Dynamic vs static QR codes: what agencies need to know

Every QR code looks the same from across the room: a square of black and white dots. What you cannot see is the part that decides whether the thing earns its keep. Some codes are frozen the second they hit the printer. Others you can edit, redirect, and measure for years afterwards. If you run codes for clients, that one distinction is the difference between a printed asset you get a single shot at and one you reuse for years.

What a static QR code is

A static QR code holds the destination inside the pattern itself. Someone scans it, their phone reads the URL straight off the dots, and that is it. Nothing in between.

Two things follow. The destination is permanent: once it is printed, the URL is the URL forever. And you cannot measure anything, because the scan runs phone to destination with no stop along the way to record it. You will not know if it was scanned once or ten thousand times.

Static codes are simple and free to generate. For a lot of marketing work, that simplicity is also the ceiling.

What a dynamic QR code is

A dynamic code does not hold the destination at all. It holds a short link to a redirect you control (in ScanKit, a /r/ URL), and that redirect sends each scan wherever you have currently pointed it. Scan it, you sit on the redirect for a split second, then it forwards you on.

Because every scan runs through that redirect, you get two things a static code never can. You can change the destination whenever you like, without touching the printed code. And every scan gets logged, so you can actually see how many people scanned, when, and how it built across a campaign.

A quieter perk: cleaner codes

Dynamic codes usually scan better, too. A QR code's pattern gets denser the more it has to encode, and a static code holding a long URL stuffed with tracking parameters can get dense enough to struggle at small sizes. A dynamic code only ever encodes a short redirect link, so the pattern stays sparse. Less dense means it reads faster, shrinks onto a business card without falling apart, and blows up onto a billboard just fine.

Static vs dynamic at a glance

The same comparison, attribute by attribute:

• Editable after printing: static, no; dynamic, yes, in seconds.
• Scan tracking: static, none; dynamic, every scan, with timing, device, and rough location.
• Cost: static, free forever; dynamic, usually a subscription.
• Pattern density: static, grows with the URL; dynamic, always sparse and easy to scan.
• Lifespan: static, works as long as the destination page exists; dynamic, works as long as the provider's redirect stays online.
• If compromised: static, can only be fixed by reprinting; dynamic, redirect it somewhere safe in under a minute.

That trade is the whole decision in miniature: static gives up control and measurement for simplicity and independence; dynamic gives up a little independence for control and measurement.

The differences that actually bite on client work

Editing without a reprint

This is the one clients feel. A landing page expires, an offer ends, someone spots a typo, the campaign pivots. With a static code, each of those is a reprint. With a dynamic one, you change the destination in seconds and every flyer, poster, and sticker already out there points at the new page. The how and when of that is its own guide: changing a code's destination without reprinting.

Measurement and reporting

Agencies live or die on what they can show in a report, and a static code gives you nothing to show. A dynamic one gives you a scan count you can pin to a specific piece, placement, or client. That is what turns "we printed 5,000 flyers" into "those flyers pulled 1,240 scans, most of them the week we launched." What to do with that data is its own subject: which scan metrics matter.

Reusing one code across campaigns

A static code is married to one destination for life. A dynamic code is more like an empty slot you keep refilling. Print it once on durable signage, then repoint it season after season: summer menu, autumn promo, holiday booking page, the same square of dots the whole time.

Risk and control

A static code cannot be recalled. If its destination gets hijacked, goes dark, or just embarrasses the client, the code is dead and your only move is to reprint. A dynamic code you can send somewhere safe in under a minute.

Do QR codes expire?

This is the most common question about QR codes, and the answer has two halves. The pattern itself never expires: the dots are just an encoded address, and they will decode to the same thing in ten years as they do today. What can stop working is what they point at. A static code keeps working as long as its destination page stays live; it only dies if that page is moved or deleted. A dynamic code keeps working as long as the provider's redirect service stays online and your account is current; if the subscription lapses or the provider disappears, the redirect can stop resolving. So neither type expires on a timer, but a dynamic code adds a dependency on a live service. The practical takeaway for an agency is to treat that dependency as real: choose a provider that treats the redirect as critical infrastructure, and be wary of free generators that quietly expire dynamic codes after a trial.

