=) characters, or spaces, the QR is still built but the app cannot decode it. Use only uppercase A-Z and 2-7, with no padding.
Which apps can scan this QR code?
Any authenticator that supports the otpauth:// Key URI Format, including Google Authenticator, Authy, 1Password, Microsoft Authenticator, and most password managers with a built-in TOTP feature.
Can I edit the otpauth URI by hand?
Yes. The full URI is printed beneath the QR code, so you can copy it and add parameters like &digits=8 or &algorithm=SHA256 manually if your setup needs non-default TOTP settings the tool does not expose.

Related tools