What Is a QR Code? A Plain-English Guide to How They Work
What is a QR code? A clear guide to how QR codes work, their anatomy, error correction, types, and the quishing security risks you should know in 2026.
You point your phone's camera at a little square of black-and-white pixels on a restaurant table, a parking meter, or a poster, and a second later a website opens. Most of us do this several times a week without ever wondering what that square actually is, how it manages to survive being scratched or printed badly, or whether following it is safe. This guide answers all three questions in plain English.
A QR code (short for "quick-response code") is a two-dimensional matrix barcode — a square grid of black and white squares called "modules" that a camera can read. It stores data such as URLs, text, or contact details, holding far more information than a traditional one-dimensional barcode. That's the short answer. The rest of this article explains how it works, why a damaged code still scans, the types you'll meet, and the real security risks worth knowing about in 2026.
Why bother understanding it? Because QR codes are now woven into everyday life — menus, payments, parking, packaging, posters — and that ubiquity is exactly why both their workings and their risks are worth ten minutes of genuine understanding.
QR code definition: what does "QR" actually mean?
"QR" stands for quick response. The name reflects the design goal: a code that scanners could read fast, from any angle, even when partially obscured. Technically, it's a 2D matrix barcode — "2D" because, unlike the striped barcode on a cereal box, it encodes data along both the horizontal and vertical axes at once.
The QR code was invented in 1994 by Masahiro Hara and his team at Denso Wave, a Japanese subsidiary of the Denso automotive group, as documented on Wikipedia. The problem they were solving was industrial: Toyota's "kanban" just-in-time manufacturing needed to track car parts on the assembly line, and ordinary 1D barcodes couldn't hold enough data — nor could they encode Japanese Kanji and Kana characters. Denso Wave's own history page tells the story: they needed a code that stored more information and could be read quickly even at speed on a factory line.
Two decisions made the QR code a global standard rather than a niche factory tool. First, it became an international standard — ISO/IEC 18004, whose current edition dates from 2024. Second, and crucially, Denso Wave kept the patent but chose not to enforce it. As the company explains on its history page, it declared it would not exercise its patent rights, effectively making the format free for anyone to generate and use. That openness is the single biggest reason QR codes are everywhere today.
QR code vs barcode: why 2D beats 1D
The barcodes you see at checkout are one-dimensional: a series of parallel stripes of varying width, read by a laser sweeping across them in a single direction. They're reliable but limited — a typical retail barcode encodes only around 20 to 25 characters, just enough for a product number.
A QR code reads in two directions, which multiplies its capacity dramatically. At its largest configuration, a single QR code can hold up to 7,089 numeric characters, 4,296 alphanumeric characters, 2,953 bytes, or 1,817 Kanji characters, per the figures detailed on Wikipedia. That's the difference between storing a product ID and storing a full URL with tracking parameters, a Wi-Fi password, or an entire contact card.
The other advantage is resilience. A 1D barcode has no meaningful way to recover from damage — smudge a few stripes and it fails. A QR code has built-in error correction (more on that shortly), which is why one can keep working with a coffee stain across it or a company logo planted in the middle.
How do QR codes work? The anatomy of the matrix
A QR code looks like random noise, but almost every part of it has a job. Understanding the anatomy is the clearest way to grasp how scanning works.
Modules and the grid
Each black or white square is a module, and modules are arranged on a fixed grid. QR codes come in 40 versions, from version 1 at 21×21 modules up to version 40 at 177×177 modules. The grid size follows a simple formula: side length = 4 × version + 17 modules, as set out on Wikipedia. The more data you encode, the higher the version, and the denser the grid.
Finder patterns
Look at any QR code and you'll see three large nested squares in three of its corners. These are the finder patterns. They're the first thing a scanner hunts for: by locating three of them, the camera instantly knows where the code is, how big it is, and which way up it sits — so you don't have to align your phone perfectly.
Alignment patterns
Larger codes (roughly version 2 and up) add smaller nested squares called alignment patterns. They help the scanner correct for distortion — a code printed on a curved bottle, photographed at an angle, or stretched slightly — by giving extra reference points across the grid. The structural roles of these patterns are described in Scanova's breakdown of QR structure.
Timing patterns
Running between the finder patterns are two lines of alternating black and white modules: the timing patterns. They act like a ruler, telling the decoder exactly where each row and column of the grid begins, so it can map every module to the right coordinate even at different sizes.
The quiet zone
Around the whole code sits a blank margin called the quiet zone — conventionally at least four modules wide. It isolates the code from surrounding text or graphics so the scanner can tell where the matrix starts and stops. Crop it too tight and a code that looks fine to you may stubbornly refuse to scan.
Data and error-correction regions
Everything that isn't a function pattern is filled with the actual payload: your URL or text, plus a generous helping of error-correction data woven in alongside it. There's also a "format information" strip near the finder patterns that records which error-correction level and masking pattern were used, so the decoder knows how to read the rest.
