How QR Code Login Works: From Scanning to Secure Token Authentication
QR code login lets users authenticate on a PC by scanning a code with a pre‑logged‑in mobile app, using a token‑based system that verifies identity without transmitting passwords, and involves QR generation, status polling, temporary tokens, and final confirmation to securely log in.
QR codes appear in many everyday scenarios such as supermarket payments, system logins, and app downloads. Understanding their underlying technology helps developers choose appropriate solutions and enables non‑technical users to recognize legitimate codes and avoid scams.
QR Code Login Essence
QR code login is essentially an authentication method that performs two tasks: telling the system who you are and proving it.
Tell the system who I am
Prove to the system who I am
For example, in password login the username tells the system who you are, while the password proves it. In QR code login, the mobile app, already logged in, confirms the identity without transmitting a password.
Understanding QR Codes
A QR code stores a string (not limited to numbers) that can represent any data. Online tools can convert strings or URLs into QR codes and decode them back.
System Authentication Mechanism
After the first successful login, the app stores a token rather than the password. The token contains the account ID, device ID, and device type, and is used for subsequent API calls.
const token = {
  accountid: 'account ID',
  deviceid: 'ID of the logged-in device',
  deviceType: 'device type, e.g. ios, android, pc...'
}
The server generates a token that maps to a data structure binding the account and device. The client saves this token locally and includes it with each request. The server validates the token by comparing the stored device information with the device info sent by the client.
General Steps of QR Code Login
Overall Flow
Before scanning, the PC displays a QR code while the mobile app is already logged in.
The user scans the QR code with the mobile app, which shows a "Scanned, please confirm on phone" prompt.
The user confirms on the phone, and the PC login succeeds.
The QR code transitions through three states: waiting for scan, scanned awaiting confirmation, and confirmed.
QR Code Preparation
The PC requests the server to generate a QR code for login, sending its device information.
The server creates a unique QR‑code ID and binds it to the PC’s device info.
The server returns the QR‑code ID to the PC.
The PC generates a QR code that embeds this ID.
The PC continuously polls the server for the QR‑code status.
Scanning State Transition
The mobile app scans the QR code and extracts the QR‑code ID.
The app sends the mobile identity and QR‑code ID to the server.
The server binds the identity to the QR‑code ID and returns a temporary token to the mobile app.
The PC, polling the status, updates the QR‑code display to "scanned".
The temporary token is a one‑time credential used to ensure the subsequent confirmation comes from the same mobile device.
Status Confirmation
The mobile app shows a confirmation dialog; the user confirms, and the app sends the temporary token to the server.
The server generates a login token for the PC based on the bound account and device information.
The PC receives the "confirmed" status and the login token via its polling request.
The PC uses this token to access server resources, completing the login.
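The three phases above (preparation, scan, confirmation) can be modelled as a small server-side state machine. The following is an added example, not code from the original article: the function names, the in-memory Map, and the 60-second lifetime are assumptions made for illustration.

```javascript
// Added example: in-memory model of the QR login states (waiting -> scanned -> confirmed).
const crypto = require('node:crypto');

const QR_TTL_MS = 60_000;        // assumed lifetime; the article does not specify one
const qrSessions = new Map();    // qrId -> session record (hypothetical store)
const newId = () => crypto.randomBytes(16).toString('hex');

// PC: ask the server for a QR-code ID bound to the PC's device info.
function createQr(pcDevice, now = Date.now()) {
  const qrId = newId();
  qrSessions.set(qrId, { status: 'waiting', pcDevice, expiresAt: now + QR_TTL_MS });
  return qrId;
}

// Mobile: report the scan, identified by the app's own token (account + device).
function scanQr(qrId, mobileToken, now = Date.now()) {
  const s = qrSessions.get(qrId);
  if (!s || now > s.expiresAt || s.status !== 'waiting') return null;
  s.status = 'scanned';
  s.accountid = mobileToken.accountid;
  s.mobileDevice = mobileToken.deviceid;
  s.tempToken = newId();         // temporary credential for the confirm step
  return s.tempToken;
}

// Mobile: confirm; the temporary token must match and come from the scanning device.
function confirmQr(qrId, tempToken, mobileToken, now = Date.now()) {
  const s = qrSessions.get(qrId);
  if (!s || now > s.expiresAt || s.status !== 'scanned') return false;
  const a = Buffer.from(String(tempToken)), b = Buffer.from(s.tempToken);
  if (a.length !== b.length || !crypto.timingSafeEqual(a, b)) return false;
  if (mobileToken.deviceid !== s.mobileDevice) return false;
  s.status = 'confirmed';        // leaving 'scanned' makes the temp token single-use
  s.loginToken = { id: newId(), accountid: s.accountid, deviceid: s.pcDevice.deviceid, deviceType: s.pcDevice.deviceType };
  return true;
}

// PC: poll the status; the login token is handed over once, then the session is dropped.
function pollQr(qrId, pcDevice, now = Date.now()) {
  const s = qrSessions.get(qrId);
  if (!s || s.pcDevice.deviceid !== pcDevice.deviceid) return { status: 'invalid' };
  if (now > s.expiresAt) { qrSessions.delete(qrId); return { status: 'expired' }; }
  if (s.status !== 'confirmed') return { status: s.status };
  qrSessions.delete(qrId);
  return { status: 'confirmed', loginToken: s.loginToken };
}
```

The login token is bound to the PC device recorded when the QR code was created, not to anything the phone supplies, so the phone only contributes the account identity.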
Summary
QR code login achieves authentication by first telling the system who you are (binding the account to a QR‑code ID) and then proving it (using a temporary token and final confirmation), all without transmitting passwords.
The process relies on a token‑based authentication mechanism and the state changes of the QR code to securely log in across PC, web, and mobile platforms.
MaGe Linux Operations
