ToolBelt

otpauth:// URI Builder

Build an otpauth:// URI from issuer, account and Base32 secret.

Open tool

Overview

The otpauth:// URI builder constructs the QR-code-friendly URI that Google Authenticator, Authy, 1Password, and every other TOTP/HOTP app understands. Type in an issuer, an account name, and a Base32 secret; pick TOTP or HOTP, the digit count, the period, and the algorithm; and the tool emits the canonical URI plus a scannable QR code.

It is built for engineers wiring up two-factor authentication into their app, sysadmins onboarding a new device to an existing OTP secret, and security researchers generating test vectors. An otpauth URI builder is the right way to format the secret — getting the URL-encoding or label format wrong is a common source of "the app won't enroll" tickets.

How it works

The otpauth:// URI scheme was originally published by Google in the Google Authenticator wiki and is now a de-facto standard. The format is:

otpauth://TYPE/LABEL?PARAMETERS

where TYPE is totp (RFC 6238) or hotp (RFC 4226). LABEL is Issuer:Account (URL-encoded), and the query string carries secret (Base32, no padding), issuer, algorithm (SHA1/SHA256/SHA512), digits (6 or 8), and either period (TOTP, default 30 s) or counter (HOTP). The tool validates the Base32, URL-encodes the label, and renders the result as a QR code (typically Version 5–6, error correction level M).

Examples

Issuer:  ToolBelt
Account: alice@example.com
Secret:  JBSWY3DPEHPK3PXP
Type:    TOTP
Output:  otpauth://totp/ToolBelt:alice@example.com?secret=JBSWY3DPEHPK3PXP&issuer=ToolBelt&algorithm=SHA1&digits=6&period=30

Issuer:  Internal Console
Account: bob
Secret:  GEZDGNBVGY3TQOJQ
Type:    HOTP counter=0
Output:  otpauth://hotp/Internal%20Console:bob?secret=GEZDGNBVGY3TQOJQ&issuer=Internal%20Console&counter=0&digits=6&algorithm=SHA1

Issuer:  Lab
Account: ed
SHA256, 8 digits
Output:  otpauth://totp/Lab:ed?secret=...&algorithm=SHA256&digits=8&period=30

FAQ

What goes in the issuer field?

A short, human-readable name of the service — the authenticator app displays it above the code. Most apps also accept the issuer twice (in the label prefix and the issuer= parameter); modern apps prefer the parameter form.

Must the secret be Base32?

Yes, and without padding. RFC 4648 Base32 uses A–Z and 2–7. Most app failures come from feeding a hex or Base64 secret instead.

Why default to SHA-1?

Compatibility. Google Authenticator and many older apps only support SHA-1. Use SHA-256 or SHA-512 only when you control the authenticator on both ends.

HOTP vs TOTP — which should I pick?

TOTP for almost every modern use case. HOTP is counter-based — useful for offline hardware tokens but a pain to keep in sync with software apps.

Try otpauth:// URI Builder

An unhandled error has occurred. Reload ×