The scan flow, step by step
Put it together and a scan happens roughly like this:
- Detect — the camera locates the three finder patterns and establishes orientation and size.
- Map the grid — using the timing and alignment patterns, it works out the coordinate of every module.
- Read — it converts black/white modules into a stream of bits.
- Correct and decode — Reed-Solomon error correction repairs any unreadable bits, then the bits are decoded into text.
- Act — if the decoded text is a URL, your phone offers to open it; if it's Wi-Fi credentials, it offers to connect, and so on.
Error correction: why a damaged QR code still scans
The most impressive trick a QR code performs is surviving damage. This comes from Reed-Solomon error correction, the same family of math used on CDs and in deep-space transmission. In simple terms, the encoder treats your data as the coefficients of a polynomial and adds redundant "check" values; the decoder can then reconstruct missing or corrupted pieces from what remains. The technique — including how data is interleaved so that localized damage spreads thinly rather than wiping out one whole chunk — is explained in Scanova's structure guide and the Wikipedia entry.
When you generate a code, you (or your tool) pick one of four error-correction levels. Higher levels add more redundancy — making the code more robust but slightly denser:
| Level | Recovery capacity | Best for |
|---|---|---|
| L (Low) | ~7% of code recoverable | Clean digital displays, large print, max data density |
| M (Medium) | ~15% recoverable | General-purpose default |
| Q (Quartile) | ~25% recoverable | Industrial or outdoor use with some wear |
| H (High) | ~30% recoverable | Codes with a logo, or harsh/dirty environments |
These percentages are documented in FileFusion's anatomy article and the QR code standard summary on Wikipedia. Level H is the reason brands can drop a logo into the dead center of a code: the logo destroys a chunk of modules, but as long as the loss stays under roughly 30%, the error correction fills in the gaps. (One practical caveat — the more of the code you cover, the less margin you have for real-world wear, so designers shouldn't push a logo to the absolute limit.)
Static vs dynamic QR codes (and the types you'll meet)
Beyond versions and error levels, the most important practical distinction is static vs dynamic.
Static QR codes
In a static code, the destination is baked directly into the matrix. Encode https://example.com and that exact URL is permanently fixed in the pixels. Static codes are free, work forever, and don't depend on any third-party service staying online — but you can't edit the destination after printing, and you get no scan tracking. They're perfect for permanent, unchanging information: a Wi-Fi password on a sign, a link engraved on a product.
Dynamic QR codes
A dynamic code encodes a short redirect URL instead of the final destination. When scanned, it points to an intermediary link that forwards the user onward — which means you can change where it goes without reprinting the code, and you can measure scans (how many, when, roughly where, on what device). The trade-off is a dependency: if the redirect service shuts down or the link expires, the code breaks. The static-vs-dynamic distinction is laid out clearly by The QR Code Generator. Dynamic codes have become the default for marketing: industry data from Wave's statistics roundup puts dynamic codes at roughly 64.9% of the market in 2025.
Common content types
Whether static or dynamic, a QR code can carry many kinds of data. The usual menu includes:
- URL — by far the most common; opens a web page.
- Wi-Fi — network name and password, so a guest connects with one scan.
- vCard — a digital business card (name, phone, email, company).
- Email / SMS / phone — pre-fills a message or dials a number.
- Geo-location — map coordinates.
- Payment — widely used for mobile payments, especially in Asia.
- Plain text — any short string.
Are QR codes safe? Quishing in 2026
Here's the part most vendor explainers skip, so we'll be blunt about it. A QR code itself is inert — it's just encoded data, it can't "infect" your phone. The risk is entirely in where it sends you. Because the destination is hidden inside the pixels, you can't see it until you scan, and attackers exploit exactly that blind spot. This kind of attack — phishing delivered via QR codes — has its own name: quishing.
The numbers are sobering. According to Keepnet Labs, QR codes featured in roughly 12% of all phishing attacks in 2025, and about 73% of people scan QR codes without checking the destination URL first. Security researchers have flagged that quishing surged through 2025 precisely because QR codes embedded in emails slip past text-based spam filters — the malicious link is an image, not clickable text — a trend covered by GBHackers and Acronis. The harm is real and measurable: the UK's Action Fraud recorded 784 quishing reports and almost £3.5 million lost between April 2024 and April 2025.
Common real-world tactics include sticking a fake QR sticker over a legitimate one (parking meters and restaurant tables are favorites), posting fake "scan to pay" or "scan to view menu" codes, and embedding codes in phishing emails that pretend to be a password-reset or document-share prompt.
Six rules to scan safely
- Preview the URL before opening it. Modern phone cameras show the destination as a banner — read it before tapping.
