I am looking for a secure way to pass a secret key when the user scans a QR-code and goes to my URL. This secret key is the key that is connected to one of my products (a smart speaker). If the secret key is valid, the user will be asked to log in or register to couple their account to the product on my webpage. However, after my research, QR-codes only pass data that is visible in the URL. This brings along security issues even if the key is encrypted: the problem of users typing in adjacent values, the keys get saved in browser history (this means malicious code could sweep through a user’s browsing history and extract passwords, tokens, etc.). They’re probably saved in my server’s logs and memory, ... Is there a more secure way to pass secret information via a QR-code to a URL?
Long story short - there is not. One usually would pass secrets as headers or in the body of the request, but you don't have this kind of flexibility when using QR codes.
Without understanding your business requirements fully, I would try to tackle the problem in the following way.