Headless QR decoder + TOTP authenticator Flask mini-service
Project description
qr-pypass
qr-pypass is a lightweight, headless QR decoding and TOTP authentication service built for offline-first security workflows.
It is designed for air-gapped labs, red-team and blue-team tooling, automation pipelines, and environments where QR codes and 2FA need to be processed locally, without mobile devices or cloud dependencies.
Homepage: https://ginkorea.one Source: https://github.com/ginkorea/qr-pypass PyPI: https://pypi.org/project/qrpypass/
What It Does
With qr-pypass, you can:
- Decode QR codes from screenshots or images
- Detect and classify QR payloads (URL, text, otpauth)
- Generate QR codes programmatically
- Generate, import, store, and verify TOTP (RFC 6238) secrets
- Run everything locally with no outbound network access
The project exposes both:
- A Python API for direct integration
- A Flask-based HTTP service with a minimal web UI
Core Features
QR Decoding
- Detects multiple QR codes anywhere in an image
- Uses OpenCV with multi-pass detection and tiling fallback
- Returns bounding boxes, corner points, and decode method
- Robust against screenshots, partial QRs, and large images
Payload Classification
Automatically classifies decoded payloads as:
url(with normalization)textotpauth(TOTP provisioning URIs)
TOTP / OTPAuth
- Generate RFC-compliant
otpauth://totpURIs - Import existing provisioning URIs
- Secure local storage (optional encryption at rest)
- Generate current TOTP codes
- Verify TOTP codes with configurable time window
QR Generation
-
Generate QR codes for:
- URLs
- Arbitrary text
- TOTP provisioning URIs
-
Control box size and border
-
Outputs PNG images
Service and Web UI
-
Flask-based HTTP API
-
Minimal web UI for:
- Uploading screenshots or images
- Viewing decoded QR payloads
- Generating QR codes
- Managing stored TOTP accounts
No JavaScript frameworks. No external assets.
Installation
From PyPI
pip install qrpypass
Python 3.9+ is required.
From Source (Development)
git clone https://github.com/ginkorea/qr-pypass.git
cd qr-pypass
python -m venv .qr-env
source .qr-env/bin/activate
pip install -r requirements.txt
pip install -e .
Running the Service
python -m qrpypass.service.run
By default, the service runs at:
http://127.0.0.1:5000
Configuration
The service can be configured using environment variables:
| Variable | Default | Description |
|---|---|---|
QRPYPASS_HOST |
127.0.0.1 |
Bind address |
QRPYPASS_PORT |
5000 |
Port |
QRPYPASS_DEBUG |
0 |
Enable Flask debug mode |
QRPYPASS_STORE_DIR |
~/.qrpypass |
Local account storage directory |
Web UI Routes
/– QR scan UI (upload screenshots or images)/gen– QR payload and TOTP generator/vault– Stored TOTP account management
API Overview
Health Check
GET /health
Scan QR Codes
POST /scan
Content-Type: multipart/form-data
Form fields
file(required) – image filemax_results(optional, default: 8)
Generate Payload
POST /gen/payload
Content-Type: application/json
{
"kind": "url | text | totp",
"params": { },
"import": false,
"passphrase": null
}
Generate QR Image
POST /gen/qr
Content-Type: application/json
{
"payload": "...",
"box_size": 8,
"border": 2
}
Returns image/png.
TOTP Endpoints
| Endpoint | Description |
|---|---|
POST /auth/import |
Import otpauth URI |
GET /auth/list |
List stored accounts |
GET /auth/code |
Get current TOTP code |
POST /auth/verify |
Verify TOTP code |
An optional passphrase encrypts the TOTP store at rest.
Python API Example
from qrpypass.qr import scan_and_classify
hits = scan_and_classify("screenshot.png")
for hit in hits:
print(hit.classification.kind, hit.qr.payload)
Testing
End-to-end tests are included:
python test/api-test.py
python test/full_api_smoke.py
python test/test_totp_verify_flow.py
These cover:
- QR generation → scan → classification
- TOTP generation, import, code generation, and verification
Security Notes
- Secrets are never logged
- TOTP storage can be encrypted at rest
- No outbound network access
- Suitable for air-gapped or lab environments
Common Use Cases
- QR extraction from screenshots (2FA enrollment, phishing analysis)
- Headless TOTP verification in security tooling
- Red-team and blue-team labs
- Offline QR decoding pipelines
- Local alternatives to mobile authenticator apps
License
MIT
Author
Josh Gompert https://ginkorea.one
Download files
Download the file for your platform. If you're not sure which to choose, learn more about installing packages.
Source Distribution
Built Distribution
Filter files by name, interpreter, ABI, and platform.
If you're not sure about the file name format, learn more about wheel file names.
Copy a direct link to the current filters
File details
Details for the file qrpypass-0.1.2.tar.gz.
File metadata
- Download URL: qrpypass-0.1.2.tar.gz
- Upload date:
- Size: 15.7 kB
- Tags: Source
- Uploaded using Trusted Publishing? No
- Uploaded via: twine/6.2.0 CPython/3.14.2
File hashes
| Algorithm | Hash digest | |
|---|---|---|
| SHA256 |
2b47a2296936f51e50124a6671d40aef7ebdaa88ea841e6d134b41822a09ddf7
|
|
| MD5 |
604d47fb81d8971823365972386792c6
|
|
| BLAKE2b-256 |
805ac81c7091090c3dcec5ceff83c00abc029f4c2aab1b9fabd2ebf66464c86a
|
File details
Details for the file qrpypass-0.1.2-py3-none-any.whl.
File metadata
- Download URL: qrpypass-0.1.2-py3-none-any.whl
- Upload date:
- Size: 17.0 kB
- Tags: Python 3
- Uploaded using Trusted Publishing? No
- Uploaded via: twine/6.2.0 CPython/3.14.2
File hashes
| Algorithm | Hash digest | |
|---|---|---|
| SHA256 |
b8de551608969d211f080ec86b92c3902880dabca4a519588c4872c6624bedd0
|
|
| MD5 |
cd2f0d004a35ad8e3d27f66128f2f28f
|
|
| BLAKE2b-256 |
a7ccc2bacd462e9721191e395f61ecbcaf5161b17ccf97fedaa4725da8be1c15
|
