How QR Code Login Works: From Token Authentication to Seamless Mobile Verification
This article explains the technical principles behind QR code login, detailing how a token‑based authentication system identifies the user, the step‑by‑step flow from QR code generation on a PC to mobile scanning, confirmation, and final token issuance for secure access.
Background
QR codes appear in many daily scenarios such as payments, system logins, and app downloads. Understanding their underlying technology helps developers choose appropriate solutions and enables non‑technical users to recognize legitimate QR codes.
Core Concept of QR Code Login
QR code login is essentially an authentication method that performs two tasks:
Tell the system who I am.
Prove to the system that I am who I claim to be.
Token‑Based Authentication
When a user logs in with a username and password, the client sends device information to the server. After successful verification, the server creates a data structure binding the account ID, device ID, and device type, and generates a token that maps to this structure. The client stores the token locally and includes it in subsequent API calls. The server validates the token by comparing the stored device information with the device data sent by the client.
const token = {
  accountid: '<account ID>',     // the account that signed in
  deviceid: '<device ID>',       // the device the login was performed from
  deviceType: '<device type>'    // e.g. ios, android, pc
}
Step‑by‑Step QR Code Login Process
1. QR Code Preparation (PC Side)
PC requests the server to generate a QR code for login, sending its device information.
Server creates a unique QR code ID and binds it to the PC’s device info.
Server returns the QR code ID to the PC.
PC renders the QR code containing the ID.
PC continuously polls the server (e.g., every second) to check the QR code’s status.
2. Scanning State Transition (Mobile Side)
User opens the mobile app (already logged in) and scans the PC’s QR code, extracting the QR code ID.
Mobile calls a server API, sending its identity information together with the QR code ID.
Server binds the mobile identity to the QR code ID and returns a temporary token to the mobile.
Because the PC is polling, it receives a status change to “scanned”.
3. Status Confirmation (Mobile Confirmation)
Mobile displays a confirmation prompt; the user taps confirm, sending the temporary token to the server.
Server generates a final token for the PC, based on the bound account and device information.
PC’s polling detects the “confirmed” status and receives the final token.
PC uses this token to access protected resources.
Key Details
The QR code may contain only the unique ID or a URL that includes the ID.
The temporary token is single‑use; it ensures that the scan and confirmation steps originate from the same mobile device.
If the user cancels the confirmation, the login flow must handle the abort gracefully (not covered in detail).
Conclusion
QR code login combines token‑based authentication with stateful QR code status changes to securely transfer a user’s identity from a logged‑in mobile device to a PC or web client, without exposing passwords.
Architect
Professional architect sharing high‑quality architecture insights. Topics include high‑availability, high‑performance, high‑stability architectures, big data, machine learning, Java, system and distributed architecture, AI, and practical large‑scale architecture case studies. Open to ideas‑driven architects who enjoy sharing and learning.