How QR Code Login Works: Token‑Based Authentication Explained
This article demystifies QR code login by covering what QR codes are, how mobile token‑based authentication works, and the step‑by‑step flow that enables secure PC login via scanning, confirming, and token exchange.
QR code login is now common on PC platforms such as WeChat and Alipay, and this article explains the underlying implementation logic.
The discussion is organized into three main topics:
What a QR code is.
Mobile token‑based authentication mechanisms.
The principle of QR code login.
1. What is a QR code
A QR (Quick Response) code is a two‑dimensional barcode. It holds far more than a one‑dimensional barcode: the largest QR version stores up to 2,953 bytes of arbitrary binary data, enough for numbers, text, URLs or a very small file, but not a typical image.
Where a traditional barcode encodes only a short digit string, a QR code can embed text such as www.baidu.com, so a scanning app recovers the URL and can open it. The content is invisible to the user until it is decoded, so the scanning app should treat it as untrusted input rather than acting on it blindly.
2. Mobile token‑based authentication
Token‑based authentication differs from sending a username and password with every request: the password is transmitted once, at first login, and afterwards the client presents a server‑issued token. The password is exposed far less often, and a token can be expired or revoked without changing the password.
The process works as follows. On first login the client sends username, password and device information (for example a device identifier and model). The server validates the credentials, binds the device to the account, generates a random, unguessable token, stores it server‑side together with the user and device it belongs to, and returns it to the mobile client.
The mobile client stores the token locally and sends it, together with the same device information, on every subsequent API call. The server checks that the presented device matches the one the token was bound to, so a token copied to a different device is rejected. This raises the bar for token hijacking but is not a complete defence on its own, since the device information travels with the token; the token should also live in protected storage and carry an expiry.
3. QR code login principle
The complete login flow can be divided into three stages: "awaiting scan", "scanned awaiting confirmation", and "confirmed".
Stage 1 – Awaiting scan: The PC sends a request carrying its device information to the server. The server generates a unique, unguessable QR‑code ID (typically a UUID or random token), records it together with the requesting PC, and returns it. The PC renders the ID as a QR code and begins polling the server for the status of that ID; only the PC that created the ID should be allowed to poll it. If nobody scans the code within the timeout, it expires and the PC must request a new one.
Stage 2 – Scanned, awaiting confirmation: The mobile app scans the QR code, extracts the ID, and sends it to the server together with the mobile login token and device information from section 2. The server verifies the mobile token, associates that user with the QR‑code ID, moves the status to "scanned", and returns a one‑time confirmation token to the phone. The PC's next poll sees the new status and tells the user to confirm on the phone. A scan alone must never log the PC in; that is exactly what the separate confirmation step is for, and the phone should show the user what it knows about the requesting PC before asking for confirmation.
Stage 3 – Confirmed: When the user taps confirm, the mobile client sends the one‑time token (with the QR‑code ID) to the server. The server checks that it matches the pending session, invalidates it so it cannot be replayed, and moves the status to "logged in". The PC's next poll then receives a long‑lived token, bound to the PC's device information, which the PC uses for subsequent authenticated requests in the same way the phone uses its own token.
The overall mechanism closely resembles the OAuth 2.0 device authorization grant (RFC 8628), in which a device with limited input shows a code and polls while the user approves the login on a second device. The QR flow adds the mobile token check and binds both tokens to device information, which makes the implementation more involved but ties every PC login to an explicit confirmation on an already authenticated phone.
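As an added illustration (not code from the original article, nor from any real WeChat or Alipay implementation), the following Python models both the device‑bound mobile token from section 2 and the three‑stage QR login from section 3 on one in‑memory server, with each side's messages as method calls. All names, the 60‑second timeout and the plaintext password store are assumptions made for the demo; a real server would hash passwords, persist state and expose these methods as HTTP endpoints.

```python
import secrets
import time
from dataclasses import dataclass
from typing import Optional

QR_TTL = 60  # seconds a displayed QR code stays valid (assumed value)


@dataclass
class QrSession:
    pc_device: str                      # device info of the PC that requested the code
    created: float
    state: str = "awaiting_scan"        # awaiting_scan -> scanned -> confirmed
    user: Optional[str] = None
    one_time: Optional[str] = None      # confirmation nonce handed to the phone
    pc_token: Optional[str] = None      # issued to the PC once confirmed


class AuthServer:
    """Toy server: users, device-bound tokens and QR sessions held in memory (demo only)."""

    def __init__(self, users):
        self.users = users      # username -> password (plaintext only for the demo)
        self.tokens = {}        # token -> (user, device)
        self.qr = {}            # qr_id -> QrSession

    # --- section 2: password once, then token + device on every call ---
    def password_login(self, user, password, device):
        if self.users.get(user) != password:
            raise PermissionError("bad credentials")
        token = secrets.token_urlsafe(32)
        self.tokens[token] = (user, device)   # bind the token to the logging-in device
        return token

    def verify(self, token, device):
        """Rejects a valid token replayed from a device other than the one it was bound to."""
        entry = self.tokens.get(token)
        if entry is None or entry[1] != device:
            raise PermissionError("invalid token or device mismatch")
        return entry[0]

    # --- section 3, stage 1: PC requests a QR-code ID and polls its status ---
    def create_qr(self, pc_device, now=None):
        qr_id = secrets.token_urlsafe(16)     # unguessable; stands in for the UUID
        self.qr[qr_id] = QrSession(pc_device, now or time.time())
        return qr_id

    def poll(self, qr_id, pc_device, now=None):
        s = self.qr.get(qr_id)
        if s is None or s.pc_device != pc_device:   # only the creating PC may poll
            raise PermissionError("unknown QR id for this device")
        if s.state != "confirmed" and (now or time.time()) - s.created > QR_TTL:
            del self.qr[qr_id]
            return {"state": "expired"}
        if s.state == "confirmed":
            token = s.pc_token
            del self.qr[qr_id]                      # the PC token can be collected once
            return {"state": "confirmed", "token": token}
        return {"state": s.state}

    # --- stage 2: phone scans and proves its own identity with the mobile token ---
    def scan(self, qr_id, mobile_token, mobile_device, now=None):
        user = self.verify(mobile_token, mobile_device)
        s = self.qr.get(qr_id)
        if s is None or s.state != "awaiting_scan" or (now or time.time()) - s.created > QR_TTL:
            raise PermissionError("QR code invalid, expired or already scanned")
        s.state, s.user = "scanned", user
        s.one_time = secrets.token_urlsafe(16)
        # pc_device is returned so the phone can show which machine is asking
        return {"one_time": s.one_time, "pc_device": s.pc_device}

    # --- stage 3: the user taps confirm and the phone returns the one-time token ---
    def confirm(self, qr_id, one_time):
        s = self.qr.get(qr_id)
        if s is None or s.state != "scanned" or not secrets.compare_digest(s.one_time, one_time):
            raise PermissionError("confirmation rejected")
        s.one_time = None                           # burn the nonce: no replay
        s.state = "confirmed"
        s.pc_token = secrets.token_urlsafe(32)
        self.tokens[s.pc_token] = (s.user, s.pc_device)   # PC token bound to the PC
        return True


def demo():
    """Full happy path; returns the user the PC's new token resolves to."""
    srv = AuthServer({"alice": "hunter2"})
    phone_token = srv.password_login("alice", "hunter2", "phone-abc")
    qr_id = srv.create_qr("pc-xyz")
    assert srv.poll(qr_id, "pc-xyz") == {"state": "awaiting_scan"}
    info = srv.scan(qr_id, phone_token, "phone-abc")
    assert srv.poll(qr_id, "pc-xyz") == {"state": "scanned"}
    srv.confirm(qr_id, info["one_time"])
    result = srv.poll(qr_id, "pc-xyz")
    return srv.verify(result["token"], "pc-xyz")


if __name__ == "__main__":
    print(demo())
```

The checks worth copying into a real implementation are the ones that fail closed: the poll endpoint refuses any PC other than the one that created the ID, the scan endpoint requires an already authenticated phone, the confirmation nonce is compared in constant time and destroyed after one use, and the PC token is handed out exactly once.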
Hope this explanation helps your learning or work.
macrozheng
Dedicated to Java tech sharing and dissecting top open-source projects. Topics include Spring Boot, Spring Cloud, Docker, Kubernetes and more. Author’s GitHub project “mall” has 50K+ stars.