Google2Fa Qrcode Laravel Package

pragmarx/google2fa-qrcode

Integrates PragmaRX Google2FA with QR code generation so you can create 2FA secrets and render enrollment QR codes (inline data URI) for Google Authenticator and similar apps. Install via Composer; works with PHP 5.4+.

Getting Started

Install the package with Composer: composer require pragmarx/google2fa-qrcode. Since this is only the QR rendering layer, also install the core TOTP validator: composer require pragmarx/google2fa. Begin by generating a secret and embedding a secure QR inline — the most common first use case is adding 2FA setup during user registration or security configuration.

Example in a controller method:

use PragmaRX\Google2FAQRCode\Google2FA;

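$google2fa = new Google2FA();
// Fully random 16-character Base32 secret. A prefix such as the user id would
// become a predictable part of the secret, so none is passed.
$secret = $google2fa->generateSecretKey(16);
// Data URI rendered locally by the installed QR backend.
$inlineSvg = $google2fa->getQRCodeInline(
    'MyApp',
    $user->email,
    $secret
);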

return view('2fa.setup', compact('secret', 'inlineSvg'));

Then render it in Blade with <img src="{{ $inlineSvg }}" alt="Scan this QR to enable 2FA">.

🔍 First stop: Check the pragmarx/google2fa README for core methods like verifyKey(), getCurrentOtp(), and storing secrets.

Implementation Patterns

  • Inline SVG/PNG (recommended): Use getQRCodeInline() to embed data URIs directly — keeps TOTP URLs off the network, preventing secret leakage. Ideal for production 2FA enrollment flows.
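  • Laravel-specific workflow: Store secrets encrypted in the DB by giving google2fa_secret an encrypted cast and saving with $user->forceFill(['google2fa_secret' => $secret])->save(). In middleware or the 2FA verification step, validate input via $google2fa->verifyKey($user->google2fa_secret, $otp). The cast decrypts the attribute on read and verifyKey() takes the Base32 secret as stored, so no base64_decode() step is needed.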
  • Custom QR rendering backend: Swap defaults for SVG output or to avoid Imagick:
    // chillerlan/php-qrcode backend: SVG output, no Imagick required
    $google2fa->setQrcodeService(
        new \PragmaRX\Google2FAQRCode\QRCode\Chillerlan()
    );
    
  • AJAX enrollment: Return QR inline via an API endpoint, inject into DOM on success — no full-page reload needed during 2FA setup.
  • Flexible format control: Configure output type (PNG/SVG/HTML) per backend; Chillerlan defaults to SVG (no Imagick), Bacon defaults to PNG (requires Imagick unless overridden).
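
One way to implement the Laravel-specific workflow from the list above, as an added example that is not the package's or this page's own code. It goes one step beyond the text by using verifyKeyNewer() from pragmarx/google2fa, which rejects a code from an already accepted time step. Assumptions: a User model with the hypothetical columns google2fa_secret (cast 'encrypted') and google2fa_ts, the hypothetical session keys 2fa_pending_secret and 2fa_passed, and a setup step that stored the new secret in the session.

```php
<?php
// Added example, not the package's own code. Assumed: a User model with the
// hypothetical columns google2fa_secret (cast 'encrypted') and google2fa_ts,
// and a setup step that put the new secret in the session as 2fa_pending_secret.
namespace App\Http\Controllers;

use Illuminate\Http\Request;
use PragmaRX\Google2FAQRCode\Google2FA;

class TwoFactorController extends Controller
{
    // Enrollment: persist the secret only once a valid code proves the
    // authenticator app really holds it.
    public function confirm(Request $request)
    {
        $secret = $request->session()->get('2fa_pending_secret');
        $step = $secret ? $this->check($request, $secret, 0) : false;
        if ($step === false) {
            return back()->withErrors(['otp' => 'Invalid code.']);
        }
        $request->session()->forget('2fa_pending_secret');
        // The 'encrypted' cast encrypts on write, so the column holds ciphertext.
        $request->user()->forceFill(['google2fa_secret' => $secret, 'google2fa_ts' => $step])->save();
        return redirect('/');
    }

    // Login: check the code against the stored secret.
    public function verify(Request $request)
    {
        $user = $request->user();
        // The cast decrypts on read; the Base32 secret is passed as is.
        $step = $this->check($request, $user->google2fa_secret, (int) $user->google2fa_ts);
        if ($step === false) {
            return back()->withErrors(['otp' => 'Invalid or already used code.']);
        }
        $user->forceFill(['google2fa_ts' => $step])->save();
        $request->session()->put('2fa_passed', true); // hypothetical flag for a middleware
        return redirect()->intended('/');
    }

    // Returns the accepted time step, or false. Codes from a step at or before
    // $lastStep are rejected, which blocks replay of an observed code.
    private function check(Request $request, string $secret, int $lastStep)
    {
        $request->validate(['otp' => 'required|digits:6']);
        return (new Google2FA())->verifyKeyNewer($secret, $request->input('otp'), $lastStep);
    }
}
```

The secret is written to the database only in confirm(), so an abandoned setup never leaves a half-enrolled account behind.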

Gotchas and Tips

  • Renderer is optional in v2+: You must install a QR backend manually (bacon/bacon-qr-code or chillerlan/php-qrcode). Without it, calls to getQRCodeInline() or getQRCodeGoogleUrl() will fail silently or throw errors.
  • Imagick gotcha: BaconQrCode’s default renderer needs the Imagick PECL extension. If avoiding system dependencies, use chillerlan/php-qrcode (SVG-only by default) or override backends explicitly with SvgImageBackEnd().
  • Insecure Google API is risky: setAllowInsecureCallToGoogleApis(true) must be called before getQRCodeGoogleUrl(). Avoid in production — secrets in URLs may leak via referrers, logs, or analytics.
  • SVG header idempotency: The package filters duplicate <svg> headers since v2.1.1, but custom renderers must emit clean SVG to avoid broken <img> tags.
  • Testing tip: Install khanamiryan/qrcode-detector-decoder in require-dev to programmatically decode generated QRs and verify the embedded secret matches:
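    // $inlinePng: PNG data URI returned by getQRCodeInline()
    $png = base64_decode(substr($inlinePng, strpos($inlinePng, ',') + 1));
    $reader = new \Zxing\QrReader($png, \Zxing\QrReader::SOURCE_TYPE_BLOB);
    $decoded = $reader->text(); // otpauth:// URL; verify its secret matches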
    
  • Version lock tightly: Google2FA-QRCode v3+ supports multiple Google2FA versions (v4–v8). Use Composer constraints like "pragmarx/google2fa-qrcode": "^3.0" and align with "pragmarx/google2fa": "^8.0" to avoid BC breaks.