Standards

Every QR standard we recognize, explained

A QR code is a container. What's inside can be a payment, a vaccine record, a driver's license, an eSIM, a passkey sign-in, a smart-home pairing — each governed by its own international standard, with its own threat model. This is the authoritative reference for every standard our scanner identifies, what's actually inside one when you scan it, and exactly what we surface vs deliberately mask.


Payment standards

Every QR you've scanned to pay a merchant in the last five years runs on EMVCo's TLV framing — but the contents are country-specific. We identify the specific scheme, decode the merchant fields you need to verify before paying, and validate the CRC checksum that sticker-swap attackers can't forge.

EMVCo MPM / CPM

The base standard for every merchant-presented QR payment globally. Tag-Length-Value framing carrying merchant name, city, country, currency, amount, recipient account info, and a CRC-16/CCITT-FALSE checksum.

We surface: merchant name, city, country, ISO 4217 currency (full table — 169 codes), MCC category, amount, dynamic vs static, tip indicator, additional-data subfields (reference label, bill number, customer label, terminal label, purpose).

Threat scoring: invalid CRC → suspicious (the QR has been altered or corrupted — the most reliable sticker-swap signal).
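The TLV walk and CRC check described above, as an added example (not the scanner's own code). It uses the standard EMVCo tag numbers; the sample payload is constructed, and the `verdict` strings are illustrative.

```python
def crc16_ccitt_false(data: bytes) -> int:
    """CRC-16/CCITT-FALSE: poly 0x1021, init 0xFFFF, no reflection, no final XOR."""
    crc = 0xFFFF
    for byte in data:
        crc ^= byte << 8
        for _ in range(8):
            crc = ((crc << 1) ^ 0x1021) if crc & 0x8000 else (crc << 1)
            crc &= 0xFFFF
    return crc


def parse_tlv(payload: str) -> dict:
    """Split a payload into {tag: value}: 2-digit tag, 2-digit length, then the value."""
    fields, i = {}, 0
    while i < len(payload):
        header = payload[i:i + 4]
        if len(header) < 4 or not (header.isascii() and header.isdigit()):
            raise ValueError(f"bad tag/length header at offset {i}")
        tag, length = header[:2], int(header[2:])
        value = payload[i + 4:i + 4 + length]
        if len(value) != length:
            raise ValueError(f"tag {tag} is truncated")
        fields[tag] = value
        i += 4 + length
    return fields


def check_emv_qr(payload: str) -> dict:
    """Decode the fields to verify before paying and score the CRC (tag 63, last object)."""
    fields = parse_tlv(payload)
    # The CRC covers everything up to and including the "6304" tag/length header.
    expected = f"{crc16_ccitt_false(payload[:-4].encode('utf-8')):04X}"
    crc_ok = payload[-8:-4] == "6304" and payload[-4:].upper() == expected
    return {
        "merchant": fields.get("59"), "city": fields.get("60"),
        "country": fields.get("58"), "currency": fields.get("53"),
        "mcc": fields.get("52"), "amount": fields.get("54"),
        "dynamic": fields.get("01") == "12",  # "11" = static, "12" = dynamic
        "crc_valid": crc_ok,
        "verdict": "crc-ok" if crc_ok else "suspicious",
    }


def build_sample(merchant: str) -> str:
    """Constructed sample: static QR, MCC 5411, currency 986 (BRL), country BR."""
    body = ("000201" "010211" "52045411" "5303986" "5802BR"
            f"59{len(merchant):02d}{merchant}" "6009SAO PAULO" "6304")
    return body + f"{crc16_ccitt_false(body.encode('utf-8')):04X}"
```

The checksum is unkeyed, so a matching CRC shows only that the payload is internally consistent; the decoded merchant name, city and amount still have to be compared with who you intend to pay.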


Pix (Brazil)

Brazilian Central Bank's instant-payment scheme. World leader by transaction volume. Two flavors: static (a QR you can reuse) and dynamic (one-shot QR with an embedded transaction ID).

We surface: recipient Pix key (CPF / CNPJ / email / phone / EVP UUID), payment description, dynamic-QR URL when present.


UPI (India)

India's Unified Payments Interface — the largest by user count. UPI Virtual Payment Address (VPA) routes payments between banks in real time.

We surface: payee VPA, payee name, amount, currency, transaction reference, MCC, transaction note.


Swiss QR-bill

ISO 20022 SPC v2.2 — not EMVCo. Replaces the orange/red Swiss payment slip. 33 line-delimited fields covering creditor, ultimate creditor, ultimate debtor, reference type (QRR / SCOR / NON), bill information, and alternative procedures.

We surface: creditor IBAN, full creditor address, ultimate debtor, amount, currency, reference type pretty-printed, structured reference, unstructured message, eBill alt-procedure URL.


EPC Girocode (SEPA)

European Payments Council credit-transfer QR. Used widely in Germany, Austria, Netherlands, and the Nordics for invoice payment.

We surface: beneficiary name, IBAN, BIC, amount, remittance information, purpose code.


ZATCA Fatoora (Saudi Arabia)

Cryptographically signed invoicing — mandatory on every commercial transaction in the Kingdom. TLV-encoded with five required tags (seller, VAT number, timestamp, total, VAT amount) plus an ECDSA signature.

We surface: seller name, VAT registration number, ISO 8601 timestamp, invoice total, VAT amount.


And many more: we identify national payment schemes for 54 countries — PromptPay (Thailand), PayNow (Singapore), DuitNow (Malaysia), QRIS (Indonesia), Bizum (Spain), Swish (Sweden), MB WAY (Portugal), BLIK (Poland), Wero (EU), and dozens more covered in the analyzer catalog.

Health credentials

Vaccine records, prescriptions, lab results, and travel certificates. Cryptographically signed by national health authorities. We identify the credential and surface the issuer + type — but we deliberately never decode the patient's name, date of birth, or medical history. Your wallet app is the right place to view those.

SMART Health Cards

Numeric-encoded JWS wrapping a DEFLATE-compressed JSON payload with FHIR resources. Used by Apple Wallet, the Common Trust Network, US states, Canadian provinces, and several pharmacy chains for vaccine and lab records.

We surface: issuer URL, ISO timestamp of issuance, credential type (covid19 / immunization / lab / etc.), FHIR version, resource count + types.

We never decode: patient name, date of birth, vaccination/test dates, individual FHIR resource bodies. Test-gated in the analyzer suite.

EU Digital COVID Certificate (HC1)

The HC1: prefix wraps a base45 → DEFLATE → COSE_Sign1 → CBOR → CWT chain ending in an EU-defined HCERT claim. Still used for non-COVID travel docs in some member states after the COVID emergency wound down.

We surface: issuer country (ISO 3166-1), issued-not-before timestamp, expiration timestamp, schema version, credential kind (vaccination / test / recovery), target disease (SNOMED-CT — "COVID-19" rendered, not the raw 840539006 code), country of vaccination/test, issuer organization, dose number / total, test type, test result.

We never decode: patient name, DOB, dose dates, unique certificate ID (UVCI). Test-gated.

Identity documents

Driver licenses, mobile IDs, and digital identity wallets. The barcode on the back of a US driver's license carries every field on the front. The mobile-driver-license QR transmits a connection handshake so a verifier can connect over NFC / BLE to read attributes.

AAMVA driver license

The PDF417 barcode on the back of every US and Canadian driver's license. Subfile-element format per AAMVA Card Design Standard appendix D.12.5.

We surface (~17 fields): first/middle/last name, ISO-formatted DOB, sex, height, eye color, license number (masked), license class, restrictions, endorsements, expiration, issue date, full address, country, organ donor flag, veteran flag, under-21-until threshold.

Sensitive by default: license number + DOB render as tap-to-reveal masked fields so a screenshot of the verdict isn't itself an identity leak. Privacy warning calls out that bars and clubs scanning IDs receive ALL of this data, not just the holder's age.


Mobile Driver License (ISO 18013-5)

The mdoc: QR your iOS / Android mobile driver license shows when handed to a verifier. CBOR DeviceEngagement with a cipher-suite selector, the holder's ephemeral public key, and the list of transfer methods the verifier can use to connect.

We surface: protocol version, cipher suite (P-256 ECDH-ES + A256KW is the mandatory one today), supported transfer methods (NFC / BLE / Wi-Fi Aware), server-retrieval host (when present).

We never decode: the holder's ephemeral public key bytes (surfaced as length only). The actual mDL attributes flow over the negotiated channel after the verifier connects — never through this scanner.

EU Digital ID Wallet (eIDAS 2.0)

OpenID4VP and eudi-openid4vp schemes for cross-border identity presentation. Member-state rollouts ramping 2024-2026.

We surface: protocol family (openid4vp / eudi-openid4vp / mdoc-openid4vp / siopv2), client_id, response_uri hostname, request_uri hostname for signed-request flows, response_mode.

DID URIs

Decentralized Identifiers — did:web, did:key, did:ion, did:ebsi, and other methods.

We surface: DID method, method-specific identifier, service parameter, relative reference, verification fragment.

Authentication & passkeys

The QR-login flows that protect (or compromise) every account you have. We identify each kind and warn loudly when a QR is asking you to complete someone else's sign-in instead of your own.

FIDO CTAP 2.2 hybrid

The cross-device passkey QR your laptop shows when you sign in with a passkey on your phone. Base10-encoded CBOR map with the peer public key, QR secret, operation hint, tunnel-server domain, timestamp, and state-assistance flag.

We surface: operation (make-credential / get-assertion / discoverable), tunnel-server domain (e.g. cable.ua5v.com), ISO timestamp, supports state-assisted, peer-pubkey length, QR-secret length.

Hard warning: scanning this QR completes a sign-in someone STARTED ON ANOTHER DEVICE. If you didn't just initiate a passkey login yourself, refuse — you'd be signing whoever generated this QR into your account.

HOTP / TOTP (2FA setup)

RFC 4226 / RFC 6238 one-time-password setup QRs. The otpauth:// URI your bank or work app shows when enrolling an authenticator.

We surface: issuer, account, algorithm (SHA1 / SHA256 / SHA512), digits (6 / 8), period (TOTP) or counter (HOTP), issuer icon URL.

Sensitive by default: the Base32 secret renders as tap-to-reveal. We also Base32-validate the secret and warn loudly when it's malformed — authenticator apps accept malformed secrets silently and then generate codes that never verify.
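One way to implement the otpauth:// parsing and Base32 check described above, as an added example (not the scanner's own code). The sample URIs and the masking string are constructed; the defaults (SHA1, 6 digits, 30-second period) follow the common Key URI convention.

```python
import base64
from urllib.parse import urlsplit, parse_qs, unquote

B32_ALPHABET = set("ABCDEFGHIJKLMNOPQRSTUVWXYZ234567")
VALID_TAIL = {0, 2, 4, 5, 7}  # unpadded lengths (mod 8) that decode to whole bytes


def validate_secret(secret: str) -> list:
    """Return the problems found in a Base32 secret; an empty list means well-formed."""
    s = secret.replace(" ", "").rstrip("=").upper()
    if not s:
        return ["secret is missing or empty"]
    problems = []
    bad = sorted(set(s) - B32_ALPHABET)
    if bad:
        problems.append(f"characters outside the Base32 alphabet: {''.join(bad)}")
    if len(s) % 8 not in VALID_TAIL:
        problems.append(f"length {len(s)} cannot encode a whole number of bytes")
    if not problems:
        base64.b32decode(s + "=" * (-len(s) % 8))  # final proof that it decodes
    return problems


def parse_otpauth(uri: str) -> dict:
    """Surface the enrollment fields; the secret is validated but never returned."""
    parts = urlsplit(uri)
    kind = parts.netloc.lower()
    if parts.scheme != "otpauth" or kind not in ("totp", "hotp"):
        raise ValueError("not an otpauth:// TOTP/HOTP URI")
    q = {k: v[0] for k, v in parse_qs(parts.query).items()}
    # The label is "Issuer:account" or just "account".
    issuer, _, account = unquote(parts.path.lstrip("/")).rpartition(":")
    return {
        "type": kind,
        "issuer": q.get("issuer") or issuer or None,
        "account": account.strip(),
        "algorithm": q.get("algorithm", "SHA1").upper(),
        "digits": int(q.get("digits", "6")),
        "period": int(q.get("period", "30")) if kind == "totp" else None,
        "counter": int(q["counter"]) if kind == "hotp" and "counter" in q else None,
        "secret": "********",  # masked placeholder, never the real value
        "secret_problems": validate_secret(q.get("secret", "")),
    }


# Constructed sample URIs: one well-formed, one with '1' (not a Base32 character).
GOOD = "otpauth://totp/ACME:alice@example.com?secret=JBSWY3DPEHPK3PXP&issuer=ACME"
BAD = "otpauth://totp/ACME:alice@example.com?secret=JBSWY3DPEHPK3PX1&issuer=ACME"
```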


Authenticator export (otpauth-migration)

The Google Authenticator bulk-export QR. Carries every 2FA secret in the authenticator at once — a protobuf bundle with N OtpParameters entries.

We surface (per entry): issuer, account, type (HOTP / TOTP), algorithm, digits, counter, plus version / batch metadata. The disclosure enumerates "Grants in this bundle: ACME / alice@acme; GitHub / bob@github; …" so a user who IS mid-migration can audit before importing.

We never decode: the actual secret seed bytes. Verified by test with canary strings that must never appear in any verdict output.

Hard warning: threat class is likely_dangerous unless the user is LITERALLY mid-migration between their own devices.


Sign-In with Ethereum (SIWE / EIP-4361)

The plain-text login message your wallet signs to prove control of a wallet address to a website.

We surface: site domain, wallet address, chain ID, nonce, expiration time.

Warning: read the site and statement carefully — a malicious site can use a signed SIWE message to impersonate you on that domain.

Travel & tickets

IATA boarding pass (Resolution 792)

The QR / Aztec / PDF417 on your airline boarding pass. Fixed-width header (60 chars) plus 37-char mandatory data per segment.

We surface (per segment): carrier code + flight number (zero-stripped), route (FROM → TO), date (Julian day → ISO with smart year roll-forward), seat, compartment class, sequence number, status (Boarded / Lounge access / Bypass security / etc.). Multi-segment passes get per-segment row prefixes.

Sensitive by default: PNR / booking reference renders as tap-to-reveal — your name plus PNR is enough to access the booking on most airline websites. Don't post boarding-pass photos publicly.

eSIM activation (GSMA SGP.22)

The QR you scan to install a phone plan. Format: LPA:1$<SM-DP+>$<AC-Token>[$<SM-DP+ OID>][$<CC required>].

We surface: SM-DP+ FQDN (the carrier server that'll talk to your phone), activation code, confirmation-code-required flag.

Warning: an installed eSIM profile can intercept SMS — which includes SMS-based 2FA codes. Verify the SM-DP+ matches your real carrier (Airalo, Saily, Truphone, Google Fi, etc.) against an allowlist before installing.


Smart home & IoT

Matter onboarding

MT:-prefixed base38 packed-binary code from the Connectivity Standards Alliance. Cross-vendor smart-home pairing — works in Apple Home, Google Home, Amazon Alexa, Samsung SmartThings.

We surface: Vendor ID, Product ID, discriminator, 8-digit setup passcode (sensitive-masked), commissioning flow, discovery capability flags (Soft-AP / BLE / existing IP network), spec version.

Apple HomeKit (X-HM://)

Apple HAP accessory-setup URI. Predates Matter; still ships on many accessories that don't support Matter yet.

Wi-Fi Easy Connect (DPP)

Wi-Fi Alliance Device Provisioning Protocol — the modern replacement for WPS. Used in 2025-era routers for QR-based device onboarding.

Bluetooth Auracast (BAU v1.0)

Bluetooth SIG's QR scheme for LE Audio broadcasts. Service UUID 184F identifies Auracast; we surface the broadcast name (base64-decoded) and encryption state.

Crypto & Lightning

Bitcoin (BIP-21)

The standard Bitcoin payment URI. We surface address, amount (with BTC/sat unit), label, message, PayJoin endpoint (pj=), BIP-72 payment-request URL (r=), required (req-*) parameters, Lightning fallback.

Ethereum (EIP-681)

Ethereum payment request URI with chain selection. We decode recipient vs contract, chain ID with human label (Ethereum mainnet, Optimism, Polygon, Base, Arbitrum, BNB Chain, Gnosis, Avalanche, Sepolia), value (wei → ETH/Gwei pretty-print), function call name, ERC-20 transfer args.

Warning: a contract call is not the same as a simple send — wallet drainers depend on users not noticing the difference.

WalletConnect (ERC-1328)

The dApp↔wallet pairing URI. We surface version (v2 is current; v1 is deprecated and weaker), topic, relay protocol, session symmetric key (sensitive-masked).

Solana Pay

Solana Foundation's transfer-request URI. We surface recipient, amount, SPL token mint, label, reference, message, memo.

Lightning Network (BOLT-12, LNURL)

BOLT-12 offers (lno1…) are reusable Lightning payment requests. LNURL (lnurl1…) bech32-encodes an HTTPS endpoint that your wallet calls to fetch an invoice, withdraw, channel-open, or auth.

Cashu ecash

Bearer ecash token. Distinct from every other crypto format because the QR literally IS the money — anyone who photographs it can spend it.

Sensitive by default: token string masked; verdict warns loudly that the QR carries unspent value.

Nostr (NIP-19)

Bech32-encoded Nostr identifiers. We recognize npub (public key), nsec (private key — hard-warned), note, nevent, nprofile, naddr, nrelay.

nsec sensitive: a Nostr private key in a QR means the holder's identity has been captured. We flag it as a credential leak.

Industrial & regulatory

GS1 Digital Link

The standard that will replace 1-D barcodes for consumer products. Application Identifiers in the URL path encode GTIN, batch / lot, production / expiry date, serial, and more.

We surface: GTIN (01), batch / lot (10), production date (11), best-before (15), expiry (17), serial (21), and additional AIs as named fields.


EU Digital Product Passport

EU regulation requires every consumer product to carry a digital passport (sustainability, origin, repair info) starting 2027. Built on GS1 Digital Link URLs that resolve to per-product passport pages.

The QR itself is decoded today via our GS1 Digital Link analyzer; the passport content beyond the URL is published by each manufacturer.

VPN & developer credentials

WireGuard config

INI-format WireGuard VPN configuration. We surface interface address, DNS, listen port, peer endpoint, allowed IPs, persistent keepalive, additional-peer count.

Sensitive by default: interface private key and preshared key render as tap-to-reveal. Warning when allowed-IPs is 0.0.0.0/0 (full-tunnel — every byte of your traffic through someone else's server).

SSH public key

OpenSSH authorized_keys format (ssh-ed25519 / ssh-rsa / ssh-ecdsa). We surface algorithm, comment, and key length.

X.509 certificate / JWT

PEM-armored X.509 certs and raw JWT compact serializations. We DER-walk the cert to extract Subject CN/O, Issuer CN, NotBefore/NotAfter, and public-key bit length. We flag expired certs.

JWT privacy: we surface alg + typ from the header but NEVER decode the JWT payload claims — they may contain account IDs, scopes, or other secrets that don't belong in scan results.

PGP key block

OpenPGP PUBLIC / PRIVATE KEY block. We surface format only — the key material is masked. PRIVATE KEY blocks get a loud "do not share this QR" warning.

Symbologies we decode (the visual code itself)

A symbology is the *container* — the shape of dots and squares. The standards above are the *payload* — what's inside. Our scanner reads every open-standard symbology and hands the decoded text to the right analyzer above.

QR Code (ISO/IEC 18004)

Model 1 (1994 original), Model 2 (the current global standard), Micro QR (small components), and rectangular Micro QR (rMQR, ISO/IEC 23941:2022 — narrow labels like test tubes).

Aztec Code (ISO/IEC 24778)

The bullseye-finder symbology used on Eurostar, SBB, and many European transit boarding passes.


Data Matrix (ISO/IEC 16022)

Dense small-format symbology. Used by GS1 retail, DSCSA pharma, MIL-STD-130 defense, ATA Spec 2000 aviation, and ISBT 128 blood-products labeling.


PDF417 (ISO/IEC 15438)

Stacked linear symbology used on US/CA driver licenses (AAMVA), shipping labels, and FedEx airbills.


1-D barcodes

EAN-13, EAN-8, UPC-A, UPC-E, Code 128, Code 39, Code 93, Codabar, ITF — the linear barcodes you see at every grocery checkout and on every shipping label.

Why this matters

A QR's safety is not the safety of its URL — it's the safety of the standard governing what's inside. A payment QR is dangerous because someone swapped the sticker; a passkey QR is dangerous because someone wants to log in as you; a vaccine-record QR is dangerous because of who's holding the scanner that reads it. We model each one separately, against its own threat model, with field-level decoding rather than guessing.

Every analyzer above is open about what it surfaces and what it deliberately masks — so you can verify our claims by reading the verdict output, not by trusting a black box.
