TOTP Generator — Generate Time-Based OTPs (RFC 6238) Online
TOTP Generator computes Time-based One-Time Passwords (TOTP) from a Base32-encoded shared secret, following RFC 6238. Paste the Base32 secret from your authenticator app (the same string you would scan as a QR code) and receive the current 6-digit code, the previous code, and the next code along with the seconds remaining in the current period. All computation runs in the browser using the Web Crypto API — your secret never leaves your device.
How TOTP Works (RFC 6238)
TOTP is built on HOTP (HMAC-based One-Time Password, RFC 4226), which generates a code from a counter value. TOTP replaces the incrementing counter with a time-based counter: T = floor(current_unix_time / period), where the period is typically 30 seconds. This means the code changes every 30 seconds and any client and server with a synchronised clock will independently compute the same code.
The algorithm: (1) Decode the Base32 secret to raw bytes. (2) Compute T = floor(Unix time / 30). (3) Encode T as a big-endian 8-byte integer. (4) Compute HMAC-SHA1(secret, T). (5) Dynamic truncation: take the last nibble of the HMAC output as an offset, extract 4 bytes starting at that offset, mask the high bit, interpret as a 31-bit integer, and take it modulo 10^digits (usually 10^6 = 1,000,000). (6) Zero-pad to digits characters.
RFC 6238 specifies HMAC-SHA1 as the default and also permits HMAC-SHA256 and HMAC-SHA512. Google Authenticator and many other consumer apps have historically honoured only SHA1 with 6 digits and a 30-second period, so that combination is the interoperable choice; some enterprise MFA systems use HMAC-SHA256 or HMAC-SHA512, or 8-digit codes, and both sides of an enrollment must agree on the algorithm, digits and period. SmartDevBox uses the standard HMAC-SHA1 with configurable digits and period.
Implementing TOTP Server-Side
To add TOTP to your application: (1) Generate a cryptographically random secret of at least 20 bytes (160 bits, the minimum RFC 4226 recommends for HMAC-SHA1). (2) Base32-encode it and store it securely associated with the user's account. (3) Present the secret as a QR code in the otpauth URI format (otpauth://totp/YourApp:username?secret=BASE32&issuer=YourApp, with the secret as unpadded Base32 and the label URL-encoded) so the user can scan it into their authenticator app. (4) On login, compute the expected TOTP using the stored secret and accept the user's code if it matches the current, previous, or next window.
Clock skew allowance: accept codes from the window T-1 and T+1 in addition to T. This tolerates at least 30 seconds of clock difference between client and server (up to 60 seconds, depending on where in the period the check lands). Do not accept a wider window (T±2 or more): each extra step is another valid code per attempt, so it weakens the already small 6-digit space. Compare codes in constant time and rate-limit failed attempts, because three valid codes out of 1,000,000 is trivially brute-forced without a lockout. RFC 6238 also requires that a code which has already been accepted is never accepted again: record the highest accepted time step per user and reject any match at or below it, which stops replay within the same window.
Secret storage: the TOTP secret is equivalent to a password, but unlike a password it cannot be stored as a salted hash, because the verifier needs the raw bytes to recompute the HMAC. Store it encrypted at rest (AES-256-GCM with a key from your KMS), not as plain text. If your database is breached, an attacker with the encrypted secrets still cannot generate OTPs without the encryption key, which is why that key must live outside the database.
Common Use Cases
- Debugging 2FA/MFA implementations without a physical authenticator device
- Testing TOTP-protected APIs in automated test suites
- Recovering an OTP when your authenticator app is unavailable
- Verifying that your server correctly validates TOTP codes
- Learning how TOTP works by inspecting current, previous, and next codes
Frequently Asked Questions
What is TOTP?
TOTP (Time-based One-Time Password) is a two-factor authentication algorithm defined in RFC 6238. It generates a short-lived numeric code (usually 6 digits) by computing HMAC-SHA1 of the current Unix time divided by a period (usually 30 seconds), using a shared secret. The code changes every 30 seconds.
Where do I find the Base32 TOTP secret?
When you set up 2FA on a website, you are shown a QR code and usually a "manual entry" key — that key is the Base32-encoded TOTP secret. Copy that string (e.g. JBSWY3DPEHPK3PXP) and paste it into the TOTP Generator.
Why does the TOTP Generator show three codes?
To handle clock skew between the client and server, most TOTP implementations accept a ±1 window — the previous code and the next code in addition to the current one. SmartDevBox shows all three so you can test your server's window handling.
Is it safe to paste a TOTP secret into SmartDevBox?
SmartDevBox runs 100% in your browser with no server communication. Your TOTP secret is never transmitted. That said, you should only use SmartDevBox with test/development secrets or with a 2FA secret for an account you are currently debugging.
Privacy & Security
This tool runs entirely in your browser using client-side JavaScript. No data is sent to a server — your input never leaves your machine. SmartDevBox has no account system, no usage tracking, and no paid tier. See the Privacy & Security page for full details.
Related Tools
- HMAC Generator: Generate HMAC-SHA256, SHA-384, and SHA-512 signatures for API request signing and webhook verification. Free, no sign-up, 100% client-side.
- Base32 Decoder: Decode Base32-encoded strings back to plain text instantly. Free, no sign-up, 100% client-side.
- Base64 Decoder: Decode any Base64 string back to plain text instantly in your browser. Free, no sign-up, 100% client-side. Supports standard and URL-safe Base64.
- Hash Generator: Compute MD5, SHA-1, SHA-256, and SHA-512 hashes for any text. Free, no sign-up, 100% client-side.