What's actually inside a boarding-pass barcode?

Per IATA Resolution 792, every boarding pass barcode encodes the passenger's full name (20 chars), the operating carrier's booking reference (PNR, 7 chars), departure airport (3 chars), arrival airport (3 chars), carrier code, flight number, Julian day of the flight, compartment class, seat number, check-in sequence number, and passenger status. Frequent-flyer numbers and additional itinerary segments are included in the conditional section.

Why is it risky to post my boarding pass online?

The combination of your full name plus the 7-character PNR is enough to log into the airline's 'Manage my booking' flow on most carriers. From there, an attacker can change your seat, redirect your frequent-flyer mileage, see your other upcoming trips, see your contact details, and build a targeted phishing email that name-drops your real itinerary. Several documented incidents involve passengers losing miles or having identity-theft attempts after posting boarding-pass photos to social media.

What symbology does my boarding pass use?

Most carriers worldwide use a 2-D QR or Aztec code. Some European carriers (Eurostar, SBB) use Aztec. A handful still issue PDF417 boarding passes. The content format is the same — IATA Resolution 792's fixed-width text — only the visual encoding differs.

Can my boarding pass be scanned by someone walking past me at the gate?

Yes. Phone cameras can decode the barcode from several feet away in good lighting. Anyone behind you in the boarding line who points their phone at your screen captures the same data the gate scanner reads. Cover the barcode with your hand or angle the screen toward your body until the gate agent is ready to scan it.

Standards · IATA Bar-Coded Boarding Pass

What's encoded in a boarding-pass barcode?

Almost everything an airline knows about your trip. The 2-D barcode (QR, Aztec, or PDF417) on your boarding pass carries your full name, your six- or seven-character booking reference, the carrier and flight number, route, departure date, seat, compartment class, check-in sequence, and any frequent-flyer number on file. Together, your name plus that booking reference is enough to log into the airline's website and access your booking — which is why a photo of a boarding pass posted publicly is a genuine security hazard.

Verify your boarding pass → All standards →

What's the format

The standard is IATA Resolution 792, maintained by the International Air Transport Association as part of the Passenger Services Conference Recommended Practices. It defines a fixed-width text encoding that fits inside a 2-D barcode and contains everything the gate agent's scanner needs to confirm your booking.

The container is symbology-flexible — most carriers use QR codes today, European high-speed-rail and SBB use Aztec, and a few legacy carriers still ship PDF417. The encoded TEXT is identical across all three; only the visual encoding differs. Our scanner reads all three symbologies and applies the same decoder to the resulting text.

The mandatory portion of every boarding pass is exactly 60 characters: a 2-character header (format code "M" + segment count) followed by 20 characters of passenger name, 1 character of electronic-ticket indicator, then 37 characters of segment data. Multi-segment connections add another 37 characters per segment. The conditional section (after the mandatory 60) typically carries the frequent-flyer number, fare basis, source of check-in (web / kiosk / agent), and any security data the carrier appended.

The full field layout

Header (2 chars)

Format code "M" + number of segments (1-4). A multi-segment ticket — e.g. SFO → JFK → LHR — has segment count 2 and carries two segment records back-to-back.

Passenger name (20 chars)

"LASTNAME/FIRSTNAME" left-justified, padded with spaces. Long names get truncated; the on-screen name printed on the pass is always the source of truth.

Electronic-ticket indicator (1 char)

"E" for an electronic ticket (every modern pass) or " " for a paper one (essentially never seen).

Per-segment (37 chars each)

PNR / record locator (7 chars) — the booking reference.
From / to airports (3 chars each) — IATA three-letter codes.
Carrier (3 chars, left-justified) — operating-airline IATA code.
Flight number (5 chars, zero-padded).
Date of flight (3 chars) — Julian day-of-year (e.g. "250" = day 250 = September 7).
Compartment (1 char) — Y / W / J / F / etc. (booking class).
Seat (4 chars, zero-padded).
Sequence number (5 chars, zero-padded) — your check-in order.
Passenger status (1 char) — 1=baggage required, 2=lounge access, 3=bypass security, F=boarded, G=gate-checked, etc.
Conditional length (2 hex chars) — bytes of conditional data after this segment.

Conditional section (variable)

After every segment, an optional run carrying the airline-specific extras: frequent-flyer number, fare basis code, baggage allowance, airline-specific security data, and a few less common fields. The frequent-flyer number is the most privacy-sensitive item here — it's a long-lived identifier tying every flight you've taken to a single account.

Security section (variable, optional)

Some carriers append a signature so the pass can be verified offline at the gate. Few enforce it. The presence of the signature does not change what's in the body.

Why posting a boarding-pass photo is risky

The combination of passenger name + PNR (the 7-character booking reference) is functionally a password on most airlines. "Manage my booking" lookups accept those two fields as identity proof. With them, an attacker can:

Change your seat assignment, or move you off the flight.
Cancel a free upgrade or move you off the upgrade waitlist.
See your contact details, including the phone number and email on the booking.
Redirect frequent-flyer mileage (some carriers, with extra steps).
See your other reservations on the same airline (some carriers).
Build a targeted phishing email — "Hi [your name], your United flight 123 SFO → JFK on Sep 7 has been rebooked, click here to confirm" — that name-drops real itinerary details. The recipient is far more likely to click than on a generic phishing email.

Several airlines have responded to past incidents by adding multi-factor identity proof to the manage-my-booking flow. Many haven't.

The mileage-redirect attack has been documented multiple times. Passengers who tweeted or Instagrammed a boarding-pass photo have lost upgrades, had bookings moved, and been targeted with itinerary-matched phishing within hours.

What our scanner surfaces, and how PNR is masked

Visible by default

Passenger name (first last), carrier + flight number (zero-stripped, e.g. "AA123"), route (SFO → JFK), date in ISO format (Julian day expanded with smart year-rollforward), seat (zero-stripped, e.g. "12A"), compartment class, sequence number, status (with human label — "Boarded", "Lounge access", etc.). Multi-segment passes get per-segment row labels.

Sensitive (tap-to-reveal)

The PNR is masked behind the same tap-to-reveal component we use for passwords and 2FA secrets. A screenshot of the verdict without tapping the reveal button doesn't leak the booking reference. Frequent-flyer number, when present in the conditional section, is not extracted at all by the server analyzer — it's a stable identity tying multiple trips together, and surfacing it on a verdict page would defeat the privacy posture.

Verifying your own boarding pass

Three legitimate reasons people scan their own:

Confirm the data is correct after a re-issue. Carriers occasionally typo a seat or flight number.
Sanity-check the upgrade or status the gate agent told you about — the passenger-status byte is the source of truth.
Recover a misplaced PNR when you no longer have the booking confirmation email but still have a screenshot of the pass.

The scanner runs in your browser; only the decoded text reaches our server (not the image). The verdict masks the PNR by default. If you screenshot the verdict for your records, the PNR stays masked unless you explicitly reveal it before the screenshot.

Try it on your boarding pass

Photograph the barcode (or use the camera on the scanner page) and drop it in. Verdict shows every segment of your itinerary with the PNR masked.

Open scanner →