Quick Response (QR) Code Decoder

QR Code Decoder

{{ sourceModeLabel }} {{ primaryResult && primaryResult.type ? primaryResult.type : 'Unknown payload' }} {{ primaryPayloadRisk.label }} Decoded {{ validCount }} Invalid {{ invalidCount }} Try harder Inverted scan

QR image file:

Use one PNG, JPG, WebP, GIF, or SVG image. Nothing is uploaded by the decoder.

{{ fileThumbs.length ? 'Image ready for decode' : 'Drop QR image here' }}

Image URL or data URI:

Use this when the QR image is already available as a direct URL, data URI, or base64 string.

Ignored {{ ignoredItems }} extra input item(s). This tool processes one item at a time.

Try harder:

Runs extra scale passes; leave off for clear screenshots and generated QR images.

Try inverted colors:

Leave off for normal dark modules on a light background.

Rotation attempts:

Select only likely angles to keep scan attempts fast; keep 0° for normal screenshots.

Downscale cap:

Use 0 for original size; try 1024 or 1600 px for huge screenshots.

Image load timeout:

Use 0 for no timeout; remote image loads usually fit in 3000-8000 ms.

#	Source	Status	Type	Safety	Content	Bytes	Format	Charset	EC	ZX	Bits	Raw	Angle°	Scale	Inv	WxH	Open	Copy
{{ row.idx }}	{{ row.sourceLabel }}	{{ row.valid ? 'OK' : (row.error \|\| 'Error') }}	{{ row.derivedType \|\| '—' }}	{{ row.safetyLabel }}	{{ row.text \|\| '—' }}	{{ row.bytes \|\| '—' }}	{{ row.format \|\| '—' }}	{{ row.charset \|\| '—' }}	{{ row.ec \|\| '—' }}	{{ row.zx \|\| '—' }}	{{ row.bits !== '' ? row.bits : '—' }}	{{ row.raw !== '' ? row.raw : '—' }}	{{ row.angle !== '' ? row.angle : '—' }}	{{ row.scale !== '' ? row.scale : '—' }}	{{ row.inv \|\| '—' }}	{{ row.wh \|\| '—' }}	—

Check	Status	Detail	Suggested action	Copy
{{ row.label }}	{{ row.status }}	{{ row.detail }}	{{ row.action }}

Field	Value	Copy
{{ row.label }}	{{ row.value }}

Trace Field	Value	Copy
{{ row.label }}	{{ row.value }}

Embed:

Customize

Include current inputs

Size

Advanced

Width

Height

Aspect ratio

Max height

Collapsible embed

Allow fullscreen

Referrer policy

Sandbox tokens

QR codes turn printed signs, product labels, payment prompts, tickets, login screens, and app setup flows into a small machine-readable handoff. The square symbol is only the carrier. The useful question is what payload the symbol contains and what a phone, browser, authenticator app, or operating system will try to do with that payload.

A QR symbol can hold plain text, a web link, a Wi-Fi setup string, a contact card, a map coordinate, an email draft, an SMS action, a phone number, or an OTP URI for authenticator setup. Those formats feel similar when they are printed as black and white modules, but they carry very different consequences. A menu link might only open a page. A Wi-Fi string can reveal a network password. An OTP URI can contain account provisioning material that should be treated like a secret.

Symbol: The visible QR square, including finder patterns, modules, quiet zone, and error-correction data.
Payload: The text recovered from the symbol, such as a URL, Wi-Fi string, vCard, OTP URI, or plain note.
Action: What another app may offer after reading the payload, such as opening a link, joining a network, importing a contact, or starting a message.

QR image pixels pass through decode retries before the recovered payload is reviewed.

Image quality changes whether a QR code can be read. A clean screenshot with enough quiet zone is usually easier than a tilted photo with glare, blur, compression artifacts, or a cropped edge. Error correction lets many QR symbols survive dirt or damage, but it is not a safety feature. It helps recover text from imperfect modules; it does not prove that a printed sticker, email attachment, parking-meter code, or delivery message is legitimate.

The important split is readability versus trust. A decoder can slow the process down by showing the payload before another app acts on it. The final judgment still depends on the context: where the code appeared, whether the destination is expected, and whether the decoded text contains credentials, account setup data, private hosts, lookalike domains, or device actions.

How to Use This Tool:

Start with the cleanest single image source you have, then add retry options only when the first decode does not find a payload.

