QRocodilla: Why We Built an Open-Source QR Code Studio

A printed QR code is a promise you can't patch — so we stopped renting it. QRocodilla is qoliber's MIT-licensed, self-hosted QR code studio and link shortener: dynamic codes on your own domain, deep styling, privacy-first analytics, one container. Here's why we built it — and why we're giving it to the community.
Skip to content
QRocodilla: Why We Built an Open-Source QR Code Studio

Open source · from the qoliber workshop

Why we built QRocodilla.

Our QR code studio and link shortener just hit 1.0 — MIT-licensed, self-hosted, free for anyone. It exists because of one belief: a printed QR code is a promise you shouldn't outsource. And we're giving it away because that's what we do — qoliber is one of the few companies in our market that doesn't just use open source, but builds it for others.

Jakub Winkler · Founder, qoliber · July 2026 · 6 min read

QRocodilla — an orange cartoon crocodile holding a QR code and an analytics chart

It started as an internal itch

For years we ran a tiny, private URL shortener on one of our servers. Nothing glamorous — a table of codes, a redirect, a click counter. We used it for slide decks, extension documentation, business cards, conference one-pagers. It was ugly, but it was ours: our domain, our database, our uptime.

Then QR codes crept into everything we print — booth banners, product packaging for clients, event badges — and we hit the wall every team eventually hits: the moment you want a QR code you can restyle, track, and repoint, you're pushed toward a subscription service that owns the most important part of the chain. So over a few intense weeks we rebuilt our little shortener into what it always wanted to be. And because sharing what we build is a habit at qoliber, not a marketing move, it was never really a question whether this one would be open source too.

The moment a QR code leaves a screen and lands on paper, you can't patch it. Reprint, or regret.

A printed QR code is a promise

The industry's answer to unpatchable print is the dynamic QR code: the code points at a short link, and the redirect can be changed later. It's the right idea — but in most tools, that redirect runs through somebody else's domain. Your packaging now depends on their pricing page. Let the subscription lapse, let the startup pivot, and every code you've ever printed dies with it — or worse, gets parked on an ad page.

QRocodilla self-hosts the promise. The short domain is yours, the database is a SQLite file on your disk, and the redirect will work for exactly as long as you decide it should. Destinations stay editable after printing, links can expire on a schedule, and a retired code returns an honest HTTP 410 instead of a surprise.

Scan data is personal data

Every scan of a hosted QR code sends someone's IP address, location, and device through a third-party tracker. "Free" QR generators monetize that. We do GDPR compliance work for a living, so for us this isn't a hypothetical — it's a liability we didn't want to hand to our clients' customers.

QRocodilla's analytics are privacy-first by construction: raw IP addresses are never stored, unique visitors are counted (optionally) through a daily-salted hash that makes cross-day tracking impossible by design, and there isn't a single third-party script in the entire app. You still get the numbers that matter — scans over time, referrers, devices, countries — without collecting what you'd rather not hold.

What's in the box

  • Dynamic short-link QRs

    Trackable codes on your own domain. Edit the destination after printing; set expiry dates.

  • Ten static QR types

    vCard, MeCard, Wi-Fi, email, phone, SMS, geo, calendar events, plain text, URLs.

  • A real styling engine

    Module and eye shapes, gradients, embedded logos, frames and captions — rendered server-side to crisp SVG and PNG.

  • Scannability guardrails

    Error correction auto-raises when you embed a logo, and the studio warns about low-contrast combinations before you print them.

  • Privacy-first analytics

    Scans, referrers, devices, countries — with no raw IPs stored, ever.

  • REST API

    Full CRUD, stats, and QR rendering behind bearer keys (only their hashes are stored).

Built the boring way, on purpose

At qoliber we build Magento extensions with one rule: clean, lightweight, future-proof. QRocodilla follows the same rule. It's Next.js and a single SQLite file — no Postgres cluster, no Redis, no S3 bucket, no background workers. Backing it up means copying a folder. Every dependency you don't add is a dependency you never have to debug at 2 a.m.

QR rendering is our own SVG engine on the server (no headless browser, no canvas), the admin password is scrypt-hashed, logins are rate-limited, uploads are validated by magic bytes — and the whole thing ships with a test suite we actually trust.

1 container · 0 external services · 283 tests · MIT

Why give it away?

Here's an uncomfortable truth about our industry: almost everyone runs on open source, and almost nobody gives anything back. Agencies build entire businesses on free software and keep every line they write behind a client contract. We've chosen to be different — qoliber is one of the few companies on this market that actually cares about open source and builds it for others, not just for ourselves. We contribute to the ecosystems we live in — MageOS, Hyvä, the wider Magento community — and we release real, maintained tools, because we know first-hand that those ecosystems only exist thanks to people who shared their work with us.

QRocodilla is the newest addition to that lineup. There's no upsell waiting behind a feature flag, no "community edition" ceiling, no email wall. It's MIT. Run it for your agency, your restaurant, your conference. Fork it, white-label it, put your own mascot on it. And if it saves you from ever printing ten thousand boxes with somebody else's subscription baked into the artwork — it did its job.

Try it in two minutes

# clone, configure, run
git clone https://github.com/QRocodilla/qrocodilla.git && cd qrocodilla
cp .env.example .env   # set SESSION_SECRET (openssl rand -hex 32)
docker compose up -d

Open http://localhost:3000, claim your admin account in the setup wizard, and print something you'll never have to regret.

Jakub Winkler is the founder of qoliber, a Magento development agency building clean, lightweight, future-proof extensions — and one of the few companies on the market that builds and maintains open-source tools for the community. QRocodilla is qoliber's open-source QR code studio & link shortener — MIT-licensed on GitHub.

Jakub Winkler
Written by Jakub Winkler

Specialist in optimization and efficiency of store platforms. He has been actively working in the eCommerce industry for 14 years, dealing with the architecture of eCommerce systems and application performance optimization. Founder of the qoliber brand, active developer and author of the bestseller "Mastering Adobe Commerce Frontend". His passion is improving the speed and efficiency of online stores. 

Share by

Featured Products