Documentation - qrserra

Static QR tools

Static QR codes are generated in the browser. The standard PNG flow is free and does not require an account.

Dynamic workspace

Saved QR codes, editable destinations, analytics, custom domains, and account history use Supabase-backed workspace records.

Crypto billing

Billing is direct-wallet crypto only. Quotes use exact amounts so chain scanners can match payment attempts safely.

Security controls

Protected routes use Supabase sessions, workspace ownership checks, request validation, rate limits, and server-only service credentials.

Product

What users can do

qrserra separates browser-only static QR generation from account-backed dynamic QR workflows. Free static generation stays useful without hiding the paid workflow.

Free static QR

Use URL, text, Wi-Fi, vCard, email, SMS, phone, menu, review, and event QR tools.

Customize colors and shapes, preview instantly, copy content, and download standard PNG.

Visible Pro features

Logo upload, SVG export, high-resolution PNG, dynamic saves, analytics, domains, API, and teams are visible in context.

Locked features explain the required plan instead of pretending to work.

Account workflows

Dashboard routes require authentication and read workspace-scoped QR data.

Saved QR records, scan telemetry, domains, billing, support chat, and admin screens depend on the live Supabase schema.

API

Protected app routes

The public v1 API is still a roadmap surface. The current production app routes already use the same core protection model that the future external API should keep.

RoutePurposeProtection

GET /api/qrs

List saved QR records for the signed-in workspace.

Supabase auth, workspace membership, rate limit.

POST /api/qrs

Create a dynamic QR code when the workspace plan allows it.

Same-origin, JSON-only, body limit, zod validation, plan check.

GET /api/qrs/[id]

Read one workspace QR record by id.

Supabase auth, workspace ownership, id validation, rate limit.

PATCH /api/qrs/[id]

Update title, destination, status, or design settings.

Same-origin, JSON-only, body limit, zod validation, plan check.

DELETE /api/qrs/[id]

Archive a QR record without deleting scan history.

Same-origin, workspace ownership, plan check, rate limit.

GET /q/[shortId]

Redirect active dynamic QR scans to safe http or https destinations.

Short id validation, safe URL validation, no-store redirect, limited telemetry writes.

Security

How abuse is controlled

The security model is layered: browser request checks, server validation, Supabase ownership, service-role isolation, rate limits, and deployment headers each cover a different failure mode.

Authentication

Dashboard and admin pages require Supabase sessions. Google sign-in exchanges a Google ID token for a Supabase session on the server.

Authorization

Workspace reads and writes are scoped by workspace membership. Admin routes require owner-admin session access or a Supabase profile marked as admin.

Request validation

Mutation endpoints reject cross-site browser requests, non-JSON bodies, oversized JSON, unsafe URLs, invalid ids, and invalid QR payloads.

Rate limits

Public API reads, mutations, session polling, health checks, auth actions, chat actions, QR scan telemetry, and crypto actions have app-level rate limits.

Secrets

Service-role keys, cron secrets, scanner API keys, Resend keys, and domain automation tokens stay server-side. NEXT_PUBLIC values are intentionally public.

Headers

Production responses include CSP, HSTS, frame blocking, no-sniff, referrer policy, and a restricted permissions policy.

Billing

Direct-wallet crypto flow

Crypto checkout does not trust client values for settlement. The server creates the quote, scanners verify chain activity, and the database function applies credits idempotently.

1User chooses a plan and crypto asset.
2The server creates a direct-wallet payment quote with an exact amount.
3The QR code encodes the wallet payload when the chain has a reliable payment URI.
4The chain scanner looks for the exact amount on the selected network.
5Confirmed payments settle through the database authority and create credit ledger rows.
6Admin payment screens show pending, confirming, confirmed, expired, and failed attempts.

Readiness

Production checks

These checks explain what has to be true before account-backed features, API persistence, admin views, chat, and billing can be considered live.

Apply supabase/schema.sql before relying on saved QR, account, admin, chat, or billing data.

Run npm run env:check for local secret shape checks.

Run npm run env:check:live after production keys and schema are applied.

Call /api/health for public uptime checks.

Call /api/health?deep=1 with Authorization: Bearer <CRON_SECRET> for backend readiness.

Use platform-level DDoS or WAF protection for volumetric traffic; app limits protect normal spam and resource abuse.

Loading qrserra

Static QR tools

Static QR codes are generated in the browser. The standard PNG flow is free and does not require an account.

