What is Matter and what's the QR for?

Matter is the cross-vendor smart-home standard from the Connectivity Standards Alliance (CSA, formerly Zigbee Alliance), with founding backing from Apple, Google, Amazon, Samsung, and a long list of device makers. A Matter device works with any Matter-capable hub regardless of brand: an iPhone in HomeKit, a Google Nest Hub, an Amazon Echo, a Samsung SmartThings hub. The QR on the back of the device (or in the box, or on the rating label) is the onboarding code. Your phone's smart-home app scans it and the device gets commissioned into your Matter fabric — assigned an operational credential, joined to your network, and made addressable by every other Matter controller you have.

What's encoded inside the QR?

A Matter onboarding QR uses the MT: URI scheme followed by a Base38-encoded payload. Decoded, the payload contains: version (3 bits), vendor ID (16 bits, CSA-assigned per manufacturer), product ID (16 bits, manufacturer-assigned per model), custom-flow indicator (2 bits), discovery capabilities (8 bits: BLE / IP / soft AP / Wi-Fi PAF), discriminator (12 bits, used during discovery to disambiguate multiple unpaired devices), and a 27-bit passcode (the secret used in the PASE — Password-Authenticated Session Establishment — handshake). Optional TLV fields can extend the payload with serial numbers and rendezvous information.

Is it dangerous if someone photographs my Matter QR?

It depends on whether the device is already commissioned. Before commissioning: yes, somewhat. Whoever has the QR plus physical proximity (BLE range, or on the same Wi-Fi/Thread network) can commission the device into THEIR Matter fabric, locking you out until you factory-reset it. After commissioning: no. The QR's passcode is only used during the initial PASE handshake; once the device is paired, it's burned and the device only accepts operational credentials issued by your fabric. So the safe practice is: peel off and store the QR sticker before letting strangers (movers, repair people, AirBnB guests) into the home, or commission the device IMMEDIATELY when it's unboxed so the window is short.

How is a Matter QR different from a Wi-Fi QR?

Different layer, different purpose. A Wi-Fi QR (WIFI: scheme) tells your phone to join a specific Wi-Fi network — SSID, security type, password. A Matter QR (MT: scheme) tells your smart-home app to add a specific device to your home — vendor, model, discriminator, pairing passcode. The Matter device will then independently join Wi-Fi or Thread using credentials your hub passes to it during commissioning. They serve different layers of the same setup flow.

What about Thread Border Routers and Matter-over-Thread devices?

Many Matter devices (door locks, contact sensors, motion sensors, low-power bulbs) use Thread as their network instead of Wi-Fi. Thread is a low-power mesh radio. The Matter onboarding QR is the same regardless — vendor / product / discriminator / passcode. The commissioning hub (your Apple TV, Google Hub, Echo Hub) acts as a Thread Border Router, joining the device to your Thread network and exposing it on your Matter fabric so it's addressable from any controller in the home.

Standards · Matter device commissioning

Matter device commissioning QR codes

When you scan the QR on the back of a smart light bulb, smart plug, contact sensor, or door lock that carries the Matter logo, your phone runs through a five-step handshake that adds the device to your home. The QR carries everything your hub needs to find that specific device — vendor, model, a per-device discriminator, and a one-time pairing passcode — plus a list of how the device can be reached on the air (BLE, Wi-Fi, Thread). Here's what's encoded, what it leaks, and why the QR matters in a way Wi-Fi QRs don't.

Inspect a Matter QR → All standards →

What's the standard

Matter is published by the Connectivity Standards Alliance (CSA), formerly the Zigbee Alliance, with founding backing from Apple, Google, Amazon, Samsung, Comcast, and a long list of device makers. Matter 1.0 shipped in October 2022; Matter 1.4 is current as of early 2026, with cameras, energy management, EV chargers, and water-management devices added since 1.0. The specification covers application-layer protocol, security, commissioning, and the QR onboarding format.

The pairing-QR format is part of the Matter Core Specification, "Onboarding Payload" section. There are three forms of the same payload:

QR code with prefix MT: followed by a Base38-encoded blob. This is what most apps prefer because it's faster.
Manual pairing code, an 11-digit numeric string for cases where the QR is damaged or the device is too small for a QR. You can type it in.
NFC tag carrying the same Base38 payload. Less common on consumer devices but increasingly used on smart locks where tap-to-pair is more ergonomic.

All three encode the same fields with the same trust model — they're interchangeable from a commissioning perspective.

What's actually inside the QR

The Base38 payload after the MT: prefix decodes to a packed binary structure. The mandatory fields:

Version (3 bits)

Always 0 for current devices. Reserved for future protocol revisions.

Vendor ID (16 bits)

CSA-assigned identifier for the manufacturer. Every member organization gets a unique vendor ID; 0xFFF1–0xFFF4 are reserved for test / development. Our scanner resolves the vendor ID against the CSA registry where known.

Product ID (16 bits)

Manufacturer-assigned identifier for the specific model. Combined with the vendor ID, it uniquely identifies a SKU (e.g. "Eve Energy 2nd gen").

Custom flow (2 bits)

0 = standard commissioning (just pair it), 1 = user-action required (e.g. press a button on the device first), 2 = custom flow (manufacturer-specific setup steps). Determines what UI your hub app shows.

