Information Security 11 min read

Understanding QR Code Login and Token-Based Authentication

QR‑code login lets an already‑authenticated mobile app scan a code shown on a PC, using a server‑issued token tied to the user’s account and device ID; the scan creates a temporary token, the user confirms, and a permanent token is issued to the PC, enabling password‑less, secure authentication.

Java Tech Enthusiast

This article explains the principle and implementation of QR‑code based login, a common authentication method used by many large tech companies.

Login authentication consists of two tasks: telling the system who you are and proving it. QR‑code login achieves both by leveraging a token mechanism.

1. QR‑code login essence – The mobile app, already logged in, scans a QR code displayed on a PC/Web page. The scan confirms the same account on both devices, allowing the PC to log in without password entry.

2. Token mechanism – After a successful username/password login, the server binds the account with a device identifier and issues a token:

const token = {
  acountid: '账号ID',                              // account ID
  deviceid: '登录的设备ID',                         // ID of the device that logged in
  deviceType: '设备类型,如 iso,android,pc......'   // device type, e.g. iOS, Android, PC
};

The client stores this token and sends it with every API request. The server validates the token by matching the stored device information.

3. QR‑code login workflow

PC requests a QR‑code ID from the server, which binds the ID to the PC’s device info.

The server returns the ID; the PC generates a QR code containing this ID.

The mobile app scans the QR code, obtains the ID, and sends its authenticated user info together with the ID to the server.

The server creates a temporary token for the mobile side and updates the QR‑code status to “scanned”.

The user confirms on the mobile app; the server generates a permanent token for the PC and returns it.

During this process, the mobile app never transmits the password; authentication relies on the existing session token and the unique device‑ID binding, which mitigates credential leakage.
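The workflow above as a server-side state machine, added here as an example and not taken from the original article. The function names, the in-memory maps, the 60-second lifetime, the PC polling for its token and the single-use rule are assumptions made for illustration.

```javascript
const { randomBytes } = require('node:crypto');

const QR_TTL_MS = 60_000;     // assumed QR-code lifetime
const qrSessions = new Map(); // qrId -> session state
const tokens = new Map();     // token -> { accountId, deviceId, deviceType }
const newId = () => randomBytes(16).toString('hex');

// Token issued after a normal login, bound to account and device (section 2).
function issueToken(accountId, deviceId, deviceType) {
  const token = newId();
  tokens.set(token, { accountId, deviceId, deviceType });
  return token;
}

// PC requests a QR-code ID; the server binds it to the PC's device ID.
function createQr(pcDeviceId, now = Date.now()) {
  const qrId = newId();
  qrSessions.set(qrId, { pcDeviceId, status: 'pending', expires: now + QR_TTL_MS });
  return qrId;
}

// Phone sends its own token with the scanned ID and gets a temporary token.
function scan(qrId, mobileToken, now = Date.now()) {
  const s = qrSessions.get(qrId);
  const m = tokens.get(mobileToken);
  if (!s || !m || s.status !== 'pending' || now > s.expires) return null;
  Object.assign(s, { status: 'scanned', accountId: m.accountId, mobileToken, tempToken: newId() });
  return s.tempToken;
}

// Confirmation must carry the temporary token and come from the session that scanned.
function confirmLogin(qrId, tempToken, mobileToken, now = Date.now()) {
  const s = qrSessions.get(qrId);
  if (!s || s.status !== 'scanned' || now > s.expires) return false;
  if (s.tempToken !== tempToken || s.mobileToken !== mobileToken) return false;
  s.status = 'confirmed';
  return true;
}

// PC polls with the device ID it registered; the permanent token is issued once.
function poll(qrId, pcDeviceId, now = Date.now()) {
  const s = qrSessions.get(qrId);
  if (!s || s.pcDeviceId !== pcDeviceId || now > s.expires) return { status: 'invalid' };
  if (s.status !== 'confirmed') return { status: s.status };
  qrSessions.delete(qrId); // single use: a replayed poll gets 'invalid'
  return { status: 'confirmed', token: issueToken(s.accountId, pcDeviceId, 'pc') };
}
```

Because the QR-code ID is visible to anyone who can see the screen, the checks that matter are the ones on the other values: the PC's device ID on `poll`, and the temporary token plus the scanning session on `confirmLogin`.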

The article also notes that QR‑code content may be a simple ID or a URL containing the ID, and that cancellation handling is left as an exercise.

In summary, QR‑code login combines token‑based authentication with stateful QR‑code IDs to securely transfer login credentials from a trusted mobile device to a PC or web client.
