Developers
API & Webhooks
Generate and manage QR codes programmatically, and get notified of every scan in real time. The Qre.gg REST API is authenticated with an API key and returns JSON — wire it into your own apps, automations and back ends.
API & webhooks are available on the Teams plan. The full reference is below.
The Qre.gg REST API lets you create and manage QR codes from your own apps. Every request is authenticated with an API key and returns JSON. New to APIs? Just follow the steps below.
Create an API key
Open the API keys tab and click Create key. Copy the key immediately — it's shown only once. Treat it like a password and keep it on your server, never in client-side code.
Make your first request
Send the key as a Bearer token. This creates a dynamic QR that redirects to a URL:
curl -X POST https://qre.gg/api/v1/codes \
-H "Authorization: Bearer YOUR_API_KEY" \
-H "Content-Type: application/json" \
-d '{
"type": "url",
"mode": "dynamic",
"title": "My first code",
"payload": { "url": "https://example.com" }
}'The response includes the id and shortCode. Your QR points to qre.gg/{shortCode}.
Or use JavaScript
const res = await fetch("https://qre.gg/api/v1/codes", {
method: "POST",
headers: {
"Authorization": "Bearer YOUR_API_KEY",
"Content-Type": "application/json",
},
body: JSON.stringify({
type: "url",
mode: "dynamic",
payload: { url: "https://example.com" },
}),
});
const { data } = await res.json();
console.log(data.shortCode);Endpoints
| GET | /api/v1/codes | List your codes (paginated) |
| POST | /api/v1/codes | Create a code |
| GET | /api/v1/codes/{id} | Fetch a single code |
| PATCH | /api/v1/codes/{id} | Update title / destination / active |
| DELETE | /api/v1/codes/{id} | Delete a code |
Rate limit: 60 requests/minute per key. Unauthenticated or invalid keys get 401; over the limit returns 429.
Get notified with webhooks
Add a webhook in the Webhooks tab with your endpoint URL and the events you care about. The main one is scan — it fires every time one of your QR codes is scanned (lifecycle events code.created, code.updated, code.deleted are available too). A scan delivery looks like:
{
"event": "scan",
"data": {
"scans": [
{
"code": { "id": "...", "shortCode": "Ab3xY7z" },
"scan": {
"timestamp": "2026-01-01T12:00:00.000Z",
"country": "US",
"city": null,
"device": "mobile",
"os": "iOS",
"browser": "Safari",
"referrer": null
}
}
]
},
"timestamp": "2026-01-01T12:00:00.050Z"
}Scan events are delivered asynchronously (within a few seconds), batched into a scans array, retried with backoff on failure, and never include raw IP addresses.
Every request is signed. Verify the X-Qregg-Signature header (sha256=<hmac>) with your webhook secret before trusting it:
import crypto from "crypto";
function verify(rawBody, signatureHeader, secret) {
const expected =
"sha256=" + crypto.createHmac("sha256", secret).update(rawBody).digest("hex");
return crypto.timingSafeEqual(
Buffer.from(expected), Buffer.from(signatureHeader)
);
}Use the Send test button on any webhook to fire a sample ping event and confirm your endpoint is reachable.