Understand the sensitive value behind TOTP codes.

What Is a 2FA Secret Key?

Learn why the secret key behind an authenticator QR code is sensitive and how to handle manual setup keys safely.

The secret key is the credential behind the codes; anyone who learns it can generate valid TOTP codes.
A QR code and an otpauth URI often encode the same secret, so both are sensitive.
Manual setup keys should be treated like passwords and never pasted into random support channels.

What the key does

The secret key is the shared value used by the server and the authenticator app to generate matching codes. The key is usually hidden behind a QR code or shown as a manual setup string.

Why the key is sensitive

If someone copies the key, they can typically create valid codes until the platform invalidates the secret. That is why the key should stay private even if the codes themselves are short-lived.

How to handle it safely

Use it only in a trusted authenticator or local troubleshooting tool, never in a public support ticket, and do not store plain-text secrets in screenshots, notes, or shared chat logs.

Action items

  • Treat otpauth URIs, QR codes, and manual setup keys as secrets.
  • Use local parsing tools when you need to inspect setup data.
  • Rotate the secret if you believe it has been exposed.
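
The following Python example is added here to make two points on this page concrete: the shared secret is the only thing the server and the authenticator need to produce matching codes (so anyone holding it can produce them too), and setup data can be inspected with a local tool that never displays the secret. It is not code from the original page. It implements RFC 6238 TOTP over RFC 4226 HOTP using only the standard library; `SAMPLE_URI` is a constructed otpauth URI whose secret is the published RFC 6238 test key (`12345678901234567890` in base32), and the `Example` issuer and label are placeholders. The server-side `verify_totp` accepts one time step of clock skew on either side, which is a common tolerance, not a rule the page states.

```python
import base64
import hashlib
import hmac
import struct
import time
from urllib.parse import parse_qs, unquote, urlparse

# Constructed sample: the secret is the RFC 6238 test key, issuer/label are placeholders.
SAMPLE_URI = ("otpauth://totp/Example:alice%40example.com"
              "?secret=GEZDGNBVGY3TQOJQGEZDGNBVGY3TQOJQ&issuer=Example&digits=6&period=30")


def parse_otpauth(uri):
    """Parse an otpauth://totp/ URI into its components (secret stays base32)."""
    parsed = urlparse(uri)
    if parsed.scheme != "otpauth" or parsed.netloc != "totp":
        raise ValueError("not a TOTP otpauth URI")
    params = {k: v[0] for k, v in parse_qs(parsed.query).items()}
    if "secret" not in params:
        raise ValueError("URI carries no secret parameter")
    return {
        "label": unquote(parsed.path.lstrip("/")),
        "issuer": params.get("issuer"),
        "secret": params["secret"],
        "algorithm": params.get("algorithm", "SHA1").upper(),
        "digits": int(params.get("digits", 6)),
        "period": int(params.get("period", 30)),
    }


def decode_secret(secret_b32):
    """Base32-decode a manual setup key; tolerate spaces, lowercase and missing padding."""
    cleaned = secret_b32.replace(" ", "").upper()
    cleaned += "=" * (-len(cleaned) % 8)
    return base64.b32decode(cleaned)


def hotp(key, counter, digits=6, algorithm="SHA1"):
    """RFC 4226: HMAC over the big-endian counter, dynamic truncation, modulo 10^digits."""
    digestmod = getattr(hashlib, algorithm.lower())
    mac = hmac.new(key, struct.pack(">Q", counter), digestmod).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % (10 ** digits)).zfill(digits)


def totp(key, at_time, period=30, digits=6, algorithm="SHA1"):
    """RFC 6238: HOTP with the counter derived from the Unix time step."""
    return hotp(key, int(at_time) // period, digits, algorithm)


def verify_totp(key, candidate, at_time, period=30, digits=6, algorithm="SHA1", window=1):
    """Server-side check: accept the current step and `window` steps either side."""
    counter = int(at_time) // period
    for delta in range(-window, window + 1):
        expected = hotp(key, counter + delta, digits, algorithm)
        if hmac.compare_digest(expected, candidate):
            return True
    return False


def describe_setup(uri):
    """Local inspection of setup data that reports parameters but redacts the secret."""
    info = parse_otpauth(uri)
    redacted = dict(info)
    redacted["secret"] = "<redacted, %d base32 chars>" % len(info["secret"])
    return redacted


if __name__ == "__main__":
    info = parse_otpauth(SAMPLE_URI)
    key = decode_secret(info["secret"])
    now = time.time()
    # Both sides compute the same code from the same secret and the same time step.
    app_code = totp(key, now, info["period"], info["digits"], info["algorithm"])
    print("authenticator shows:", app_code)
    print("server accepts it:", verify_totp(key, app_code, now, info["period"], info["digits"]))
    print("safe-to-share summary:", describe_setup(SAMPLE_URI))
```

`describe_setup` is the shape a local troubleshooting tool should take: it confirms the issuer, algorithm, digit count and period, which is usually what a support conversation needs, without ever printing the secret itself.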

Cautions

  • The key is not the same thing as the temporary code you type in.
  • A leaked setup key can outlive the phone that originally generated it.
