How QR‑Code Login Works: From Token Generation to Authentication

QR‑Code Login Essence

QR‑code login is essentially an authentication method that performs two tasks: (1) telling the system who the user is, and (2) proving the user’s identity. Unlike password login, the client never transmits the password; instead it uses a token that represents the user‑device pair.

Understanding QR Codes

A QR code stores arbitrary strings, not just numbers like a barcode. It can represent a simple text, a URL, or an identifier. Online generators (e.g., the popular "CaoLiao" QR‑code service) can convert any string into a QR image, and the same service can decode the image back into the original string.

System Authentication Mechanism

Modern mobile apps use a token‑based authentication scheme. After the first password login, the server issues a { accountId, deviceId, deviceType } token that the client stores locally. Every subsequent API request includes this token together with device information. The server validates the token by matching the stored device data; if the device info differs, the request is rejected.

const token = {
  accountId: '账号ID',
  deviceId: '登录的设备ID',
  deviceType: '设备类型，如 iOS, Android, PC...'
};

General Steps of QR‑Code Login

Before scanning, the PC client is logged in and displays a QR code that encodes a unique QR‑code ID.

The mobile app, already logged in, scans the QR code and receives the QR‑code ID.

The mobile app sends the QR‑code ID and its identity information to the server, which binds the ID to the user account and generates a temporary token.

The PC client polls the server for the QR‑code status. When the server records the scan, the status changes to "scanned, awaiting confirmation".

The user confirms on the mobile device; the server then creates a permanent login token for the PC client.

The PC client receives the token via the next poll and completes the login.

QR‑Code Preparation

When the PC requests a QR code, it sends its device information to the server. The server generates a unique QR‑code ID, binds it to the PC’s device data, and returns the ID. The PC then renders a QR image that contains this ID (or a URL that includes the ID).

Scanning State Switch

After the mobile app scans the QR code, it sends the ID and user info to the server, which updates the QR‑code status to "scanned" and generates a temporary token for the mobile side. The PC, still polling, sees the status change and displays "scanned, awaiting confirmation".

Status Confirmation

When the user confirms on the mobile device, the mobile app sends the temporary token back to the server. The server then creates the final login token for the PC, marks the QR‑code status as "confirmed", and the PC receives the token on its next poll, completing the login.

Summary

The QR‑code login flow combines a token‑based authentication system with QR‑code state transitions. The PC generates a QR‑code ID, the mobile app scans it and binds the ID to the user account, a temporary token ensures the scan and confirmation come from the same device, and finally the PC receives a permanent token to access protected resources.