expiry, explained
Do QR codes expire?
No — the QR standard has no expiry date. What actually expires is a paid dynamic code's redirect server. Here's what really stops a code working, and what never can.
The short answer
No — not the code itself. A QR code is a printed pattern of black and white squares, and there is no clock ticking inside it. The international standard that defines QR codes, ISO/IEC 18004, describes how to encode data, the symbol sizes, the error-correction maths and the reference algorithm for decoding the grid. Nowhere in it is there a field for an expiry date, an owner, an account or a server, and nothing in the format makes a code stop working. So when someone tells you a QR code “expired”, something more specific is going on — and it’s almost always the same thing.
Then why do people say theirs expired?
Because two very different things both get called “a QR code”, and only one of them can be switched off.
- A static code holds its data directly in the pattern. The URL, the WiFi password, the contact card — the squares are the data. There’s no server, no account and no lookup behind it. A scanner decodes it right there on the phone, so there is nothing to lapse, nothing to cancel, nothing to run out. It cannot expire.
- A dynamic code holds a short redirect URL, usually controlled by a third-party vendor — something like
vendor.co/abc123. Every scan hits that vendor’s server, which then forwards the phone to the real destination. That server is the moving part, and it’s the part that can be turned off.
What people experience as a QR code “expiring” is almost always a dynamic one. The subscription lapses, the free trial ends, a scan cap is hit or the platform shuts down — the vendor stops resolving the redirect, and the scan lands on an “expired” page, an upsell, or nowhere at all. The printed squares are completely unchanged. It’s not the code that died; it’s the server behind it. If the static-versus-dynamic split is new to you, static vs dynamic QR codes walks through it slowly.
The standard genuinely has no concept of expiry
This is worth being precise about, because it’s the whole point. ISO/IEC 18004 (current edition 2024) has no expiry mechanism anywhere in it. There is no “valid until” field and no rule that makes a symbol go stale.
You can, if you want, write a date into the data itself — a URL like example.com/menu?expires=2026-01-01, or the standardised GS1 “use-by” identifier that some product codes carry. But those are just inert characters sitting in the payload. No ordinary phone scanner reads that date, checks the calendar and refuses to open the link. The standard gives you a place to store a date; it gives nothing that acts on one. That’s exactly why a dynamic code’s expiry has to live in the redirect server it points at, not in the printed pattern — the pattern has nowhere to keep a timer.
So who decides when a dynamic code stops? The vendor does
Deactivation isn’t a property of QR codes — it’s a business decision by whoever runs the redirect. And the terms vary:
- Most paid platforms cut the redirect the moment a trial or subscription lapses, often immediately, with no grace period. The code goes dead the day the card is declined.
- Some keep it live for a grace window — reported ranges run roughly 7 to 30 days — before pulling the plug.
- Some deliberately hand you the switch, letting you set your own expiry date or a scan cap so the code retires on your schedule.
The one dependable rule across all of them: whoever controls the redirect decides when it stops resolving. If that’s a vendor, it’s their call, on their terms.
The irony worth noticing
Search “do QR codes expire?” and most of the pages you’ll find are published by companies selling dynamic-QR subscriptions. To their credit, they usually state the facts correctly — static codes never expire. Then they use it: a static code, they point out, “can’t be fixed” if its destination ever breaks, so you should pay for a dynamic code to stay in “control”.
Here’s the twist. Dynamic codes are the ones that actually stop working, precisely because they route through a vendor-controlled redirect that dies when the billing does. The expiry risk being sold to you as the reason to pay is, in large part, created by the very product sold as the cure. Worth keeping in mind when you read that a static code is a liability.
When a static code can still appear to break
Honesty cuts both ways, so here are the ways a code that can’t “expire” might still stop doing its job. None of them is expiry, but they can feel like it:
- Link rot. The code is perfect; its destination moved, was taken down, or now returns a 404. The scan works — it just arrives at a dead page. This is common: a 2024 Pew Research study found 38% of webpages that existed in 2013 were no longer accessible a decade later, and estimates of the average page’s lifespan run to only a couple of years. The fix is to restore or redirect the destination, not to reprint the code.
- Physical wear. UV and sunlight fade the ink and drop the contrast a scanner needs; smudges, moisture, scratches, tears and warping damage the modules. Error correction absorbs some of this — the four levels tolerate roughly L ~7% to H ~30% of damage — but not unlimited amounts, and it can’t rescue a destroyed corner finder pattern. For codes living outdoors or getting handled a lot, print bigger, matte and on durable stock; what makes a good QR code covers the details.
What doesn’t happen is digital decay. A static code doesn’t “time out” with age. Decoding is deterministic image processing, not a network call, so a code generated years ago decodes identically today. If a code that used to work suddenly won’t, the culprit is one of the above — see why won’t my QR code scan? to narrow it down.
What about codes you make at dottr?
Every code dottr generates is static, and it’s drawn entirely in your browser — no account, nothing stored on a server, no redirect of ours behind it. That means there is simply nothing that can expire: no subscription to lapse, no trial to end, no platform that could go dark and take your code with it. The pattern is the data, and it’s yours. You can make one free in your browser and it’ll keep working for as long as its destination stays live.
If you want the option to re-aim it later
There’s one honest trade-off. Because a static code is permanent, you can’t change where it points after it’s printed. If you might need to — a menu URL that’ll change, a campaign page that’ll move — put a short link you control in front of it before you generate the code. The printed squares stay fixed forever, but you re-aim the link in seconds.
Just go in clear-eyed: a redirect is a dependency, and whoever runs it decides whether it keeps resolving. A free shortener can shut down or start charging. The way to minimise that risk is to own the link — use your own domain, so if a provider disappears you just update where it points and every printed code carries on working. That’s the same lever the paid platforms sell, without renting it.
QR codes don’t expire; redirect subscriptions do. If you want a code that can’t be switched off by anyone, build a QR code at dottr — it’s free, runs entirely in your browser, and nothing you type ever leaves your device.