Authentication
QR Login
Generate QR code session for passwordless authentication
POST
QR Login System
The QR Login system allows users to authenticate on desktop/web by scanning a QR code with their mobile app. This is commonly used in custom shop plugin integrations.QR Login requires Shop API authentication (X-API-Key and X-API-Secret headers) and real-time WebSocket support via Ably.
Authentication Flow
Generate QR Login Session
Create a new QR login session that generates a scannable QR code.Endpoint
Authentication
API key from Partners Portal
API secret from Partners Portal
Request Body
Optional name for the device requesting loginExample:
"Shop Plugin - Checkout"Optional shop ID for multi-shop partners
Response
Indicates if session was created successfully
Generate Ably Token
Get a secure Ably JWT token to subscribe to real-time QR login events.Endpoint
Request Body
The session ID from the generate endpoint
Response
Ably JWT token for WebSocket connection
Unix timestamp when token expires
Ably channel name (automatically determined based on session type)
Type of session:
login or card_scanReal-time Integration (Ably)
After generating a session and obtaining an Ably token, subscribe to the WebSocket channel to receive login status updates in real-time.Channel Name
qr-login:550e8400-e29b-41d4-a716-446655440000
Events to Subscribe
| Event Name | Description |
|---|---|
qr_login_status | Login status changed (scanned, confirmed, expired) |
Ably Connection Example
Event Payload: qr_login_status
Status: scanned
Poll QR Login Status (Fallback)
Alternative to WebSockets: poll the session status periodically.Endpoint
Path Parameters
The QR login session ID
Response Statuses
| Status | Description |
|---|---|
pending | Waiting for user to scan QR code |
scanned | User scanned QR, waiting for confirmation |
confirmed | User confirmed login, tokens available |
expired | Session expired (after 5 minutes) |
Session Timeline
Error Codes
| Code | Description | HTTP Status |
|---|---|---|
AUTH_FORBIDDEN | Invalid or missing API credentials | 403 |
RESOURCE_NOT_FOUND | Shop not found or access denied | 404 |
QR_SESSION_NOT_FOUND | Session expired or invalid | 404 |
RESOURCE_EXPIRED | QR code has expired | 410 |
INTERNAL_ERROR | Server error | 500 |
Best Practices
Use WebSockets
Prefer Ably WebSockets over polling for real-time updates
Handle Expiration
Sessions expire after 5 minutes - show countdown to users
Secure Storage
Store received tokens securely after successful login
Fallback Polling
Implement polling as fallback if WebSockets fail