Information Security 11 min read

Understanding QR Code Login: Principles, Token Authentication, and Implementation Steps

This article explains the fundamentals of QR code login, covering how QR codes work, the token‑based authentication mechanism, and the step‑by‑step process—from QR code generation and scanning to token exchange and final login confirmation—while highlighting security considerations.

Architecture Digest

QR code login is widely used in everyday scenarios such as shopping, dining, and public transport. It is a convenient authentication method that both identifies the user to the system and proves that identity, without requiring the user to type a password.

The core idea is that the mobile app, already logged in, scans a QR code displayed on a PC or web client; the scan transmits the user's account information to the server, which then generates a token that authenticates the PC session.

QR codes are two‑dimensional barcodes that can encode arbitrary strings or URLs, unlike traditional one‑dimensional barcodes that only store numeric identifiers. Generating and decoding QR codes can be done with online tools or libraries.

Authentication relies on a token mechanism: after a successful username/password login, the server binds the account ID, device ID, and device type into a data structure and issues a token. The token is stored client‑side and presented on subsequent API calls. Example token structure:

const token = {
  accountId: '账号ID',                              // the account the token belongs to
  deviceId: '登录的设备ID',                          // the device on which the login happened
  deviceType: '设备类型,如 ios,android,pc......'     // device type, e.g. ios, android, pc
}

During QR code login, the process can be divided into four phases:

Preparation: The PC client requests the server to create a QR code ID and binds it to the PC's device information; the server returns the ID, which the PC renders as a QR code.

Scanning: The mobile app scans the QR code, extracts the ID, and sends the user's identity plus the ID to the server; the server binds the identity to the ID and returns a temporary token to the mobile app while the PC polls for status changes.

Confirmation: The user confirms the login on the mobile app, sending the temporary token back to the server; the server validates the token, generates a permanent login token for the PC, and notifies the PC of the successful login.

Completion: The PC receives the login token and can now access protected resources as the authenticated user.
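The four phases above, modelled end to end as an added example (this is illustrative code written for this digest, not the original article's or any vendor's implementation). It keeps the sessions in memory, binds each QR ID to the PC's device information, issues a one-time temporary token on scan, consumes that token on confirmation, and lets the PC poll until the permanent login token is ready. The class and function names, the time-to-live values and the sample identities are assumptions.

```python
import secrets
import time
from dataclasses import dataclass
from typing import Callable, Dict, Optional

# Assumed lifetimes (the article gives none): a QR session is valid for two
# minutes and the temporary token issued on scan for one minute.
QR_TTL_SECONDS = 120
TEMP_TOKEN_TTL_SECONDS = 60


@dataclass
class QrSession:
    qr_id: str
    pc_device_id: str          # PC device information bound in the preparation phase
    pc_device_type: str
    created_at: float
    status: str = "waiting"    # waiting -> scanned -> confirmed (or expired)
    account_id: Optional[str] = None
    temp_token: Optional[str] = None   # one-time token handed to the mobile app
    temp_issued_at: float = 0.0
    login_token: Optional[str] = None  # permanent token waiting for the PC


class QrLoginServer:
    """In-memory server side of the QR login flow (hypothetical name)."""

    def __init__(self, clock: Callable[[], float] = time.time):
        self.clock = clock
        self.sessions: Dict[str, QrSession] = {}
        # login token -> the accountId / deviceId / deviceType it was bound to
        self.tokens: Dict[str, Dict[str, str]] = {}

    def issue_token(self, account_id: str, device_id: str, device_type: str) -> str:
        # Same shape as the article's token structure; a random opaque value
        # stands in for whatever the real server would sign or store.
        token = secrets.token_urlsafe(32)
        self.tokens[token] = {"accountId": account_id, "deviceId": device_id,
                              "deviceType": device_type}
        return token

    def _session(self, qr_id: str) -> Optional[QrSession]:
        s = self.sessions.get(qr_id)
        if s is not None and self.clock() - s.created_at > QR_TTL_SECONDS:
            s.status = "expired"
        return s

    # Phase 1 (preparation): the PC asks for a QR ID bound to its device info.
    def create_qr_session(self, pc_device_id: str, pc_device_type: str = "pc") -> str:
        qr_id = secrets.token_urlsafe(24)   # unguessable: the QR only carries this ID
        self.sessions[qr_id] = QrSession(qr_id, pc_device_id, pc_device_type, self.clock())
        return qr_id

    # Phase 2 (scanning): the logged-in mobile app sends its identity plus the ID.
    def scan(self, qr_id: str, mobile_login_token: str) -> Optional[str]:
        identity = self.tokens.get(mobile_login_token)
        s = self._session(qr_id)
        if identity is None or s is None or s.status != "waiting":
            return None                     # unknown phone, unknown/expired/used QR
        s.status, s.account_id = "scanned", identity["accountId"]
        s.temp_token, s.temp_issued_at = secrets.token_urlsafe(24), self.clock()
        return s.temp_token

    # Phase 3 (confirmation): the mobile app returns the temporary token once.
    def confirm(self, qr_id: str, temp_token: str) -> bool:
        s = self._session(qr_id)
        if s is None or s.status != "scanned" or s.temp_token is None:
            return False
        if not secrets.compare_digest(temp_token, s.temp_token):
            return False
        if self.clock() - s.temp_issued_at > TEMP_TOKEN_TTL_SECONDS:
            s.status = "expired"
            return False
        s.temp_token = None                 # consumed: a replayed confirm fails
        s.login_token = self.issue_token(s.account_id, s.pc_device_id, s.pc_device_type)
        s.status = "confirmed"
        return True

    # Phase 4 (completion): the PC polls; only the bound device gets the token.
    def poll(self, qr_id: str, pc_device_id: str) -> Dict[str, str]:
        s = self._session(qr_id)
        if s is None or s.pc_device_id != pc_device_id:
            return {"status": "unknown"}
        if s.status == "confirmed" and s.login_token is not None:
            token, s.login_token = s.login_token, None   # hand it out exactly once
            del self.sessions[qr_id]
            return {"status": "confirmed", "token": token}
        return {"status": s.status}


def run_demo() -> Dict[str, str]:
    """Walks one constructed login through all four phases and returns the PC's result."""
    srv = QrLoginServer()
    phone = srv.issue_token("alice", "phone-1", "android")   # prior password login
    qr_id = srv.create_qr_session("pc-1")
    temp = srv.scan(qr_id, phone)
    assert temp is not None and srv.confirm(qr_id, temp)
    return srv.poll(qr_id, "pc-1")


if __name__ == "__main__":
    print(run_demo())
```

The checks that matter for security are the ones the article's last paragraph points at: the temporary token is compared in constant time and cleared on first use, the login token is released only to the device ID recorded in the preparation phase, and both the QR session and the temporary token expire, so a stale or copied QR image cannot be completed later.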

The article also notes that the same principles apply to third‑party QR code logins (e.g., WeChat, QQ) and that security relies on the uniqueness of device information and the one‑time nature of temporary tokens.

Tags: Mobile security, Authentication, login, token, QR code
Written by

Architecture Digest

Focusing on Java backend development, covering application architecture from top-tier internet companies (high availability, high performance, high stability), big data, machine learning, Java architecture, and other popular fields.
