Understanding QR Code Login: Principles, Token Authentication, and Implementation Steps
This article explains the fundamentals of QR code login, detailing how QR codes convey unique IDs, the token‑based authentication process, the steps from QR generation to device verification, and the security considerations involved in implementing scan‑to‑login across web and mobile platforms.
QR codes are widely used in daily life for payments, access, and information retrieval. Beyond their surface convenience, they can serve as a secure login mechanism that authenticates a user without transmitting passwords.
The essence of QR code login is a two‑step authentication process: first, the client tells the system who it is, and second, it proves its identity. The QR code contains a unique identifier (QR ID) that is bound to the PC device.
When a user initiates login on a PC, the server generates a QR ID, binds it to the device, and returns it. The PC renders a QR code embedding this ID and continuously polls the server for status changes.
On the mobile side, the already‑logged‑in app scans the QR code, extracts the QR ID, and sends the user's identity together with the ID to the server. The server creates a temporary token linking the mobile user to the QR ID and notifies the PC that the code has been scanned.
The user then confirms the login on the mobile device. This confirmation, together with the temporary token, allows the server to generate a permanent token for the PC. The PC receives this token via the polling response and can subsequently access protected resources.
The token structure typically looks like:
const token = {
  accountid: '账号ID',                          // account ID
  deviceid: '登录的设备ID',                     // ID of the device that logged in
  deviceType: '设备类型,如 ios,android,pc......' // device type, e.g. ios, android, pc
};
This token is stored locally on the client and sent with each API request. Because the token is bound to both the account and the device, possession of the token alone is insufficient for an attacker without the corresponding device information.
Overall, QR code login combines the uniqueness of QR IDs with a token‑based authentication flow, providing a password‑less, secure login experience across web, PC, and mobile platforms.
Architecture Digest
Focusing on Java backend development, covering application architecture from top-tier internet companies (high availability, high performance, high stability), big data, machine learning, Java architecture, and other popular fields.