Authentication

All API requests require authentication using an API key. This guide covers how to obtain and use your API key securely.

Getting Your API Key

  1. Visit qrcodeapi.io
  2. Select a plan (Free tier available)
  3. Create an account with your email
  4. Verify your email address
  5. Access your API key in the Dashboard

Authentication Methods

QR Code API supports three ways to authenticate requests:

1. Authorization Header (Bearer Token)

The most secure method is the Authorization header with a Bearer token:

bash
curl "https://www.qrcodeapi.io/api/generate?data=hello" \
  -H "Authorization: Bearer YOUR_API_KEY"

javascript
fetch('https://www.qrcodeapi.io/api/generate?data=hello', {
  headers: {
    'Authorization': 'Bearer YOUR_API_KEY'
  }
});

2. X-API-Key Header

Alternative header format for systems that prefer custom headers:

bash
curl "https://www.qrcodeapi.io/api/generate?data=hello" \
  -H "X-API-Key: YOUR_API_KEY"

javascript
fetch('https://www.qrcodeapi.io/api/generate?data=hello', {
  headers: {
    'X-API-Key': 'YOUR_API_KEY'
  }
});

3. Query Parameter

For simple testing or when headers aren't available:

bash
curl "https://www.qrcodeapi.io/api/generate?data=hello&api_key=YOUR_API_KEY"

Security Warning

Avoid using the query parameter method in production. API keys in URLs can be logged in server logs, browser history, and analytics tools.

API Key Format

API keys follow this format:

qrapi_live_xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx
  • Prefix: qrapi_live_ (or qrapi_test_ for test keys)
  • 32 random alphanumeric characters
  • Total length: ~44 characters

Security Best Practices

1. Never Expose Keys in Client-Side Code

javascript
// ❌ BAD - Key visible in browser
const API_KEY = 'qrapi_live_xxxxx';
fetch(`https://www.qrcodeapi.io/api/generate?api_key=${API_KEY}`);

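// ✅ GOOD - Proxy through your backend
fetch('/api/generate-qr', {
  method: 'POST', // a request with a body cannot use the default GET
  headers: { 'Content-Type': 'application/json' },
  body: JSON.stringify({ data: 'hello' })
});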

2. Use Environment Variables

bash
# .env file
QRCODE_API_KEY=qrapi_live_xxxxx

javascript
// Node.js
const apiKey = process.env.QRCODE_API_KEY;

python
# Python
import os
api_key = os.environ.get('QRCODE_API_KEY')
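
The backend half of the proxy pattern from items 1 and 2, as an added example (not code from QR Code API): the key is read from the environment, checked against the documented format, sent only in the Authorization header, and masked in anything that gets logged. The function names, the choice to answer the browser with 502 when the upstream returns 401/403, and Node.js 18+ (global fetch) are assumptions.

```javascript
// Added example: server-side helpers for a backend route such as /api/generate-qr.
// Assumptions: Node.js 18+ (global fetch); key in QRCODE_API_KEY; all names are hypothetical.
const KEY_FORMAT = /^qrapi_(live|test)_[A-Za-z0-9]{32}$/;
const KEY_ANYWHERE = /qrapi_(live|test)_[A-Za-z0-9]{32}/g;

// Load the key from the environment and fail closed if it is missing or malformed.
function loadApiKey(env = process.env) {
  const key = (env.QRCODE_API_KEY || '').trim(); // stray whitespace is a listed 401 cause
  if (!KEY_FORMAT.test(key)) {
    throw new Error('QRCODE_API_KEY is missing or not in qrapi_live_/qrapi_test_ format');
  }
  return key;
}

// Build the upstream request: the key goes in the Authorization header, never in the URL.
function buildUpstreamRequest(data, apiKey) {
  const url = new URL('https://www.qrcodeapi.io/api/generate');
  url.searchParams.set('data', String(data)); // URL-encodes untrusted client input
  return { url: url.toString(), headers: { Authorization: `Bearer ${apiKey}` } };
}

// Mask any key that ends up in a string before it is written to a log.
function redactKeys(text) {
  return String(text).replace(KEY_ANYWHERE, (m, kind) => `qrapi_${kind}_[REDACTED]`);
}

// Map upstream auth failures to a response that reveals nothing about the key to the browser.
function clientResponseFor(upstreamStatus) {
  if (upstreamStatus === 401 || upstreamStatus === 403) {
    return { status: 502, body: { error: true, message: 'QR service unavailable' } };
  }
  return { status: upstreamStatus, body: null }; // null: pass the upstream body through
}

// Proxy entry point; fetchImpl and log are injectable so it can be exercised offline.
async function generateQr(data, { env = process.env, fetchImpl = fetch, log = console.error } = {}) {
  const { url, headers } = buildUpstreamRequest(data, loadApiKey(env));
  const res = await fetchImpl(url, { headers });
  if (!res.ok) log(redactKeys(`upstream ${res.status} for ${url}`));
  const mapped = clientResponseFor(res.status);
  return { status: mapped.status, body: mapped.body ?? (await res.arrayBuffer()) };
}
```

Running `redactKeys` over existing access logs also shows whether any client is still using the `api_key` query parameter.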

3. Restrict Key Permissions

In your Dashboard, you can:

  • Set allowed domains (CORS restriction)
  • Set IP allowlists
  • Limit request rates
  • Enable/disable specific endpoints

4. Rotate Keys Regularly

  1. Go to Dashboard → Settings
  2. Click "Regenerate API Key"
  3. Update your applications with the new key
  4. The old key is immediately invalidated

Handling Authentication Errors

401 Unauthorized

json
{
  "error": true,
  "message": "Invalid API key"
}

Causes:

  • Missing API key
  • Invalid or expired API key
  • Key doesn't match the expected format

Solutions:

  • Verify your API key in the Dashboard
  • Check for typos or extra whitespace
  • Ensure the key is being sent correctly

403 Forbidden

json
{
  "error": true,
  "message": "API key not authorized for this endpoint"
}

Causes:

  • Accessing a Pro feature on Free plan
  • IP or domain restriction triggered

Solutions:

  • Upgrade your plan if needed
  • Check IP/domain restrictions in Dashboard

Testing Your API Key

Verify your API key is working:

bash
curl -I "https://www.qrcodeapi.io/api/health" \
  -H "Authorization: Bearer YOUR_API_KEY"

Expected response:

HTTP/2 200
content-type: application/json