What's actually inside a QR code
In 1994 a Toyota subsidiary needed a way to track auto parts on a fast-moving assembly line. Conventional barcodes held about 20 characters. The new design they shipped, by an engineer named Masahiro Hara, held thousands and could be read at any angle. Three decades later, every restaurant menu, payment terminal and Wi-Fi router has one. Here's what the squares actually contain.
The three squares are a coordinate system
Look at any QR code. There are three big square markers — top-left, top-right, bottom-left. They're called finder patterns, and their job is to let a camera orient the code regardless of rotation, perspective, or partial occlusion. The fourth corner is intentionally missing. Two finder patterns aren't enough — you'd get rotational ambiguity. Four would be redundant. Three is the minimum to triangulate "which way is up."
That's also why a QR code can be read upside down or sideways. The decoder finds the three squares, computes the perspective transformation that maps them to a regular grid, and then reads the data points in the corrected coordinate space.
The structure, layer by layer
Beyond the three finders, every QR code contains a small set of helper structures:
- Separators — one-module-wide white borders around each finder pattern, so the decoder can tell the finder from any data next to it.
- Timing patterns — alternating black/white lines between two of the finder patterns, used to calibrate where each module (the smallest black-or-white square) sits.
- Alignment patterns — extra small squares scattered through larger codes, used to correct distortion when the QR is printed on a curved surface or photographed at an angle.
- Format information — 15 bits encoding the error-correction level and the data mask. Stored twice for redundancy.
- Version information — for codes larger than version 6, an additional 18 bits encoding the version number.
- Data and error-correction codewords — the actual content, plus Reed-Solomon redundancy.
Versions: 1 through 40
QR codes come in 40 sizes. Version 1 is 21 modules square; version 40 is 177 modules square. Each version step adds 4 modules per side. The bigger the version, the more data fits — but also the harder it is to scan from far away or on a tiny phone screen.
| Version | Size (modules) | Numeric capacity | Byte capacity (UTF-8) |
|---|---|---|---|
| 1 | 21 × 21 | 41 | 17 |
| 5 | 37 × 37 | 255 | 106 |
| 10 | 57 × 57 | 652 | 271 |
| 20 | 97 × 97 | 2,061 | 858 |
| 40 | 177 × 177 | 7,089 | 2,953 |
(Capacities shown at error-correction level M, the most common.)
Modes: how data gets packed
The QR specification has four core encoding modes, picked for whatever fits the input most efficiently:
- Numeric — only digits 0–9. Most efficient. 3 digits in 10 bits.
- Alphanumeric — uppercase letters, digits, and 9 symbols. Two characters in 11 bits.
- Byte — arbitrary 8-bit data, usually UTF-8. The catch-all for URLs, lowercase, special characters.
- Kanji — Shift-JIS double-byte characters, optimised for Japanese.
A modern encoder picks the mode automatically. The QR code on a parking meter — "012345678" — uses numeric mode and fits in a tiny version 1 code. A URL with mixed case has to use byte mode, which costs more bits per character.
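The mode choice above, worked through as an added example (not code from the original page). The function names are hypothetical, the sample strings are constructed, and the character-count widths assume versions 1 through 9.

```python
# Added example: bit cost of the numeric, alphanumeric and byte modes.
ALNUM = set("0123456789ABCDEFGHIJKLMNOPQRSTUVWXYZ $%*+-./:")  # 45 characters
MODE_BITS = 4                                                 # mode indicator
COUNT_BITS = {"numeric": 10, "alphanumeric": 9, "byte": 8}    # versions 1-9 (assumed)


def payload_bits(text: str, mode: str) -> int:
    """Bits for the data itself, without the mode and count indicators."""
    if mode == "numeric":
        full, rest = divmod(len(text), 3)
        return full * 10 + (0, 4, 7)[rest]    # leftover 1 digit = 4 bits, 2 = 7
    if mode == "alphanumeric":
        full, rest = divmod(len(text), 2)
        return full * 11 + rest * 6           # leftover single character = 6 bits
    return 8 * len(text.encode("utf-8"))


def eligible_modes(text: str) -> list[str]:
    """Byte mode always works; the denser modes need a restricted alphabet."""
    modes = ["byte"]
    if text and all(c in ALNUM for c in text):
        modes.append("alphanumeric")
    if text.isascii() and text.isdigit():
        modes.append("numeric")
    return modes


def best_mode(text: str) -> tuple[str, int]:
    """Return (mode, total bits including the two indicator fields)."""
    costs = {m: MODE_BITS + COUNT_BITS[m] + payload_bits(text, m)
             for m in eligible_modes(text)}
    mode = min(costs, key=costs.get)
    return mode, costs[mode]


if __name__ == "__main__":
    for sample in ("012345678", "HTTPS://EXAMPLE.COM/PAY", "https://example.com/Pay"):
        print(sample, best_mode(sample))
```

The same 23-character URL costs 140 bits in upper case and 196 bits in mixed case, which is why some generators upper-case the scheme and host.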
Error correction: why a torn QR still works
Every QR code includes Reed-Solomon error correction at one of four levels:
| Level | Recovery | Use |
|---|---|---|
| L | ~7% | clean printed surfaces |
| M | ~15% | most general use (default) |
| Q | ~25% | industrial / outdoor |
| H | ~30% | maximum protection — needed when designers put a logo in the middle |
That logo you see in the centre of branded QR codes — Spotify, Snapchat, payment apps — is intentionally damaging the code. The designer is trading away a quarter of the surface and counting on level-H redundancy to repair it. Same trick lets a slightly torn or smudged QR still read fine.
Special-format payloads
The squares only encode bytes — but apps interpret common prefixes specially. The three you'll meet most:
WIFI:T:WPA;S:NetworkName;P:thepassword;; — manufacturers print these on the bottom of every router. iOS and Android prompt to join the network when scanned. The password is in plain text inside the code.
BEGIN:VCARD\nVERSION:3.0\nFN:Jane Doe\nTEL:+1...\nEND:VCARD — scanning offers to add the contact. MeCard is a shorter, JIS-standard form invented for early Japanese phones.
You'll also encounter mailto:, tel:, sms:, and geo: prefixes, all interpreted by the OS the same way they would be in a hyperlink.
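To see what the Wi-Fi payload above hands to anyone who can photograph it, here is an added example (not from the original page) that parses the WIFI: format, including its backslash escapes, and lists what the code discloses. The function names are hypothetical.

```python
# Added example: what a WIFI: payload discloses before it is printed or posted.
def split_fields(body: str) -> list[str]:
    """Split on ';' while resolving backslash escapes such as \\; and \\:."""
    fields, cur, i = [], [], 0
    while i < len(body):
        ch = body[i]
        if ch == "\\" and i + 1 < len(body):
            cur.append(body[i + 1])      # escaped character is taken literally
            i += 2
            continue
        if ch == ";":
            fields.append("".join(cur))
            cur = []
        else:
            cur.append(ch)
        i += 1
    fields.append("".join(cur))
    return [f for f in fields if f]


def parse_wifi(payload: str) -> dict:
    if not payload.upper().startswith("WIFI:"):
        raise ValueError("not a WIFI: payload")
    kv = {}
    for field in split_fields(payload[5:]):
        key, sep, value = field.partition(":")   # keys never contain ':'
        if sep:
            kv[key.upper()] = value
    return {"ssid": kv.get("S", ""), "auth": kv.get("T", "nopass"),
            "password": kv.get("P", "")}


def disclosure_findings(payload: str) -> list[str]:
    """Audit notes for a code that is about to be printed or posted."""
    info = parse_wifi(payload)
    notes = []
    if info["password"]:
        notes.append(f"key for '{info['ssid']}' is readable from any photo of the code")
    if info["auth"].upper() == "WEP":
        notes.append("WEP is obsolete; move the network to WPA2 or WPA3")
    if info["auth"].lower() == "nopass":
        notes.append("open network: no key is required to join")
    return notes


if __name__ == "__main__":
    print(disclosure_findings("WIFI:T:WPA;S:NetworkName;P:thepassword;;"))
```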
The 2023 sticker scam (and what to actually look for)
QR codes are dumb labels. They have no signature and no sender identity. In 2023 and 2024, multiple US cities reported "QR phishing" or "quishing" attacks — scammers printing fake QR stickers and slapping them over real ones on parking meters, restaurant tables, and EV chargers. The fake QR points to a lookalike payment page that captures card details.
The defence is mostly behavioural:
- Before scanning, look at the QR up close. Is it a sticker on top of something? Peel a corner. If there's a different code under it, walk away.
- Always preview the URL on your phone before tapping through. iOS and Android both show the destination first.
- For payments, use the merchant's app or NFC tap. Never enter card details on a page you reached via a parking-lot sticker.
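The "preview the URL" step can also run in a scanner app or kiosk audit script. This is an added example, not code from the original page: the function name, the domain names and the IP address are constructed, and the expected-domain list is an assumption the operator supplies.

```python
# Added example: reasons to distrust a decoded QR payload before opening it.
import ipaddress
from urllib.parse import urlsplit


def url_findings(payload: str, expected_domains: set[str]) -> list[str]:
    """Return findings; an empty list means nothing looked wrong."""
    try:
        parts = urlsplit(payload.strip())
        host = (parts.hostname or "").rstrip(".")
        user = parts.username
    except ValueError:
        return ["malformed URL"]
    scheme = parts.scheme.lower()
    if scheme not in ("http", "https"):
        return [f"not a web URL (scheme {scheme!r})"]
    findings = []
    if scheme == "http":
        findings.append("no TLS")
    if user is not None:
        findings.append("userinfo before '@' disguises the real host")
    try:
        ipaddress.ip_address(host)
        findings.append("host is a bare IP address")
    except ValueError:
        pass                                   # a name, not an address
    if not host.isascii() or any(l.startswith("xn--") for l in host.split(".")):
        findings.append("internationalised host name, check for lookalike letters")
    # The expected domain must be the host itself or its parent, not a prefix.
    if not any(host == d or host.endswith("." + d) for d in expected_domains):
        findings.append(f"host {host!r} is not an expected domain")
    return findings


if __name__ == "__main__":
    expected = {"parking.example"}             # constructed operator domain
    for url in ("https://pay.parking.example/zone/12",
                "http://parking.example.pay-meter.test/zone/12",
                "https://parking.example@198.51.100.7/pay"):
        print(url, url_findings(url, expected))
```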
Make one. Read one.
Foliokit can do both — generate any URL, Wi-Fi, or text payload as a downloadable PNG, or scan a QR code with your camera or a screenshot.