How QR Labels work (the QR codes inside) in ItemTrack
A QR code in ItemTrack is just a printed URL. The URL contains a 12-character random token. When someone scans the sticker, their phone opens the URL, our server looks up what the token points to, and shows the right page.
The lifecycle
Every QR code goes through three states.
1. Generated, in pool
When an admin generates a batch of QR codes, they're created as random tokens with no owner. They sit in the platform's QR pool waiting to be allocated.
2. Allocated, unclaimed
You allocate codes to your account from the pool (one click on the QR codes page). Now they're yours but not yet pointing at anything specific. You can print them, you can hand the printed sheet to whoever, but scanning one shows: "This code is unclaimed. Sign in to claim it."
3. Claimed
When you create a box (or item, closet, location) and pick one of your unclaimed codes for it, the code becomes claimed. The token is now permanently associated with that resource. Scanning it now shows the resource page.
What a scan does
The scan opens a URL like https://store.sampletrack.one/q.php?t=abc123XYZ45. The resolver:
- Looks up the token. If not found → 404.
- Checks if it's claimed. If not → "claim this code" page.
- Identifies what it points to (item, box, closet, location).
- Redirects to that resource's view page (/items/view.php?id=..., etc.).
If the scanner is signed in to the account that owns the resource, they see the full edit-capable view. If they're signed in to a different account or signed out, they see the public/shared view (limited fields, no encrypted data).
Why a token, not a numeric ID
Three reasons:
- Privacy — sequential IDs would let anyone enumerate stickers (/q?t=00001, /q?t=00002, ...). A 12-character token is a 64-bit space; you can't guess valid ones.
- Stability — the token survives database migrations, account moves, and database resets in a way that internal IDs don't.
- Rotatability — you can rotate a code (revoke + replace) without breaking the resource itself. The resource keeps its ID; only the token changes. See Rotating a QR code.
A QR code does NOT contain your data
The QR encodes only the URL. Nothing about the contents — no titles, no photos, no serial numbers — is on the sticker. If someone scans your sticker, they get the URL, then they hit our server, which decides what (if anything) to show them based on whether they're signed in.
This means:
- A printed sticker on its own is harmless. Someone finding a discarded sticker can't read your data from it.
- If you change the title or photos of an item, the printed sticker doesn't need to be reprinted — the URL still works.
- If you delete the resource, the sticker becomes a dead link until you reattach the token to a new resource.
Token format
Each token is 12 characters from [A-Za-z0-9]. That's about 71 bits of entropy. Tokens are unique within the entire platform, not just per-account.
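The resolver steps under "What a scan does" and the token format above, sketched in PHP as an added example (this is not ItemTrack's own code). The in-memory token table, the function names, and every view path other than /items/view.php are assumptions made for illustration.

```php
<?php
// Hypothetical view paths: only /items/view.php appears on the page, the rest are assumed.
const VIEW_PATHS = [
    'item'     => '/items/view.php',
    'box'      => '/boxes/view.php',
    'closet'   => '/closets/view.php',
    'location' => '/locations/view.php',
];
// 12 characters from [A-Za-z0-9], each drawn with random_int() (CSPRNG, no modulo bias).
function generate_token(): string
{
    $alphabet = 'ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789';
    $token = '';
    for ($i = 0; $i < 12; $i++) {
        $token .= $alphabet[random_int(0, strlen($alphabet) - 1)];
    }
    return $token;
}
// Returns [HTTP status, target]: a redirect path, the marker 'claim', or null.
function resolve_scan(string $token, array $tokens): array
{
    // Reject anything that is not exactly 12 chars of [A-Za-z0-9] before the lookup.
    if (preg_match('/\A[A-Za-z0-9]{12}\z/', $token) !== 1) {
        return [404, null];
    }
    $row = $tokens[$token] ?? null;
    if ($row === null) {
        return [404, null];            // token not found
    }
    if ($row['resource_type'] === null) {
        return [200, 'claim'];         // unclaimed: show the "claim this code" page
    }
    // Build the redirect only from the allowlist and an integer id, never from input.
    $path = VIEW_PATHS[$row['resource_type']] ?? null;
    if ($path === null) {
        return [404, null];
    }
    return [302, $path . '?id=' . (int) $row['resource_id']];
}

// Constructed sample table (not real tokens): one claimed, one unclaimed.
$tokens = [
    'Qw3rTy7UiOp1' => ['resource_type' => 'item', 'resource_id' => 42],
    'Zx9CvB2nM4kL' => ['resource_type' => null, 'resource_id' => null],
];
foreach (['Qw3rTy7UiOp1', 'Zx9CvB2nM4kL', generate_token(), '00001'] as $t) {
    [$status, $target] = resolve_scan($t, $tokens);
    printf("%-12s -> %d %s\n", $t, $status, $target ?? '-');
}
```

Malformed input such as a sequential numeric ID gets the same 404 as an unknown token, so the response does not distinguish the two cases.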
Quotas
Your plan has a max number of QR codes per account. The Personal tier ships with 15 codes. Family ships with 100. Pro is configurable. See Allocating QR codes if you hit the limit.