Dynamic workspace

Saved QR codes, editable destinations, analytics, custom domains, and account history use Supabase-backed workspace records.

Crypto billing

Billing is direct-wallet crypto only. Quotes use exact amounts so chain scanners can match payment attempts safely.

Security controls

Protected routes use Supabase sessions, workspace ownership checks, request validation, rate limits, and server-only service credentials.

Product

What users can do

qrserra separates browser-only static QR generation from account-backed dynamic QR workflows. Free static generation stays useful without hiding the paid workflow.

Free static QR

Use URL, text, Wi-Fi, vCard, email, SMS, phone, menu, review, and event QR tools.

Customize colors and shapes, preview instantly, copy content, and download standard PNG.

Visible Pro features

Logo upload, SVG export, high-resolution PNG, dynamic saves, analytics, domains, API, and teams are visible in context.

Locked features explain the required plan instead of pretending to work.

Account workflows

Dashboard routes require authentication and read workspace-scoped QR data.

Saved QR records, scan telemetry, domains, billing, support chat, and admin screens depend on the live Supabase schema.

API

Protected app routes

The public v1 API is still a roadmap surface. The current production app routes already use the same core protection model that the future external API should keep.

RoutePurposeProtection

GET /api/qrs

List saved QR records for the signed-in workspace.

Supabase auth, workspace membership, rate limit.

POST /api/qrs

Create a dynamic QR code when the workspace plan allows it.

Same-origin, JSON-only, body limit, zod validation, plan check.

GET /api/qrs/[id]

Read one workspace QR record by id.

Supabase auth, workspace ownership, id validation, rate limit.

PATCH /api/qrs/[id]

Update title, destination, status, or design settings.

Same-origin, JSON-only, body limit, zod validation, plan check.

DELETE /api/qrs/[id]

Archive a QR record without deleting scan history.

Same-origin, workspace ownership, plan check, rate limit.

GET /q/[shortId]

Redirect active dynamic QR scans to safe http or https destinations.

Short id validation, safe URL validation, no-store redirect, limited telemetry writes.

Security

How abuse is controlled

The security model is layered: browser request checks, server validation, Supabase ownership, service-role isolation, rate limits, and deployment headers each cover a different failure mode.

Authentication

Dashboard and admin pages require Supabase sessions. Google sign-in exchanges a Google ID token for a Supabase session on the server.

Authorization

Workspace reads and writes are scoped by workspace membership. Admin routes require owner-admin session access or a Supabase profile marked as admin.

Request validation

Mutation endpoints reject cross-site browser requests, non-JSON bodies, oversized JSON, unsafe URLs, invalid ids, and invalid QR payloads.

Rate limits

Public API reads, mutations, session polling, health checks, auth actions, chat actions, QR scan telemetry, and crypto actions have app-level rate limits.

Secrets

Service-role keys, cron secrets, scanner API keys, Resend keys, and domain automation tokens stay server-side. NEXT_PUBLIC values are intentionally public.

Headers

Production responses include CSP, HSTS, frame blocking, no-sniff, referrer policy, and a restricted permissions policy.

Billing

Direct-wallet crypto flow

Crypto checkout does not trust client values for settlement. The server creates the quote, scanners verify chain activity, and the database function applies credits idempotently.

1User chooses a plan and crypto asset.
2The server creates a direct-wallet payment quote with an exact amount.
3The QR code encodes the wallet payload when the chain has a reliable payment URI.
4The chain scanner looks for the exact amount on the selected network.
5Confirmed payments settle through the database authority and create credit ledger rows.
6Admin payment screens show pending, confirming, confirmed, expired, and failed attempts.

Readiness

Production checks

These checks explain what has to be true before account-backed features, API persistence, admin views, chat, and billing can be considered live.

Apply supabase/schema.sql before relying on saved QR, account, admin, chat, or billing data.

Run npm run env:check for local secret shape checks.

Run npm run env:check:live after production keys and schema are applied.

Call /api/health for public uptime checks.

Call /api/health?deep=1 with Authorization: Bearer <CRON_SECRET> for backend readiness.

Use platform-level DDoS or WAF protection for volumetric traffic; app limits protect normal spam and resource abuse.

qrserra documentation

What users can do

Protected app routes

How abuse is controlled

Direct-wallet crypto flow

Production checks

qrserra documentation

What users can do

Protected app routes

How abuse is controlled

Direct-wallet crypto flow

Production checks