Use QR image file for a screenshot, downloaded image, photo, PNG, JPG, WebP, GIF, or SVG. The preview should show one selected image with its filename, size, and dimensions.
Use Image URL or data URI when the QR image is already available as a direct image link, a data:image value, or a long raw base64 image string. A normal web page URL will not work unless it exposes image pixels.
Choose Decode QR. The summary should move from ready state to a payload type or a decoded count, and the Decoded Payloads tab should show Status, Type, Safety, Content, byte length, and scan details.
Check Payload Safety Brief before opening a link, importing an OTP URI, joining a Wi-Fi network, adding a contact, or starting a phone, email, SMS, or map action.
Open Payload Breakdown for parsed URL host and path fields, Wi-Fi SSID and security values, OTP labels, or contact fields when the payload format supports them.
If the result says no QR was found, open Advanced. Add likely Rotation attempts for sideways photos, enable Try harder for small or blurred images, and use Try inverted colors for light-on-dark symbols.
Use Downscale cap for very large screenshots and Image load timeout for slow remote images. The Decode Trace tab shows the selected angles, scale passes, inversion modes, attempt budget, winning angle, scale, raster size, character set, and error-correction level when available.

The decoder processes one item at a time. Extra dropped files, pasted images, or extra text lines are ignored, so repeat the run with a different source when you need to compare several QR images.

Interpreting Results:

OK means the symbol produced payload text under the selected image settings. It does not mean the destination is safe, the account label is correct, the Wi-Fi credentials should be shared, or the code belongs to the sign or message where you found it.

QR decode result fields and review cues
Result field	What it tells you	What to verify
Status	Whether payload text was recovered or an image-loading or scan error occurred.	If decoding failed, use a sharper crop, direct file input, likely rotations, or inverted search before trusting the image as unreadable.
Type	A derived label such as URL, Email, Phone, SMS, Geo, OTP, WiFi, MeCard, vCard, URI, or Text.	Treat the label as triage. Read the actual Content field before taking action.
Safety	A local warning cue for credential-bearing URLs, HTTP links, private hosts, punycode, short links, OTP setup, Wi-Fi secrets, device actions, or plain text.	A quiet safety label is not approval. Compare the payload with the physical source or message context.
Payload Breakdown	Parsed fields for common formats, including URL scheme, host, path, query, Wi-Fi fields, OTP issuer, and contact fields.	Confirm the host, account label, SSID, recipient, or contact value before opening or importing anything.
Decode Trace	The search settings and winning frame details that produced the read.	A payload that appears only after heavy retries may deserve a cleaner capture before you share evidence or make a decision.

For links, read the host before the path and query. Short-link services, punycode hostnames, embedded usernames or passwords, non-HTTPS links, and private network names deserve extra caution because they can hide the destination or reveal that the QR code was intended for a specific network.

Technical Details:

QR code symbology is specified by ISO/IEC 18004. A symbol is built from modules arranged on a square grid, with finder patterns for orientation, format information, masking, encoded data, and Reed-Solomon error correction. The decoder starts from rendered pixels, so the symbol must survive the camera, screenshot, compression, scaling, color contrast, and browser image-loading path before any payload can be recovered.

The visible square does not declare intent. The recovered text determines the practical meaning: a URL asks for destination review, a Wi-Fi payload can carry an SSID and password, an OTP URI can provision an authenticator secret, and a vCard or MeCard can import personal contact details. That separation is why payload review is separate from scan success.

Transformation Core:

QR image decoding stages
Stage	Rule	Result surfaced
Source selection	Use the first local image, pasted image, direct image URL, data URI, or raw base64 image string.	Extra input items are counted as ignored.
Image loading	The source must load as an image and expose readable pixels. Remote images can fail because of timeout, network errors, or blocked pixel access.	Failures appear as decode errors before payload classification begins.
Frame preparation	The longest edge may be capped, then the image is tested across selected rotation angles, scale passes, and normal or inverted polarity.	The trace records the attempt budget and winning frame when a read succeeds.
Payload recovery	The first successful QR read becomes the primary result for the source.	Decoded text, byte length, format, character set, error-correction level, raw length, and raster size appear when available.
Payload classification	Recognized prefixes and structured text patterns assign a type and safety cue.	Payload tables and JSON output are built from the recovered text.

Frame Search Core:

The retry count is controlled by the selected angles, extra scale passes, and color polarity modes. With no downscale cap, the base scale is 1. With a positive cap, the longest image edge is reduced only when it is larger than the cap.

\begin{array}{lcl} base scale & = & \{\begin{cases} 1 & when cap is 0 \\ \min (1, \frac{cap}{\max (width, height)}) & when cap is positive \end{cases} \\ attempt budget & = & angle count \times scale pass count \times polarity count \end{array}

Default settings test one angle, one scale pass, and normal dark-on-light polarity. Try harder adds two smaller scale passes after the base raster. Try inverted colors adds a light-on-dark polarity pass. Selecting 0°, 90°, 180°, and 270° multiplies the attempt budget by four.