Can you change or convert a static code?

No, and this catches people out. A static code's destination is fixed in the pattern, so once it is printed there is no editing it. You also cannot convert an existing static code to dynamic: converting just makes a brand new code that you have to reprint, while the static one already out in the world stays static. The only escape, if a static code is already printed, is to own the domain it points at and add a server redirect there yourself, which is the manual version of what a dynamic code does for you automatically. The lesson is simply to choose dynamic before you print anything you might ever want to change.

What about cost?

Static codes are free to generate, forever, with no limits, because nothing has to keep running once you make one. Dynamic codes are usually a subscription, because the provider runs the redirect and stores the analytics continuously. Pricing across the market tends to run from a small monthly fee for a handful of codes up to agency plans for managing many at once. The honest way to frame it: with a dynamic code you are paying for editability and measurement, and that cost is usually dwarfed by the print run you do not have to redo when a destination changes. For a one-off link that will never change and never needs tracking, paying anything is wasteful. For client work, the subscription is rounding error against a reprint.

Are QR codes safe? Quishing and the kill switch

QR security is worth a straight answer, because clients ask. The risk that has the FBI issuing public warnings is "quishing," QR phishing, where an attacker covers a legitimate code with a sticker of their own, or mails out codes that lead to credential-stealing pages. This risk attaches to QR codes in general, not to dynamic ones specifically, and a tampered sticker can sit over either type.

Where dynamic earns its keep on security is the kill switch. If a dynamic code's destination is ever compromised or defaced, the legitimate owner can repoint it somewhere safe in under a minute, with no reprint. A static code pointing at a hijacked page can only be fixed by pulling and reprinting it. The fair caveat is that a redirect, by its nature, hides the final URL behind a short link, which is the same property attackers exploit, so it cuts both ways.

On privacy, dynamic-code analytics are aggregate and anonymous by design: a count, a rough city, a device type, never a name. The one piece of personal data in play is the scanner's IP address, which reputable providers anonymise. Done that way, scan analytics stay aggregate and stay on the right side of GDPR.

When static is genuinely the right call

Dynamic is not always the answer. Static is fine when the destination truly will never change, like a permanent homepage or a fixed app-store link, when you do not need any scan data, and when you would rather not depend on a redirect service staying online. That last point is the honest trade: a dynamic code only works as long as the redirect resolves, so pick a provider that treats that redirect as critical infrastructure. But if you want a printed link that answers to nothing and no one, static is the simpler bet.

So which one?

The rule is short. If the destination might ever move, or anyone will ever ask how it did, go dynamic. For agency work that covers almost everything: campaigns end, offers rotate, and every client eventually asks what their money bought. Static is the exception, saved for the rare link that is set in stone and that nobody needs to measure.

Frequently asked questions

Do QR codes expire?

Not on their own. The code's pattern never expires. A static code works as long as its destination page exists; a dynamic code works as long as the provider's redirect service is live and the account is current.

Can you change a static QR code after printing?

No. The destination is fixed in the pattern, so you would have to generate and print a new code. Only dynamic codes can be edited after printing.

Are dynamic QR codes free?

Usually not. Static codes are free to generate; dynamic codes are typically a subscription, because the provider runs the redirect and stores the analytics. Some free dynamic codes exist, but they are often capped or time-limited.

Are dynamic QR codes safe?

The QR phishing risk applies to all codes, not to dynamic ones specifically. Dynamic codes add a security advantage: if a destination is compromised, you can repoint the code to safety instantly instead of reprinting. Reputable providers also anonymise scanner IPs for privacy.

Which is better for a business, static or dynamic?

For anything printed at volume, anything that might change, or anything you want to measure, dynamic. Static suits a permanent, unmeasured link and not much else.

The short version

Two codes that look identical, one of which you can fix, reuse, and measure for years while the other is set in stone the moment it prints. For most client work that makes the choice easy. Go dynamic by default, keep static for the rare link that is truly carved in stone, and you will never reprint a campaign over a typo again.