QR codes are the core identity primitive in PermisosQR. Each code is a numeric ID stored in the database with a lifecycle status ofDocumentation Index
Fetch the complete documentation index at: https://mintlify.com/edgar2420/QrPermision/llms.txt
Use this file to discover all available pages before exploring further.
available, active, expired, or disabled. Authenticated operators manage the pool of codes through the protected endpoints below; the public endpoints allow a mobile browser — scanning the physical QR label — to activate and close a permission without needing a pre-issued JWT.
Authenticated Endpoints
All endpoints in this section require anAuthorization: Bearer <token> header obtained from POST /api/auth/login.
GET /api/qr
Returns a paginated list of all QR codes, optionally filtered by status or ID fragment. Each record is joined with the active permission (if any) to expose real-time bearer and exit information. Auth required: Bearer Query parametersFilter by QR lifecycle status. One of
available, active, expired, or disabled.Partial match against the numeric QR ID (e.g.
"42" matches IDs 42, 142, 420).Page number. Defaults to
1.Records per page. Defaults to
20.POST /api/qr/generate
Bulk-generates a specified number of new QR codes, all withavailable status. Restricted to Super Admins.
Auth required: Bearer — Super Admin only
Number of QR codes to create. Must be between
1 and 500 (inclusive).| Status | Condition |
|---|---|
400 | quantity is missing, less than 1, or greater than 500 |
403 | Authenticated user does not have the super_admin role |
GET /api/qr/:id
Fetches a single QR code by its numeric ID, including joined permission details if the code is currently active. Auth required: Bearer Path parameter:id — integer QR code ID
Response 200 — Same QRCode object shape as GET /api/qr.
Error responses
| Status | Condition |
|---|---|
404 | No QR code with the given ID exists |
PATCH /api/qr/:id/disable
Sets a QR code’s status todisabled, preventing it from being scanned or activated. Cannot be applied while the code is actively in use.
Auth required: Bearer
Path parameter: id — integer QR code ID
Response 200 — Updated QRCode object (full row from qr_codes).
Error responses
| Status | Condition |
|---|---|
400 | QR status is currently active — close the open permission first |
404 | QR not found |
PATCH /api/qr/:id/reactivate
Restores adisabled or expired QR code to available status so it can be activated again.
Auth required: Bearer
Path parameter: id — integer QR code ID
Response 200 — Updated QRCode object with status: "available".
Error responses
| Status | Condition |
|---|---|
400 | QR is already active |
404 | QR not found |
DELETE /api/qr/:id
Permanently removes a QR code and all associated permission records from the database. This action is irreversible. Restricted to Super Admins. Auth required: Bearer — Super Admin only Path parameter:id — integer QR code ID
Response 200
| Status | Condition |
|---|---|
400 | QR is currently active — cannot delete a code in use |
403 | Authenticated user is not a Super Admin |
404 | QR not found |
Public Endpoints
These endpoints do not require a pre-issued JWT. Instead, they accept anemail and password in the request body to identify the operator performing the action. They are designed to be called directly from a mobile browser that has scanned a physical QR label.
GET /api/qr/public/:id
Returns the current public-facing state of a QR code — enough information for a mobile UI to show the bearer’s name, remaining time, and compliance status. No credentials required. Auth required: None Path parameter:id — integer QR code ID
Response 200
POST /api/qr/public/:id/enable
Activates a QR code from a mobile scan. The operator supplies their credentials in the body; the server validates them against theusers table, then atomically creates a permission record and flips the QR status to active. exit_time is set to NOW() at the moment of the database write.
Auth required: None (credentials in body)
Full name of the person receiving the pass (e.g. employee or visitor name).
Time budget in minutes granted for this exit. Defaults to
15 if omitted.Email of the operator authorising the exit. Verified against the database.
Plaintext password of the authorising operator. Compared against the stored bcrypt hash.
GET /api/qr/public/:id, now with status: "active" and a populated exit_time).
Error responses
| Status | Condition |
|---|---|
400 | receivedBy is missing; or email/password is missing; or QR is not in available status |
401 | Operator email not found, or password does not match stored hash |
403 | Operator account is inactive (is_active = false) |
404 | QR not found |
POST /api/qr/public/:id/return
Closes an active permission from a mobile scan. The server verifies operator credentials, then calculatestime_used_minutes, delay_minutes, and is_compliant before resetting the QR to available.
Compliance rule: A permission is compliant (is_compliant: true) when delay_minutes <= 0, i.e. the bearer returned before or exactly at the allowed_minutes deadline.
Auth required: None (credentials in body)
Email of the operator recording the return.
Plaintext password of the operator recording the return.
| Status | Condition |
|---|---|
400 | email/password is missing; or QR is not in active status |
401 | Operator email not found, or password does not match stored hash |
403 | Operator account is inactive (is_active = false) |
404 | QR not found, or no open permission record found |