A QR code can carry a web link, your Wi-Fi password, a payment, a contact card, a boarding pass, a vaccine record, a driver's license, a smart-home pairing code, and dozens of other things. Most safety scanners only check web links. We identify and check all of them, in plain language.
Loadingβ¦
For every kind of QR code, we tell you what it is, what's inside it, and whether it's safe to act on, without leaking your personal information back to you in the process.
The QR on a poster, parking meter, or restaurant table. We follow every redirect, name the shortener owner (Bitly, Linktree, TinyURL, branded), and flag look-alike domains and known phishing sites. If the link could change after the QR is printed, we say so, that's how sticker-swap scams work.
The QR your hotel or cafΓ© gives you. We show the network name, security type, and password, and flag fake "Starbucks WiFi" / "Airport Free WiFi" lookalikes that try to trick you into connecting.
Restaurant checkout QRs, market-stall QRs, parking-meter QRs. We show the merchant name, city, country, amount, and currency before you pay, so you can sanity-check that you're paying who you think you're paying. Covers 54 countries: PIX (Brazil), UPI (India), PromptPay (Thailand), PayNow (Singapore), Bizum (Spain), Swish (Sweden), and many more.
Bitcoin, Ethereum, Solana, Lightning Network, Cashu, and more. We validate the address, decode the amount, and warn loudly when a QR asks your wallet to call a smart-contract function (often the start of a drainer scam) rather than do a simple send.
The "save my contact" QR on a business card. Name, phone, email, organization, address, social profiles, birthday, notes, surfaced as a structured card you can add to your phone in one tap. Lookalike names against well-known brands get flagged.
Event QRs from wedding sites, conference badges, ticketing flows. Title, start, end, recurrence (weekly, monthly), location, organizer, attendees, all decoded so you see exactly what's being added to your calendar before tapping Accept.
Tap-to-call, tap-to-text, tap-to-email QRs. We flag premium-rate phone numbers (the kind that bill you per minute), international short-codes used for fraud, and prefilled email subjects that try to trick you into sending sensitive info.
The QR your bank, Google, or work app shows you when setting up an authenticator. We decode the issuer and account so you can confirm what you're enrolling, and we warn loudly when someone tries to share their entire Google Authenticator bundle (one QR holding every 2FA code they have).
The QR your laptop shows that asks your phone to finish a passkey sign-in. We warn loudly if you weren't the one who started a sign-in, scanning a stranger's QR signs them into your account. Also catches the same trick on WhatsApp Web, Telegram, Microsoft 365, Google, GitHub, AWS, Steam, Discord, Slack, and Apple ID.
The barcode on the back of US and Canadian driver's licenses (the one bars and clubs scan), plus mobile driver's licenses from state DMVs and EU Digital ID Wallet. We surface the issuer, the kind of credential, and what attributes it carries, and we explicitly never echo the holder's name, address, or birth date.
Read: what does the barcode on the back of a driver's license say?
SMART Health Cards (vaccine records, prescriptions, lab results) and EU Digital COVID Certificates. We identify what the credential is and who issued it, but we deliberately don't decode patient name, date of birth, or any medical details. Your wallet app is the right place to view those; not a public scanner page.
The QR on your airline boarding pass. Flight number, route, date, seat, sequence, all decoded so you can verify the pass. We mask the booking reference (PNR) by default because anyone with your name plus PNR can access your booking. Don't post boarding-pass photos publicly.
Matter and Apple HomeKit pairing QRs you scan to add a new device to your home. We decode vendor, product, setup passcode, and the network types it'll try to join, so a swapped sticker can't quietly enroll a device on a network you don't control.
The QR you scan to install a phone plan. We surface the carrier server it'll talk to, the activation code, and whether a confirmation code is required. Loud warning that an installed eSIM can intercept SMS, which includes any 2FA codes you receive via text.
WireGuard config QRs. We show the server address, allowed IPs, and DNS, and flag full-tunnel configurations that would route every byte of your traffic through someone else's server. The private key in the QR is masked by default.
GS1 Digital Link QRs on packaged goods, the format that will replace traditional barcodes for everyday products by 2027. We decode the product code (GTIN), batch / lot number, expiry date, and serial, so you can verify a product's authenticity at a glance.
The QR on Swiss invoices. We decode IBAN, creditor name and address, amount, currency, and reference, so you can open it in your banking app with full visibility into who's being paid.
