How QR Code Login Works: The Mechanism Behind Douyin’s Scan‑to‑Login
This article breaks down the QR code login process used by Douyin, explaining how the system identifies the user, proves their identity through a token‑based authentication flow, and details each step from QR generation to final confirmation on the PC side.
1. Essence of QR Code Login
QR code login is fundamentally an authentication method that performs two tasks:
Tell the system who I am.
Prove to the system that I am who I claim to be.
For example, a username‑password login tells the system the identity with the username and proves it with the password; a mobile‑SMS login tells the system the identity with the phone number and proves it with the verification code. QR code login achieves the same two tasks without the user entering a password.
2. Understanding QR Codes
A QR code is similar to a barcode but can store any string, not just numbers. Online tools (e.g., "草料二维码") can convert a string or URL into a QR image and decode it back. The article shows a generated QR image and the corresponding input field.
3. Token‑Based Authentication Mechanism
After a user logs in once with username and password, the client receives a token that represents the account‑device binding. The token is a special string that the server can use to retrieve the associated account and device information.
const token = {
accountid: '账号ID',
deviceid: '登录的设备ID',
deviceType: '设备类型,如 iso,android,pc......'
};The client stores this token locally and includes it (along with device information) in every API request. The server looks up the token, compares the stored device info with the request’s device info, and grants or denies access accordingly. Because the token is tied to a specific device, stealing the token alone is insufficient without the matching device information.
4. General Steps of QR‑Code Login
Before scanning, the PC client is logged in and displays a QR code awaiting a scan.
The user opens the mobile app, scans the QR code, and the app prompts "Scanned, please confirm on the phone".
The user confirms on the phone; the PC login succeeds.
5. Detailed Flow
PC requests the server to generate a QR‑code ID and sends its device information.
The server creates a unique QR‑code ID, binds it to the PC’s device info, and returns the ID.
PC renders a QR image that contains the ID.
PC polls the server (e.g., every second) to obtain the current QR‑code status.
When the mobile app scans the QR, it extracts the ID and calls a server API, sending the mobile’s identity and the QR‑code ID.
The server binds the mobile identity to the QR‑code ID and returns a temporary one‑time token to the mobile.
Because PC is polling, it receives a status change to "Scanned".
After the user confirms on the mobile, the mobile sends the temporary token to the server to indicate confirmation.
The server generates the final login token for the PC, based on the QR‑code ID’s bound account and device information.
PC’s next poll reports the status "Confirmed" and provides the final token, which the PC uses to access protected resources.
6. Summary
The QR‑code login process combines the two authentication tasks (identity declaration and proof) with a token‑based mechanism. The QR code carries a unique ID that links the PC device to the user’s account. Scanning, temporary token issuance, and user confirmation transition the QR state from "Waiting" to "Scanned" to "Confirmed", after which the PC receives a permanent login token.
Signed-in readers can open the original source through BestHub's protected redirect.
This article has been distilled and summarized from source material, then republished for learning and reference. If you believe it infringes your rights, please contactand we will review it promptly.
Java Architect Handbook
Focused on Java interview questions and practical article sharing, covering algorithms, databases, Spring Boot, microservices, high concurrency, JVM, Docker containers, and ELK-related knowledge. Looking forward to progressing together with you.
How this landed with the community
Was this worth your time?
0 Comments
Thoughtful readers leave field notes, pushback, and hard-won operational detail here.
