A QR code decoder reads the data hidden inside a Quick Response code — a URL, a Wi-Fi login, a contact card, or plain text. This tool does it without a camera and without uploading anything: drop an image of a QR code and it is decoded right in your browser.
How it works
QR decoding is a small computer-vision pipeline:
- Load and grayscale. The image is drawn onto an HTML canvas and each pixel reduced to a single brightness value.
- Binarise. Otsu’s method picks the brightness threshold that best separates dark modules from light ones, turning the image into pure black and white.
- Find the code. The three large corner squares — the finder patterns — are located by their characteristic
1:1:3:1:1run of dark and light, which fixes the grid’s position and module size. - Sample the grid. Each module’s centre is read as a single bit, reconstructing the matrix.
- Unmask and read. The format bits reveal which of the eight data masks was applied; reversing it and walking the modules in QR’s zig-zag order yields the bitstream, which is parsed into numeric, alphanumeric, or byte (UTF-8) characters.
What payload types are decoded
The decoder reads the raw text content of any QR code, then labels it by recognised format:
| Prefix / pattern | Type label | Example content |
|---|---|---|
http:// or https:// | URL | https://example.com/page |
WIFI:T:WPA;S:... | Wi-Fi network | SSID, security type, password |
BEGIN:VCARD | Contact card (vCard) | Name, phone, email |
mailto: | Email address | mailto:[email protected] |
tel: | Phone number | tel:+447700900000 |
geo: | Geographic coordinates | geo:51.5074,-0.1278 |
| Anything else | Plain text | A password, a serial number, etc. |
Knowing the type at a glance lets you decide what to do before acting on it.
QR codes as a security surface
QR codes are opaque by design — the human eye cannot read the encoded content, which makes them a natural vehicle for phishing. Common attack patterns:
- Shortened URLs pointing to malicious sites that look legitimate before the redirect
- Homograph domains where a Unicode character in the URL resembles a familiar brand name
- Wi-Fi credential harvesting via fake “free Wi-Fi” QR codes in public places
- Vishing via vCard — a QR-encoded contact that adds a fraudulent number to a phone book
Using the decoder before scanning lets you verify a QR code’s destination on a computer, where you can read the full URL and recognise suspicious domains, rather than tapping it directly on a phone.
Tips for reliable decoding
- A screenshot of an on-screen QR gives the cleanest read — no camera angle, blur, or glare.
- For printed codes, a straight-on, high-contrast photograph works well; extreme angles and low resolution are the most common failure causes.
- Very dense QR codes (large version numbers, many characters) may decode slowly or fail if the image resolution is low — use the highest resolution image you can.
- The decoder reports an honest failure rather than returning a garbled guess if it cannot find or parse the code.
- Your image is never uploaded — everything happens in your browser.