Some QR formats should never run from a scan, javascript:, executable file URIs, and JavaScript-encoded data blobs. We hard-block these and tell you why. The action button is disabled by design.
Cashu ecash tokens are literally the money, anyone who photographs the QR can spend it. We flag this loudly. LNURL endpoints (Lightning sign-in, withdraw, pay) are decoded so you see where your wallet will connect before you tap.
When the QR is just plain text, we still check it for embedded URLs, leaked secrets (API keys, JWTs, SSH keys), AI-prompt-injection patterns aimed at downstream assistants, and look-alike unicode characters that disguise dangerous links.
"qr.abundera.ai/r/abc β walmart.com, clean β"
True at this exact moment. But the QR sticker on a parking meter routes through a shortener first. The account holder can change the destination at any time. Print a clean QR today, swap the target to a phishing page tomorrow, every subsequent scan of the same physical sticker lands on phishing. The URL scanner never told you that was possible.
"Goes through a shortener. The account owner can change the destination after print. Today it leads to walmart.com (clean)."
Two answers in one verdict. Now: is this safe today? Later: who can change it tomorrow? Both matter for a QR on a printed surface you can't un-print.
For credentials and identity documents, we identify the kind of QR you scanned, but we deliberately do not decode the personal information inside.
When you scan an authenticator-app export or setup code, we identify it and warn you about scanning it in the wrong place, but the actual secret seeds are never decoded by our server. They go to your authenticator app, not us.
Vaccine records and health certificates: we surface the issuer (which government / health authority) and what kind of record it is. Your name, date of birth, and medical history stay inside the credential, never echoed back through our scanner.
We show the flight info so you can verify the pass, but mask the booking reference behind a tap-to-reveal so a screenshot of our verdict isn't itself a way to access your booking.
WireGuard and SSH private keys in QR form are surfaced as masked fields you can tap to reveal on your device. They are not sent to any third party.
A few emerging QR formats we're tracking. We'll roll each one in as the standard stabilizes.
The EU's cross-border digital identity wallet (eIDAS 2.0) is rolling out 2024-2026. We already decode the closely-related mobile driver's license format; the EU wallet variant lands once member-state rollouts stabilize.
EU regulation requires every consumer product to carry a digital passport (sustainability, origin, repair info) by 2027. The format is already a GS1 Digital Link URL, which we decode today, the full passport surface gets richer as manufacturers publish their data.
The Bluetooth SIG is standardizing a QR format for mesh-network device commissioning (today's pairing QRs are vendor-specific). We'll add support when the spec ships.
QR Code, Aztec (mobile boarding passes), PDF417 (US driver licenses), Data Matrix (pharma + retail), Code 128/39/93, Codabar, EAN-13/8 (groceries), UPC-A/E (US retail), ITF (cartons), MaxiCode (UPS shipping labels), GS1 DataBar + DataBar Expanded (produce, coupons). Point the camera at any of these and we decode + classify the payload the same way as for QR.
We track every barcode format users might encounter. These are on our radar but unreachable in browser JavaScript today, either no production decoder exists, the standard is research-only, or the format is discontinued. Weβll ship support as soon as a viable path opens up (browser library, native app, or server-side decode).
Chinese national 2D symbology (GB/T 21049-2007). Used for industrial logistics and government documents. No production JavaScript decoder ships today, experimental support exists in zxing-cpp, which lands when we add the native Abundera QR Check app (planned).
Color 2D barcode standardized by the German BSI for anti-counterfeit packaging. The reference implementation is research-only C code; no JavaScript port exists. Watching for a maintained port to ship.
High-speed industrial printing format used by the tobacco and pharmaceutical sectors. No JavaScript decoder reads it reliably today, even with quality fixtures. On the radar for the native app stack.
PostNet, PLANET, Intelligent Mail (USPS), RM4SCC (Royal Mail), KIX (Dutch), Australia Post 4-State. Niche enough that no maintained JavaScript libraries exist. If a customer use case emerges weβll evaluate a native-app or server-side decoder.
Microsoft retired this color-barcode format in 2015 along with its scanner SDK. Not supportable, included here for completeness so anyone holding old marketing print material knows it wonβt scan.
Industrial niche 2D formats. No production JavaScript decoders. Each is rare enough in the wild that weβd only invest if a verified customer asked.