Payload Rule Core:

QR payload classification and safety cues
Payload pattern	Displayed type	Safety cue
`http://`, `https://`, `ftp://`, or `www.`	URL	Flags credential fields, HTTP, private hosts, punycode, short-link hosts, and long query strings.
`mailto:`, `tel:`, `smsto:`, or `geo:`	Email, Phone, SMS, or Geo	Warns that another app may offer a device action.
`otpauth:`	OTP	Marks the payload as sensitive because authenticator setup can expose account secrets.
`WIFI:`	WiFi	Marks possible network credentials and extracts SSID, security type, and hidden-network status when present.
`MECARD:` or `BEGIN:VCARD`	MeCard or vCard	Treats names, phone numbers, email addresses, and organizations as personal data to review before import.
Other scheme-like text or plain text	URI or Text	Shows copy-oriented review cues rather than an open-link action.

The result is deterministic for the same image pixels and settings. It does not expand redirects, fetch a link destination, validate Wi-Fi credentials, enroll an authenticator app, confirm a contact, or prove that a QR sticker was placed by the organization named nearby.

Privacy Notes:

Local files and pasted screenshots are read in the browser, and the page does not need a server-side upload step for those images. A direct image URL is different: your browser requests that image from its host, and the host can see the request.

OTP URI payloads can contain account setup secrets. Do not paste their decoded text into tickets, chats, or screenshots unless that is allowed.
Wi-Fi QR payloads may contain a network password. Share the decoded text only with intended network users.
Credential-bearing URLs and private hosts can expose access details even before the destination is opened.

Worked Examples:

Poster link check. A restaurant sign decodes with Status as OK, Type as URL, and Content as https://example-menu.test/spring. The Payload Breakdown host and path match the printed domain, so the link is at least consistent with the sign before you open it.

Short-link warning. A parking sticker decodes to https://bit.ly/park-pay. Safety reports Short link, and Payload Safety Brief recommends verifying the destination. Use the official parking operator address or posted app name before entering payment details.

Router sticker review. A home router image returns Type as WiFi. Payload Breakdown shows the SSID and Wi-Fi security value, while Payload Safety Brief marks the handoff as credential-sensitive. Compare the SSID with the router label before sharing the decoded string.

Failed photo recovery. A sideways dark-mode screenshot first returns No QR found. Adding 90° under Rotation attempts and enabling Try inverted colors produces Status as OK. The Decode Trace winning angle and winning inversion explain why the original default pass failed.

Authenticator caution. An image from an account setup page decodes with Type as OTP. The issuer and label may appear in Payload Breakdown, but the payload can still contain a secret. Keep the decoded text private unless you are intentionally transferring that authenticator setup.

FAQ:

Can it decode more than one QR image at once?

No. It uses the first usable image file or first non-empty text source and counts extra items as ignored.

Why did a web link to an image fail?

The URL must load as an image and expose pixels to the browser. A normal page URL, blocked remote image, timeout, or pixel-access restriction can fail before QR scanning begins.

Does OK mean the QR code is safe?

No. OK only means payload text was recovered. Use Safety, Payload Breakdown, and the source context before opening or importing anything.

Why are some trace fields blank?

Some successful reads expose fewer supporting details. The payload text can still be valid even when character set, error-correction level, bit count, or raw length is unavailable.

What should I try after No QR found?

Use a sharper crop or local file first. Then add likely Rotation attempts, enable Try harder, or test Try inverted colors for light-on-dark symbols.

Can it read Micro QR codes?

It is aimed at ordinary QR images. Very small, Micro QR, damaged, cropped, or low-contrast symbols may fail depending on scanner support and image quality.

Glossary:

Module: One dark or light square in the QR grid.
Quiet zone: The clear margin around the QR symbol that helps scanners separate the code from nearby graphics or text.
Payload: The recovered text carried by the QR symbol.
Error correction: Redundant QR data that can help recover text when some modules are dirty, damaged, blurred, or missing.
Data URI: An image encoded directly inside a text string, usually beginning with data:image.
Punycode: An ASCII encoding for internationalized domain names that can make lookalike hostnames harder to spot.
OTP URI: A one-time-password setup string that can include issuer, label, and authenticator secret data.

References:

ISO/IEC 18004:2024 QR code bar code symbology specification, International Organization for Standardization, 2024-08.
Information capacity and versions of the QR Code, DENSO WAVE.
Error correction feature, DENSO WAVE.
Scammers hide harmful links in QR codes to steal your information, Federal Trade Commission, December 6, 2023.