wyreup
inspect

HOTP Code

Generate an RFC 4226 HOTP code from a base32 secret and an explicit counter. Counter-based sibling of TOTP — same algorithm, just no time slice.

Loading…

About HOTP Code

HOTP Code generates an RFC 4226 one-time password from a base32 secret and an explicit counter value. It's the counter-based sibling of TOTP — same HMAC algorithm, but instead of advancing on a time slice it advances each time you bump the counter. Useful for testing event-based 2FA flows or hardware tokens, and the computation runs entirely in your browser so the secret never leaves your machine.

Category
inspect
Input
Accepts: */*.
Output
Outputs: application/json.
Cost
Free, runs in your browser
Memory
low
Privacy: HOTP Code runs entirely on your device. Files you provide never leave your browser — no uploads, no server, no tracking. The page works offline once loaded.

Common uses

  • Reproduce the exact code a hardware OTP token would show at counter N while debugging an enrollment flow
  • Verify your server's HOTP implementation against a known secret and counter during integration tests
  • Generate a sequence of codes by stepping the counter to test resync windows
  • Confirm a base32 secret is valid by checking the code it produces against a reference
  • Build a known-good test vector for a 2FA login your CI suite needs to exercise

Frequently asked questions

How is HOTP different from TOTP?

Both use the same HMAC-based algorithm. TOTP derives its counter from the current time, so codes rotate every 30 seconds. HOTP uses an explicit counter you supply, so codes only change when you increment it.

What format does the secret need to be in?

Base32, the standard encoding used by authenticator apps and otpauth:// URIs. Provide the secret plus the integer counter value.

Is the secret sent to a server?

No. The HMAC computation happens in your browser, so the shared secret and resulting code never leave your device. That matters for a credential as sensitive as a 2FA seed.

What does the output look like?

JSON containing the generated one-time code (typically six digits) for the counter you supplied, suitable for comparison in tests.

Can I generate several codes at once?

Run it once per counter value. Increment the counter and re-run to walk through a sequence, matching how a token advances on each press.

Keywords

  • hotp
  • otp
  • rfc4226
  • counter
  • auth
  • mfa
  • one-time

Try next

TOTP Code
inspect

The time-based variant when you need codes that rotate on a 30-second window instead of a counter
Backup Codes
create

Generate recovery codes alongside HOTP enrollment so users have a fallback
Hash
inspect

Inspect the SHA family directly when you're validating the HMAC primitive underneath OTP
Color Palette
inspect

Extract dominant colors from an image as hex codes.
Image Diff
inspect

Pixel-level diff between two images of the same dimensions.
Image Info
inspect

Extract dimensions, format, and metadata from an image.
PDF Info
inspect

Extract page count and metadata from a PDF.
Hash
inspect

Compute SHA-256, SHA-1, or SHA-512 hashes of files.
JSON Formatter
inspect

Parse and pretty-print JSON with configurable indentation.
Extract PDF Tables
export

Extract tabular data from a PDF as JSON or CSV. Works well for simple tables with aligned columns and no merged cells. Complex tables, rotated text, and scanned PDFs (images) will not extract cleanly.
Topic Keywords
text

Pull the topic-bearing nouns and noun phrases out of any text. Answers "what is this about" — not "what words appear most" (try Text Frequency for that). Runs entirely in your browser.