QR Code Decoder
Free QR code decoder and payload parser. Inspect a QR's link and host before clicking to avoid quishing, and read Wi-Fi, vCard and OTP fields locally.
About QR Code Decoder
QR Code Decoder reads the data hidden inside a QR (Quick Response) code, the square black-and-white pattern you see on posters, business cards, restaurant menus, packaging, payment screens, and event tickets. You can either upload a photo that contains a QR code or point your device's camera at one, and the tool extracts the text payload, which is most often a URL, but may also be Wi-Fi credentials, a vCard contact, an email, an SMS, a calendar event, geolocation coordinates, or arbitrary text. Decoding happens entirely in your browser using the open-source jsQR library, which implements the ISO/IEC 18004 standard: it locates the three large corner-finder squares, computes the perspective transform, samples the data modules, and runs Reed-Solomon error correction to recover the original bytes even if part of the code is dirty or partially covered. No image data is uploaded to any server, which makes the tool safe for QR codes that may contain personal information such as payment tokens, Wi-Fi passwords or private URLs. Both Version 1 (21 x 21) and the largest Version 40 (177 x 177) QR codes are supported, including all four error-correction levels L / M / Q / H.
What does this QR code decoder do?
It takes either an image you upload or a live camera feed, finds any QR code present in the frame, and prints the original text or URL that was encoded inside it. Under the hood it implements the ISO/IEC 18004 QR specification: it detects the three corner finder patterns, computes a perspective warp to a perfect grid, reads the data modules, applies the format mask, and runs Reed-Solomon error correction (which is what lets QR codes still work when up to about 30 percent of the surface is damaged or covered, depending on the error correction level chosen at encoding time). The decoded payload is most often a URL but can also be Wi-Fi credentials, vCard contacts, email, SMS, geolocation, calendar events, or plain text.
What file types and QR formats are supported?
Any raster image format your browser can decode is accepted: JPG, JPEG, PNG, GIF (first frame), BMP and WebP, plus HEIC on Safari. There is no fixed size limit since nothing is uploaded, but the tool resizes images larger than 1600 pixels on a side for faster decoding. Both Version 1 (21 x 21 modules) and the largest Version 40 (177 x 177 modules) are supported, as are all four error correction levels (L 7%, M 15%, Q 25%, H 30%), every QR mask pattern, and both the standard byte/UTF-8 mode and Kanji mode. Inverted QR codes (white on black) are also detected automatically with a second pass.
Does the decoder upload my image or use my camera footage?
No. The image you load is drawn onto a Canvas inside the page and decoded by the jsQR library running in your browser's JavaScript engine; the camera tab uses getUserMedia to access the live stream locally and never records or transmits the frames. You can verify this in your browser's Network tab: after the page loads, scanning produces zero outgoing requests with image data. This makes the tool safe for QR codes that hold sensitive material such as Wi-Fi passwords for your home, two-factor-authentication secrets, payment URLs, or boarding passes. The camera permission is required only by your browser to access the device camera; you can revoke it any time in site settings.
Why did decoding fail or return the wrong text?
QR codes are tolerant but not magical. Common failure causes are: extreme angle (more than 45 degrees from perpendicular), motion blur, poor contrast (faded paper, glare on a phone screen), the code occupying less than about 100 pixels on each side in the photo, missing or damaged corner finder squares, and reflections that cut across the data grid. Try a cleaner photo where the code is centered, well lit, in focus, and roughly fills at least a third of the frame. For very small codes in a large photo, crop closer first. Cameras work best when the QR fills most of the viewfinder and the device is held steady for a second or two. If a code returns garbled text, it may be using a non-standard encoding such as Shift-JIS Kanji on a Japanese poster.

Which browsers and devices are supported?
The decoder runs in every modern browser that supports HTML5 Canvas and ES2017 JavaScript: Chrome, Edge, Firefox, Safari, Opera and Samsung Internet, on both desktop and mobile. The camera tab needs the getUserMedia API, which all modern browsers support, and requires the page to be served over HTTPS (the WuTools site is). On iOS, the camera works in Safari from version 11 onward. The jsQR library is only about 50 KB compressed, so the tool loads almost instantly even on slow mobile connections. There is no minimum hardware requirement other than enough RAM to hold a single image; a five-year-old phone runs it without issues.
Can the decoder read multiple QR codes in one image at once?
The current implementation reads one QR code per image: it returns the first valid code it detects after the corner finder pass. If you have a sheet with several QR codes, crop and scan them one at a time, or use the camera mode and point at each code in turn. We will consider adding multi-code support in a future update; the underlying jsQR algorithm can be run on overlapping regions to detect multiple codes, but it adds complexity and runtime cost. Note that some advanced 2D barcodes such as Data Matrix, Aztec, MaxiCode and PDF417 use different scanning algorithms and are not handled by a QR-only decoder; for those you would need a more general library.
Is it safe to scan an unknown QR code, and how do I check a QR URL for phishing (quishing)?
Scanning is safe here because everything happens locally and nothing is uploaded; the risk with an untrusted code is what you do AFTER you read it. QR phishing, or quishing, hides a malicious link inside a square that you cannot read with your eyes, so the safe workflow is to decode first and inspect before tapping. This decoder never auto-opens a link: when the payload is a URL it shows you the full destination, the exact host, and the protocol, and runs a quick security check that flags common tricks - a non-HTTPS (unencrypted) link, a raw IP address used instead of a real domain, a punycode 'xn--' domain that may be a homograph look-alike of a trusted brand, and any username or password embedded in the URL (the user:pass@host pattern attackers use to disguise the true host). Read the host carefully, watch for misspellings and extra subdomains like paypal.com.secure-login.example, and only use the explicit Open-link button once you are satisfied. For IT, security and helpdesk staff this turns a poster, email or package label into something you can vet before it ever reaches a browser.
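The four checks described above can be built on the standard WHATWG URL parser, which lower-cases the host, converts internationalized names to punycode and rewrites hex or integer IPv4 forms to dotted decimal before the tests run. This is an added example, not the tool's own code; the function name inspectQrUrl and the flag names are assumptions.

```javascript
// Added example: hypothetical inspectQrUrl(), not the decoder's actual code.
// Returns the parsed destination plus a list of warning flags, never opens anything.
function inspectQrUrl(payload) {
  let url;
  try {
    url = new URL(payload.trim());
  } catch {
    return { isUrl: false, flags: [] };
  }
  // Only web links are inspected; WIFI:, otpauth:, mailto: etc. are other payload types.
  if (url.protocol !== "http:" && url.protocol !== "https:") {
    return { isUrl: false, flags: [] };
  }
  const host = url.hostname; // canonical form produced by the parser
  const flags = [];
  if (url.protocol !== "https:") flags.push("not-https");
  // After canonicalisation an IPv4 host is always dotted decimal; IPv6 is bracketed.
  const isIPv4 = /^\d{1,3}(\.\d{1,3}){3}$/.test(host);
  const isIPv6 = host.startsWith("[");
  if (isIPv4 || isIPv6) flags.push("raw-ip");
  // Any label starting with xn-- is an encoded non-ASCII name (possible homograph).
  if (host.split(".").some((label) => label.startsWith("xn--"))) flags.push("punycode");
  // user:pass@host puts attacker-chosen text in front of the real host.
  if (url.username || url.password) flags.push("embedded-credentials");
  return { isUrl: true, protocol: url.protocol, host, href: url.href, flags };
}
```

A host such as paypal.com.secure-login.example produces no flags from these checks, which is why the displayed host still has to be read by a person.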
Can it decode Wi-Fi, vCard, otpauth and other structured QR payloads into fields?
Yes. After decoding, the tool classifies the payload and breaks it into readable fields instead of one raw blob. A Wi-Fi code (WIFI:T:WPA;S:MyNetwork;P:secret;H:false;) is parsed into network name (SSID), security type, password and hidden flag, with backslash-escaped characters handled correctly. A contact code (BEGIN:VCARD or MECARD:) is split into name, phone, email, organization and URL. An authenticator code (otpauth://totp/Issuer:account?secret=...) is broken into issuer, account, secret and type so you can read or audit a 2FA seed. It also recognizes mailto: and MATMSG: email, tel: phone numbers, smsto:/sms: messages, geo: latitude and longitude, and BEGIN:VEVENT calendar entries (summary, start, end, location). Anything that does not match a known scheme is shown as plain text. The raw decoded string always remains in the text box so you can copy it verbatim, while the structured table makes long-tail payloads such as a Wi-Fi password or an OTP secret easy to read in the field.
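The Wi-Fi and otpauth parsing described above, including the backslash escapes, can be sketched as follows. This is an added example, not the tool's own code; the function names parseWifi and parseOtpauth and the returned field names are assumptions, and the sample secret used with it is constructed.

```javascript
// Added example: hypothetical parsers, not the decoder's actual code.
function parseWifi(payload) {
  if (!/^WIFI:/i.test(payload)) return null;
  const fields = new Map();
  let cur = "";
  const flush = () => {
    const sep = cur.indexOf(":"); // the key is everything before the first colon
    if (sep > 0) fields.set(cur.slice(0, sep).toUpperCase(), cur.slice(sep + 1));
    cur = "";
  };
  const body = payload.slice(5);
  for (let i = 0; i < body.length; i++) {
    if (body[i] === "\\" && i + 1 < body.length) cur += body[++i]; // \; \: \, \\ are literal
    else if (body[i] === ";") flush(); // an unescaped ';' ends a field
    else cur += body[i];
  }
  flush(); // tolerate a missing trailing ';'
  return {
    ssid: fields.get("S") ?? "",
    security: fields.get("T") ?? "nopass",
    password: fields.get("P") ?? "",
    hidden: (fields.get("H") ?? "").toLowerCase() === "true",
  };
}

function parseOtpauth(payload) {
  let url, label;
  try {
    url = new URL(payload);
    // The label is the path: "Issuer:account", possibly percent-encoded.
    label = decodeURIComponent(url.pathname.replace(/^\/+/, ""));
  } catch {
    return null; // not a URL, or malformed percent-encoding
  }
  if (url.protocol !== "otpauth:") return null;
  const sep = label.indexOf(":");
  return {
    type: url.hostname, // "totp" or "hotp"
    issuer: url.searchParams.get("issuer") ?? (sep >= 0 ? label.slice(0, sep) : ""),
    account: (sep >= 0 ? label.slice(sep + 1) : label).trim(),
    secret: url.searchParams.get("secret") ?? "",
  };
}
```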
