QR Developer Certification

API keys should always follow the least-privilege principle: a key used for generating QR codes should not have permission to delete them. Rotating API keys every 90 days and using separate keys for development, staging, and production environments prevents a single key compromise from affecting your entire QR infrastructure.

Create 3 API keys with different scopes: (1) read-only for your analytics dashboard, (2) create-and-read for your generation service, (3) full-access for your admin tool. Document the permission matrix and write a key rotation schedule.

Always use idempotency keys for QR code creation requests. If your network drops during a POST request, the client will retry and potentially create a duplicate code. An idempotency key (UUID in the Idempotency-Key header) ensures the server returns the original response instead of creating a duplicate.

Write a complete API client function (in JavaScript or Python) that creates a dynamic QR code with: custom colors, a logo, rounded dot pattern, Level H error correction, and a 90-day expiration. Include proper error handling for 400, 401, 429, and 500 responses with exponential backoff.

QRZONE uses cursor-based pagination instead of offset-based pagination. This means you use a 'cursor' parameter (an opaque token) to fetch the next page instead of 'page=2'. Cursor pagination is more performant at scale and prevents duplicate/missing results when data changes between requests.

Write a paginated data fetcher that retrieves ALL QR codes from an account, handling cursor-based pagination correctly. The function should: start with no cursor, loop until has_more is false, collect all results, and handle rate limit (429) responses with automatic retry. Test with a mock server.

The analytics API supports both polling (REST) and streaming (WebSocket) access patterns. For dashboards that update every 30 seconds, use the REST timeseries endpoint. For real-time displays that need sub-second updates (event venue dashboards, live campaign monitors), use the WebSocket stream.

Build a simple real-time scan dashboard using the WebSocket API. Connect to wss://stream.qrzone.io/v1/scans, authenticate with your API key, and display incoming scan events with: timestamp, country flag, device type icon, and the destination URL. Use a mock WebSocket server for testing.

Always verify webhook signatures before processing. The HMAC-SHA256 signature in the X-QRZONE-Signature header proves the webhook came from QRZONE servers, not an attacker. Skipping signature verification is the #1 security vulnerability in webhook integrations -- and it is trivially exploitable.

Implement a complete webhook handler in Node.js (Express) or Python (Flask/FastAPI). Include: HMAC-SHA256 signature verification, event_id deduplication using a database or Redis set, structured logging for each event type, and proper HTTP response codes (200 for success, 400 for bad signature, 500 for processing errors).

SDKs abstract away authentication, rate limiting, pagination, and error handling. The JavaScript SDK automatically retries on 429/500 errors with exponential backoff, handles cursor pagination transparently, and provides TypeScript types for every response object. Building directly on the REST API is only recommended when the SDK does not support your language.

Build a Next.js API route that generates a branded QR code using the JavaScript SDK. The route should: accept a URL and label in the request body, generate a dynamic QR code with custom colors and logo, return the QR image as a PNG response, and handle all error cases with appropriate HTTP status codes.

In serverless environments (AWS Lambda, Vercel Functions, Cloudflare Workers), create the API client outside the handler function to enable connection reuse across invocations. Creating a new client per request adds 50-100ms of unnecessary overhead from TLS handshake and authentication.

Design a production QR generation service architecture. Include: API client initialization (connection pooling), CDN caching layer with 1-hour TTL, database schema for QR metadata, health check endpoint, Datadog/Prometheus metrics, and a load test script that simulates 1,000 concurrent requests.

The certification exam tests practical knowledge, not memorization. Questions present real-world scenarios (e.g., 'Your webhook handler is receiving duplicate events. What is the correct deduplication strategy?') and expect you to choose the production-ready answer. Completing all practice exercises in this course is the best preparation.

Take the 10-question practice exam included in the course materials. Time yourself at 12 minutes (matching the per-question pace of the real exam). Review every incorrect answer and identify the specific lesson that covers the topic.