How QR Code Login Works: Token Authentication Explained

The article breaks down QR code login by describing QR code basics, token‑based authentication, and step‑by‑step interactions between mobile and PC clients, providing a clear technical roadmap useful for developers and interview preparation.

Java High-Performance Architecture

This article explains the principle and implementation of QR code login, a common interview question in major tech companies.

QR Code Login Essence

QR code login is essentially an authentication method that must both tell the system who you are and prove it.

Identify the user (e.g., account name or phone number).

Prove the identity (e.g., password, verification code, or QR scan confirmation).

During QR login, the mobile app, already logged in, scans the PC‑generated QR code; after user confirmation, the account is logged in on the PC.

Understanding QR Codes

A QR code stores arbitrary strings, not just numbers like a barcode. Online tools can generate and decode QR codes.

System Authentication Mechanism

After the first password login, the client receives a token bound to the account and device, which is used for subsequent accesses without re‑entering credentials.

const token = {
  accountid: '账号ID',      // account ID
  deviceid: '登录的设备ID',  // ID of the device that logged in
  deviceType: '设备类型,如 ios,android,pc......'  // device type, e.g. ios, android, pc
}

The token maps to the stored account‑device data; each request includes the token and device info for verification.

General Steps of QR Code Login

Overall Flow

Before scanning, the mobile app is logged in; the PC displays a QR code and polls its status.

The user scans the QR code; the PC shows “scanned, awaiting confirmation”.

The user confirms on the mobile app, and the PC logs in successfully.

QR Code Preparation

PC requests the server to generate a QR‑code ID and binds it to the PC device.

Server returns the ID; PC renders the QR code containing the ID.

PC continuously polls the server for the QR code status.

Scanning State Transition

Mobile scans the QR code, extracts the ID, and sends its identity plus the ID to the server.

Server binds the identity to the ID and returns a temporary token to the mobile.

PC receives the updated status (“scanned”).

Confirmation State

Mobile shows a confirmation UI; upon user approval, it sends the temporary token to the server.

Server generates the final login token for the PC based on the bound account and device.

PC receives the “confirmed” status and the login token, completing authentication.
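The three stages above as a server-side state machine in Node.js. This is an added example, not code from the original article: the function names, the in-memory Map, the 60-second lifetime and the expiry, single-use and device checks are assumptions made for illustration.

```javascript
const { randomBytes, timingSafeEqual } = require('node:crypto');

const QR_TTL_MS = 60_000;        // assumed lifetime of a QR-code ID
const sessions = new Map();      // qrId -> session record (in-memory for the example)
const rand = () => randomBytes(32).toString('hex');
const same = (a, b) => {         // constant-time comparison of two token strings
  const x = Buffer.from(String(a)), y = Buffer.from(String(b));
  return x.length === y.length && timingSafeEqual(x, y);
};

// QR code preparation: the PC asks for an ID, which is bound to the PC device.
function createQr(pcDeviceId, now = Date.now()) {
  const qrId = rand();
  sessions.set(qrId, { pcDeviceId, state: 'pending', expires: now + QR_TTL_MS });
  return qrId;
}

// Look up a session, dropping it once it has expired.
function live(qrId, now) {
  const s = sessions.get(qrId);
  if (s && now > s.expires) { sessions.delete(qrId); return null; }
  return s || null;
}

// Scanning: accountId is assumed to come from the mobile's verified login token.
function scan(qrId, accountId, now = Date.now()) {
  const s = live(qrId, now);
  if (!s || s.state !== 'pending') return null;  // unknown, expired or already scanned
  Object.assign(s, { state: 'scanned', accountId, tempToken: rand() });
  return s.tempToken;
}

// Confirmation: only the holder of the temporary token can approve the login.
function confirm(qrId, tempToken, now = Date.now()) {
  const s = live(qrId, now);
  if (!s || s.state !== 'scanned' || !same(tempToken, s.tempToken)) return false;
  Object.assign(s, { state: 'confirmed', tempToken: null, loginToken: rand() });
  return true;
}

// Polling: the login token is released once, only to the PC that created the ID.
function poll(qrId, pcDeviceId, now = Date.now()) {
  const s = live(qrId, now);
  if (!s || s.pcDeviceId !== pcDeviceId) return { state: 'invalid' };
  if (s.state !== 'confirmed') return { state: s.state };
  sessions.delete(qrId);                         // single use
  return { state: 'confirmed', accountId: s.accountId, loginToken: s.loginToken };
}
```

In a real deployment the issued login token would be stored against the account and PC device, as the token structure earlier in the article describes.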

Summary

QR code login works by combining QR‑code‑based ID exchange with token‑based authentication, allowing a logged‑in mobile device to securely authenticate a PC session without transmitting passwords.
