What does this QR really go to?
Point your camera, drop an image, or upload a PDF — we decode in your browser, flag homograph + punycode tricks, and surface a cache-hit verdict before you click. Every QR in the file is shown, and our 15-stage scanner takes it from there.
Drop an image or PDF, or
Snap a photo, screenshot the QR, or drop a PDF (every page scanned). We decode locally — your file never leaves your browser. If we find a link, we'll hand it to the URL scanner so you see what's on the other end.
From QR to verdict, in five steps.
The first three happen in your browser — the image never moves. We only call the URL scanner if you choose to.
- Camera, image, or PDFLive decode or upload
- Decode locally with jsQRBrowser-side, zero upload
- Classify every payloadURL · wifi · vCard · payment · multi-QR
- Cache hit + IDN checkPunycode-aware verdict pill
- Verdict before you visitAI + 70+ engines
Decode it, classify it, scan it.
Most QR scanners on the web upload your image to their servers and just open the link for you. We do neither. The decode runs in your browser, the URL goes nowhere until you choose, and the verdict comes from the same pipeline that powers our URL scanner.
Decoded in your browser
The QR image, the camera frame, the PDF — none of it leaves your device. We run jsQR (and pdf.js for PDFs) locally on a canvas. The only outbound request is when you choose to scan a decoded URL.
Camera, image, or PDF
Point your camera at a QR for instant decode (rear camera + torch on supported phones), drop a screenshot or photo, or upload a PDF — every page scanned for embedded quishing bait.
Cache-hit + IDN-aware
Decoded URLs are checked against our scan cache for an instant verdict pill. Punycode and mixed-script hosts (paypal.com vs раура1.com) are flagged before you can click handoff.
Multi-QR + non-URL warnings
Every QR in the file is surfaced — useful for sticker-bombed posters and PDF campaigns. Non-URL payloads (Wi-Fi, vCard, crypto wallet, premium-rate dial) get tailored risk warnings.
Four ways QRs are weaponised against you.
Sticker-over-QR in public
An attacker prints a malicious QR sticker and applies it over a legitimate one — parking meter, restaurant menu, charging station, EV charger. Tap, get redirected to a fake payment page, hand over your card.
QR in a phishing email
Email-perimeter filters scan links in <a> tags but rarely OCR images. Putting the URL inside a QR sidesteps the filter entirely. "Scan to view your shipping label" / "Scan to verify your account."
QR-swap on payment terminals
In countries where QR payment is the default (UPI, WeChat Pay, PIX), scammers swap the merchant's static QR for one that points at their wallet. The customer pays, the merchant never sees the money.
Fake Wi-Fi / event QR
A QR code labelled "Free Wi-Fi" connects you to an attacker-controlled access point. From there they can intercept anything you do on the network or push fake captive-portal logins.
Your image stays in your browser
We decode the QR using the open-source jsQR library on a <canvas> element inside the page. No upload happens — not when you drop the image, not when you paste a screenshot, not when we render the preview. The only outbound request is when you click Scan this URL, and at that point we send only the URL itself to the URL scanner.
Quick answers.
Does my QR image get uploaded?
What's quishing?
Can you decode a QR from a live camera?
Can I scan a PDF?
What if the image has multiple QR codes?
What about IDN homograph attacks?
What kinds of QR codes can it read?
What if the QR encodes Wi-Fi credentials, a phone number, or a contact card?
Why hand off to the URL scanner instead of just opening it?
Decode it before you tap it.
Free, anonymous, no account required. Decoded in your browser, scanned through the same 15-stage pipeline that powers our URL scanner. Don't hand your phone to a stranger's QR.
Scan a QR code