- Check the domain and look for HTTPS. Watch for misspellings and lookalike domains (
arnazon.com,paypa1.com). - Match the action to the context. A menu code that suddenly asks you to log in or enter card details is a red flag.
- Beware urgency. "Pay now or lose your spot" is a pressure tactic, not a feature.
- Inspect the physical code for tampering. A sticker over an existing code, or a code that doesn't match the surrounding branding, is suspicious.
- Use your built-in camera, not a downloaded "scanner app." Third-party scanner apps are a known malware vector and rarely add anything your camera doesn't already do.
These practices line up with guidance from Uniqode and Duke University's IT security team. If you publish QR codes yourself, the same logic applies in reverse — pointing your code at a link you control and can protect matters. Our own write-up on link password protection covers how to add a gate in front of a destination.
How to make a QR code (and when "free" has strings attached)
Generating a basic static URL code takes seconds in any reputable tool: paste a link, download the image, done. The honest catch is what "free" usually means. A free QR is almost always a static code — perfectly fine for permanent information, but you can't edit the destination later or see how many people scanned it. Free dynamic tiers, where editing and tracking live, tend to be tightly capped. For example, Bitly's free plan has historically allowed only a couple of editable QR codes per month, and QR Tiger's free tier caps dynamic codes at a few hundred scans before they stop working. (Pricing pages change often — Bitly's QR product was rebranded in 2026 — so verify the current limits before committing.) If you want to weigh the options properly, our comparison of free QR code generators breaks down ten tools and where each one's "free" actually ends.
Where does Minily fit, honestly? Minily is an EU-based URL shortener and QR generator. You can create unlimited QR codes on every plan, including the free one, from the QR generator. The useful pattern is to point a QR code at a Minily short link — because that short link carries click analytics (total clicks, top countries, and your most recent clicks on the free plan), you effectively get scan tracking and the ability to change where a printed code leads, without a dedicated "dynamic QR" product.
Be clear about the limits, though: the free plan allows 5 short links (QR generation itself is unlimited), and Minily has no public API, no white-label, and no predictive AI. If you need full per-scan analytics, custom branded domains, or city/device/OS breakdowns, those live on the Pro plan. Minily's edge isn't being the biggest — it's being EU-hosted, GDPR-friendly (analytics exports are aggregate, not personal), and straightforward about what it does and doesn't do. For some teams that's the right fit; for others, a dedicated dynamic-QR platform with a public API will be better. Pick on the criteria that matter to you.
Frequently Asked Questions
What does QR stand for?
QR stands for "quick response." The format was named for its ability to be read quickly from any angle, even when partly damaged, per Denso Wave's specification documented on Wikipedia.
Who invented the QR code and when?
It was invented in 1994 by Masahiro Hara and his team at Denso Wave in Japan, originally to track automotive parts on Toyota's production lines, as recounted on Denso Wave's history page.
How much data can a QR code hold?
At its maximum size (version 40, lowest error correction), a QR code can store up to 7,089 numeric characters, 4,296 alphanumeric characters, 2,953 bytes, or 1,817 Kanji characters, according to Wikipedia.
Are QR codes safe to scan?
The code itself is inert — the risk is the destination it sends you to. QR-based phishing ("quishing") made up roughly 12% of phishing attacks in 2025 per Keepnet Labs. Always preview the URL before tapping, and treat unexpected login or payment prompts with suspicion.
Why does a QR code still work when it's scratched or has a logo?
Because of Reed-Solomon error correction. Depending on the level chosen, a QR code can recover from up to roughly 30% damage (level H), which is why a logo can sit in the middle without breaking the scan. The recovery levels are documented by FileFusion.
What's the difference between a static and a dynamic QR code?
A static code has the final destination baked permanently into the pixels — it can't be edited or tracked. A dynamic code encodes a redirect link you can change and measure after printing. See this comparison for details.
Are QR codes free to use?
Yes — the format is free because Denso Wave never enforced its patent, as stated on its history page. "Free generators," however, often cap dynamic codes or scan counts, so read the fine print on any tool's free tier.
Do I need an app to scan a QR code?
No. Modern iOS and Android camera apps scan QR codes natively — just open the camera and point. Security guides such as Duke University's actually recommend against downloading third-party scanner apps, since they add unnecessary malware risk.
The bottom line
A QR code is a two-dimensional grid of modules that encodes data a camera can read in an instant. Its finder, timing, and alignment patterns let a scanner orient itself, and Reed-Solomon error correction lets it shrug off damage of up to roughly 30%. The big practical choice is static (permanent, untrackable) versus dynamic (editable, trackable). And the one thing worth remembering above all: the code is harmless, but the destination may not be — so preview the URL before you tap.
If you want to create a QR code that points at a link you control and can monitor, you can do that in seconds with the QR generator or read more about how Minily handles QR codes. Whatever tool you choose, you now understand what's actually happening inside that little square.