How QR Code Login Works: Token Authentication and Secure Scanning Explained

QR codes are ubiquitous in daily life, from supermarket payments to system logins and app downloads. Understanding their underlying technology helps developers choose appropriate solutions and enables non‑technical users to recognize legitimate codes and avoid scams.

Essence of QR Code Login

QR code login is essentially an authentication method that performs two tasks: telling the system who you are and proving your identity.

Identify the user to the system.

Prove the user's identity to the system.

For example, a password login uses the username to identify and the password to prove identity; a mobile verification code uses the phone number to identify and the code to prove.

Understanding QR Codes

Before diving into login, it’s useful to distinguish QR codes from one‑dimensional barcodes. Barcodes store numeric product IDs, while QR codes can encode any string, making them a versatile representation of data. Online generators (e.g., CLI.im) can convert text, URLs, or files into QR codes, and they can also decode uploaded images.

System Authentication Mechanism

Modern mobile apps use token‑based authentication. After the first password login, the server issues a token that binds the account ID, device ID, and device type. The client stores this token locally and includes it in subsequent API requests.

const token = {
  accountid: '账号ID',
  deviceid: '登录的设备ID',
  deviceType: '设备类型，如 iso,android,pc......'
};

The server can retrieve the associated account and device information from the token, compare it with the current device data, and grant or deny access accordingly.

General Steps of QR Code Login

Preparation

The PC client requests the server to generate a QR code and sends its device information.

The server creates a unique QR‑code ID and binds it to the PC device.

The server returns the QR‑code ID to the PC, which renders the QR code containing this ID.

The PC continuously polls the server for the QR‑code status.

Scanning Phase

The user scans the QR code with a logged‑in mobile app, extracting the QR‑code ID.

The mobile app sends its identity information and the QR‑code ID to the server.

The server binds the mobile identity to the QR‑code ID and returns a temporary token to the mobile app.

The PC, still polling, receives the status change and updates the UI to “scanned”.

Confirmation Phase

The mobile app displays a confirmation prompt; upon user approval, it sends the temporary token to the server.

The server generates a final login token for the PC based on the bound account and device information.

The PC receives the “confirmed” status and the login token, completing the authentication.

This flow ensures that the PC never receives the user's password; instead, it obtains a token that is valid only for the authenticated device.

Summary

QR code login relies on two core concepts: the QR code’s unique identifier and a token‑based authentication mechanism. By linking the QR‑code ID with device information and using temporary tokens during the scan‑confirm process, systems achieve secure, password‑less login across multiple platforms.