PowQR Developer API

Integrate PowQR into your workflow to generate thousands of dynamic, anti-screenshot tickets or marketing campaigns programmatically.

Authentication

The PowQR API uses two forms of authentication depending on the endpoint:

  • Session Cookies: Used for standard dashboard actions (managing campaigns, templates, analytics) through the web client.
  • API Keys (Bearer Token): Used for high-volume B2B operations like bulk generation. Include the key in your HTTP header: Authorization: Bearer YOUR_API_KEY

Bulk QR Generation

Generate up to 1,000 QR codes in a single request. Perfect for ticketing platforms generating unique codes per attendee.

POST /api/v1/qrs/bulk

Request Body

{
  "urls": ["https://my-event.com/ticket/1", "https://my-event.com/ticket/2"],
  "qr_type": "morphing", // 'static', 'dynamic', or 'morphing'
  "design_config": {
    "shapes": "liquid",
    "eyes": "circle",
    "color": "#d946ef",
    ...
  }
}

Examples

Node.js (Fetch)
const response = await fetch('https://api.powqr.com/api/v1/qrs/bulk', {
  method: 'POST',
  headers: {
    'Content-Type': 'application/json',
    'Authorization': 'Bearer YOUR_API_KEY'
  },
  body: JSON.stringify({
    urls: ['https://example.com/ticket/1'],
    qr_type: 'morphing',
    design_config: {}
  })
});

const data = await response.json();
console.log(data);
Python (Requests)
import requests

url = "https://api.powqr.com/api/v1/qrs/bulk"
headers = {
    "Authorization": "Bearer YOUR_API_KEY",
    "Content-Type": "application/json"
}
data = {
    "urls": ["https://example.com/ticket/1"],
    "qr_type": "morphing",
    "design_config": {}
}

response = requests.post(url, json=data, headers=headers)
print(response.json())

Cryptographic Morphing

If you generate morphing QR codes, the resulting SVG endpoint requires a signed timestamp. The image renders with a 30-second Time-To-Live (TTL). If the signature is missing, invalid, or expired, the API will return a red "EXPIRED" SVG instead of the QR code.

GET /api/render/:short_code.svg?t=TIMESTAMP&sig=HASH

You must generate the signature on your server (where your secret_key is secure) right before rendering the QR on the client's screen.

Signature Generation Examples

Node.js
const crypto = require('crypto');

const secret_key = 'YOUR_SECRET_KEY';
const short_code = 'xyz123';

// 1. Get current time in milliseconds
const t = Date.now().toString();

// 2. Hash the timestamp using HMAC SHA-256
const sig = crypto.createHmac('sha256', secret_key).update(t).digest('hex');

// 3. Construct the secure URL to pass to the client's  tag
const secureUrl = `https://api.powqr.com/api/render/${short_code}.svg?t=${t}&sig=${sig}`;
Python
import hmac
import hashlib
import time

secret_key = b'YOUR_SECRET_KEY'
short_code = 'xyz123'

# 1. Get current time in milliseconds as a string
t = str(int(time.time() * 1000)).encode('utf-8')

# 2. Hash the timestamp using HMAC SHA-256
sig = hmac.new(secret_key, t, hashlib.sha256).hexdigest()

# 3. Construct the secure URL
secureUrl = f"https://api.powqr.com/api/render/{short_code}.svg?t={t.decode()}&sig={sig}"
PHP
<?php
$secret_key = 'YOUR_SECRET_KEY';
$short_code = 'xyz123';

// 1. Get current time in milliseconds
$t = round(microtime(true) * 1000);

// 2. Hash the timestamp using HMAC SHA-256
$sig = hash_hmac('sha256', (string)$t, $secret_key);

// 3. Construct the secure URL
$secureUrl = "https://api.powqr.com/api/render/{$short_code}.svg?t={$t}&sig={$sig}";
?>

Campaign Management

  • GET /api/v1/campaigns - List all your campaigns
  • POST /api/v1/campaigns - Create a single campaign
  • GET /api/v1/campaigns/:id - Get a specific campaign by ID
  • PUT /api/v1/campaigns/:id - Update a campaign's design or destination
  • DELETE /api/v1/campaigns/:id - Archive a campaign

Analytics

  • GET /api/v1/analytics/overview - Global scan counts
  • GET /api/v1/analytics/timeline - 30-day global scan timeline
  • GET /api/v1/analytics/devices - Global OS breakdown
  • GET /api/v1/analytics/campaign/:id/timeline - 30-day campaign specific timeline
  • GET /api/v1/analytics/campaign/:id/devices - Campaign specific OS breakdown

Hosted Pages & Forms

  • GET /api/v1/resolve/:userSlug/:campaignSlug - Resolve hosted page config
  • POST /api/v1/forms/submit/:short_code - Submit data to a hosted page form
  • GET /api/v1/forms/campaign/:id - Retrieve all form submissions for a campaign

Templates

  • GET /api/v1/templates - List saved templates
  • POST /api/v1/templates - Save a new template
  • DELETE /api/v1/templates/:id - Delete a template