QR Payload Decoder

Upload a QR code to safely inspect its contents without executing any hidden scripts or automatically opening any links.

Drag & Drop QR Image Here

or click to browse your files

Decoded Payload

Unknown Type

Raw Extracted Data String:

Why is this safe?

Standard smartphone cameras often automatically open URLs or execute actions found in QR codes. This decoder extracts the raw text completely offline on your device and prints it to the screen without executing it, allowing you to inspect vCards, WiFi passwords, and raw links safely.

What Is a QR Code Payload Decoder and Why Do You Need One?

A QR code payload decoder is a tool that reads the raw data inside a QR code without opening it. By extracting the text, a decoder lets you safely check if the code contains a website URL, a Wi-Fi password (WIFI:S:...), a contact file (BEGIN:VCARD...), or an unsafe link before your phone automatically runs it.

When you scan a QR code with your phone's camera, the operating system tries to help. If it sees a URL, it opens your browser. If it sees a phone number, it prepares a call. While this automatic action is convenient, it creates a security risk. If a scammer has placed a sticker over a real restaurant menu or parking meter QR code (known as Quishing), your phone might direct you to a fake payment portal or a site designed to steal your passwords.

The Hidden Dangers of Automatic Scanning

When you use a standard scanning app, you let the software decide what happens next. Most users assume QR codes only contain links to websites. However, the ISO/IEC 18004 standard allows QR codes to encode any text or data. This means a QR code can contain hidden commands. For example, a code could trigger an SMS message to a premium-rate phone number, pre-filled with a message that you might accidentally send with one tap.

By using a payload decoder, you intercept the data. Instead of running the command, the decoder translates the barcode back into raw text. It prints the string on your screen so you can inspect it manually. Let's look at how raw data payloads differ from what you usually see.

Understanding Raw QR Code Data Formats

When a payload is decoded, it often looks like a string of computer code. Here is a breakdown of the most common standard data formats you will encounter when analyzing raw QR payloads:

  • vCard Contacts (Electronic Business Cards): When you decode a networking QR code, you won't immediately see a nicely formatted address book entry. Instead, you will see a raw string beginning with BEGIN:VCARD, followed by lines like FN:John Doe (Formatted Name), TEL;TYPE=CELL:+1234567890, and ending with END:VCARD. Inspecting this raw payload ensures no rogue URLs are hidden in the "Note" or "URL" fields of the contact card before you save it to your device.
  • Wi-Fi Network Credentials: Restaurants and cafes frequently offer QR codes to connect to their guest Wi-Fi. The raw payload for these codes looks like WIFI:S:GuestNetwork;T:WPA;P:SecretPassword123;;. A payload decoder allows you to extract this password for devices that lack built-in QR scanning capabilities (like an older laptop or a desktop PC), or simply to securely share the password with a friend without requiring them to install an app.
  • EPC (European Payments Council) Data: In Europe, QR codes are commonly used to facilitate instant banking transfers. When decoded, an EPC QR code reveals a highly structured string detailing the Service Tag, the Version, the Character Set, the BIC, the Beneficiary Name, the IBAN, the Amount, and the Remittance Information. Decoding this payload is crucial for double-checking the exact IBAN and recipient name before authorizing a large bank transfer.
  • App Store Links and Deep Links: Many marketing QR codes do not point to a standard web page but instead use deep linking protocols like twitter://user?screen_name=example or intent URLs. A decoder lets you see exactly which app the code is attempting to launch and with what parameters.

How to Safely Inspect a Suspicious QR Code in 3 Steps

If you encounter a suspicious QR code—like a sticker placed over a real sign—follow these steps instead of scanning it directly:

  1. Take a picture safely: Open your phone's camera app and snap a photo of the QR code. Don't hold the camera steady over the code for too long, as your phone might accidentally read it and open the link. Try taking the photo from a slight angle.
  2. Upload the image here: Navigate to this page. Use the drag-and-drop zone or the file browser button to upload the photo from your camera roll.
  3. Analyze the raw data: The scanner will find the QR code in the image and extract the text. Read the output. If the text says https://your-bank.com.login-verify.xyz/auth, it is a phishing attempt masking itself as a real banking portal.

Total Client-Side Privacy Guarantee

Our QR Code Payload Decoder is built entirely client-side. When you upload an image, the picture never leaves your device. It is not sent to our servers, and the decoded payload is never logged or tracked. All image processing happens locally in your web browser, keeping your sensitive data like Wi-Fi passwords and contact details completely private.

Frequently Asked Questions

A QR code payload is the raw data or text string encoded inside a QR code. While most people think a QR code just contains a website URL, it can actually store Wi-Fi passwords, contact details (vCard), calendar events, cryptocurrency addresses, and raw text.

Decoding a QR code instead of scanning it with your camera is important for security analysis and troubleshooting. If you scan a malicious QR code, your phone might automatically execute a command, like opening a dangerous website or trying to download software. Decoding the payload reveals exactly what data is inside without triggering any actions on your device.

Yes. Our payload decoder can extract the raw strings used to define Wi-Fi networks (e.g., WIFI:S:MyNetwork;T:WPA;P:MyPassword;;) and vCard contact information. This allows you to inspect the precise formatting to ensure your own generated QR codes meet the required standards.

Yes, our decoder reveals the raw EPC string, parsing the payment recipient, IBAN, BIC, and transaction amount encoded within standard European payment QR codes. This is highly useful for verifying banking details before executing a transaction.

No. The decoding process happens entirely client-side within your browser. The image you upload and the data it contains are never transmitted to, or stored on, any remote servers, guaranteeing total privacy.