What it does
QRAuth is a drop-in, cryptographically secure identity verification platform that lets users log in (or verify any action) by simply scanning a QR code with their phone. No passwords, no magic links, no SMS codes, no app install required.
It works alongside your existing auth stack (Auth0, Clerk, Firebase, Supabase, etc.) or as a standalone solution. Every QR is cryptographically signed (ECDSA-P256 + post-quantum SLH-DSA), animated ("Living Codes" that rotate every 500 ms to kill screenshots), bound to the exact session, and includes proximity proof so you know the user was physically there. It also adds device trust scoring, 6-signal fraud detection, ephemeral guest access, and full WebAuthn passkey support under one unified identity model.
Who it's for
Developers and product teams who hate auth friction and want passwordless login in <10 minutes.
Anyone using QR codes in the real world (parking, events, hotels, kiosks, payments, ticketing) who needs to stop sticker fraud and fake scans.
Teams building shared-device experiences (kiosks, TVs, public terminals) or high-security flows where phishing and replay attacks are unacceptable.
If you ship QR codes today, digital or physical, QRAuth makes them tamper-proof and instantly verifiable.
Why we built it
Passwords are broken. Magic links are slow and phishable. SMS is SIM-swappable. Passkeys are amazing but don’t work everywhere (shared devices, kiosks, physical products). We started with the physical world problem: fake QR stickers on parking meters and payment terminals were costing businesses millions. The same primitive that makes physical QR codes verifiable turned out to be the cleanest passwordless login method ever, phishing-resistant, works on any phone, and feels magical.
We open-sourced the core (BSL → Apache after 4 years) because we believe authentication infrastructure should be transparent and composable, not another black-box vendor lock-in.
QRAuth is a drop-in, cryptographically secure identity verification platform that lets users log in (or verify any action) by simply scanning a QR code with their phone. No passwords, no magic links, no SMS codes, no app install required.
It works alongside your existing auth stack (Auth0, Clerk, Firebase, Supabase, etc.) or as a standalone solution. Every QR is cryptographically signed (ECDSA-P256 + post-quantum SLH-DSA), animated ("Living Codes" that rotate every 500 ms to kill screenshots), bound to the exact session, and includes proximity proof so you know the user was physically there. It also adds device trust scoring, 6-signal fraud detection, ephemeral guest access, and full WebAuthn passkey support under one unified identity model.
Who it's for
Developers and product teams who hate auth friction and want passwordless login in <10 minutes.
Anyone using QR codes in the real world (parking, events, hotels, kiosks, payments, ticketing) who needs to stop sticker fraud and fake scans.
Teams building shared-device experiences (kiosks, TVs, public terminals) or high-security flows where phishing and replay attacks are unacceptable.
If you ship QR codes today, digital or physical, QRAuth makes them tamper-proof and instantly verifiable.
Why we built it
Passwords are broken. Magic links are slow and phishable. SMS is SIM-swappable. Passkeys are amazing but don’t work everywhere (shared devices, kiosks, physical products). We started with the physical world problem: fake QR stickers on parking meters and payment terminals were costing businesses millions. The same primitive that makes physical QR codes verifiable turned out to be the cleanest passwordless login method ever, phishing-resistant, works on any phone, and feels magical.
We open-sourced the core (BSL → Apache after 4 years) because we believe authentication infrastructure should be transparent and composable, not another black-box vendor lock-in.