Discovery capabilities (8 bits)

A bitmask of how the device can be discovered in its uncommissioned state: BLE (most common), on-network IP (already on your Wi-Fi or Ethernet — rare for consumer kit), Soft-AP (device hosts a temporary Wi-Fi network), Wi-Fi PAF (Public Action Frame discovery, newer).

Discriminator (12 bits)

A short identifier the device advertises during discovery so your hub can pick the right uncommissioned device when several are in BLE range. Not secret — it's the "this is the one I just unboxed" signal.

Passcode (27 bits)

The shared secret used in the PASE handshake. The phone proves to the device that it has this passcode without sending it over the air in plaintext. Once commissioning completes, the passcode is no longer useful. Range: 1 to 99,999,998 (some values forbidden by spec to avoid trivially-guessable codes like 11111111).

TLV extension (optional, variable)

Optional fields can extend the payload with the device serial number, rendezvous info, and other manufacturer-specified attributes. Most consumer devices skip this.

The commissioning handshake (why the passcode design matters)

Matter's commissioning flow is PASE → CASE:

Discovery. Your phone broadcasts BLE scans (or listens on local Wi-Fi); the uncommissioned device is advertising with its discriminator. Your phone matches the discriminator from the QR.
PASE — Password-Authenticated Session Establishment. Phone and device run a SPAKE2+ handshake using the 27-bit passcode. After SPAKE2+ completes, both sides have a shared session key, and the passcode itself never crossed the air.
Attestation. The device presents a Device Attestation Certificate (DAC) signed by a CSA-recognized root. Your hub verifies the device is a genuine certified Matter device with the claimed vendor/product ID.
Network credentials. Your hub passes the device the operational network credentials (Wi-Fi password OR Thread network credentials) needed to actually communicate.
CASE — Certificate-Authenticated Session Establishment. Your fabric issues the device an operational certificate. From here on, every controller in the fabric authenticates to the device via CASE; the QR passcode is dead.

The key property: the QR passcode is short-lived authentication, not long-term identity. Once a device is commissioned, throw the QR sticker in a drawer (or peel and shred). Re-commissioning requires either physical access to factory-reset the device, OR cooperation from the existing fabric to issue an updated commissioning window.

Threat model: photographing an unpaired device's QR

Unique to Matter — the QR is operationally meaningful BEFORE commissioning. Compare to other categories:

A Wi-Fi QR leaks a password but joining the network is a "weak" action — attacker needs to physically be in range.
A boarding-pass QR leaks a booking reference but the attacker needs the passenger's last name and a separate channel.
A Matter QR + physical proximity (BLE / same Wi-Fi) = full commissioning. The attacker can claim the device into THEIR fabric, locking you out until you factory-reset. For a smart lock, that's a serious incident.

Real-world scenarios where this matters:

Movers, repair workers, AirBnB guests with line-of-sight to unboxed-but-unpaired devices.
Returns / refurbished sales where a device is shipped back to the manufacturer or to a marketplace buyer with the QR sticker intact and the device not factory-reset.
Photos of new device boxes posted on social media (the "just got my Matter lock!" post with the QR visible).
Public installations (commercial smart lighting, hotel rooms) where the QR is bonded to the fixture and reachable by anyone with BLE.

Defense: commission the device as soon as you unbox it (closes the window), then peel and shred the sticker. For devices already deployed in shared / public spaces, ensure the device is commissioned to a fabric, which prevents fresh pairing without a factory reset.

What our scanner shows you

Drop a Matter QR (image, paste, or camera) into our scanner. The verdict shows:

Version — currently always 0.
Vendor ID — and the resolved manufacturer name where it's a known CSA-registered vendor.
Product ID — and the device-class hint if we can resolve it.
Custom flow — standard / user-action / custom.
Discovery capabilities — which radios the device is willing to use for discovery.
Discriminator — the discovery identifier (not secret).
Passcode — masked by default (tap-to-reveal sensitive field). Useful for typing the manual pairing code if your QR isn't readable, dangerous if the QR isn't yours.

We do NOT phone home to your hub or attempt commissioning. The decode is local; only the metadata reaches our server for the safety classification.

Before you commission an unfamiliar Matter device

Do you know who shipped this device? If you bought it secondhand or it was already installed when you moved in, factory-reset it before commissioning. The previous owner's fabric may still hold credentials.
Does the vendor ID match the brand on the box? Counterfeit Matter devices use test vendor IDs (0xFFF1–0xFFF4) because real CSA membership costs money. Our scanner flags test vendor IDs.
Is the custom-flow flag what you expected? A device that demands a custom flow (flag = 2) when the box says "scan to pair" is anomalous.
Are you commissioning in a trusted location? BLE-range neighbours can race to claim an uncommissioned device. Commission at home, not at a coffee shop, ideally with Wi-Fi off and only BLE active so the discovery is unambiguous.
After commissioning, peel and store the sticker. The passcode is dead, but the discriminator + vendor + product info is enough for an attacker to enumerate devices in the home.

Inspect a Matter onboarding QR

Drop the QR (image, paste, or camera). Verdict shows vendor, product, discriminator, capabilities, and a masked passcode. We don't talk to your hub or attempt to commission — the decode is local and the metadata is the only thing that reaches the safety classifier.

Open scanner →