Skip to content
This repository has been archived by the owner. It is now read-only.
Minimal SQRL WIP
Branch: master
Clone or download
Fetching latest commit…
Cannot retrieve the latest commit at this time.
Type Name Latest commit message Commit time
Failed to load latest commit information.


Python SQRL (Secure QR Login) Client

What is SQRL?

A newly proposed authentication scheme from Steve Gibson of It allows for user authentication without the need of:

  • Username / Password pair
  • OTP (One Time Password)
  • Third party Interactions
  • Revealing your identity during login
  • An in-band authentication exchange

In a normal web authentication system your credentials are stored with the site you are trying to access. If the site were to be compromised yours and every other users' account information may be accessible; allowing the intruder to attempt to use your credentials elsewhere. The best part about SQRL is that the site never has your login credentials. With SQRL you never send your "password". The site authenticates you by verifying your identity by using a private / public key signature. This ends up being vastly more secure.

Details can be found here:

The SQRL protocol is new and is subject to change. I'll try my best to follow the published implementation found here:


This package requires ed25519, docopt and pyinotify

 git clone
 cd sqrl
 sudo python install


 Usage: sqrl [-d] [-n] [--path=<Dir>] <SQRLURL>

      -d               Debugging output
      -n               Notify via libnotify (Gnome)
      -p --path=<Dir>  Path for config and key storage

     sqrl "sqrl://"

You feed the sqrl URL provided by the authentication service to the script and it uses it to submit an authentication request on your behalf. Depending on how the site is designed, you may automatically get logged in. It's that simple.


  • Debug - Displays the content of the payload to you for verification
  • Notification - Displays notifications on successful or failed auth attempts (Gnome Only)


When the [-d] argument is given the script outputs all the components of the request.

Url: localhost:8080/sqrl?nut=1bfe7ef6f9989bd5709d61f7ac28195e&sqrlver=1&sqrlkey=Zl_nrges0MGPRelRoH9SEwwPcARQSA0QmYNx-ZDcOKU
Domain: "localhost"
SQRLver: 1
SQRLsig: LtYQU_j5Lwp6c0TrWEGhP0tj5o_PM8yni_tLmrG375aEIkUNdJzWl_XmLUN-dtZHuKWP1pf8iNUVSSyYRq3QDA
signature is good
You can’t perform that action at this time.