you don't have to pass us credentials, you could use a one time use token that will request the username and password from your server instead.
the QR Code format is pretty useless, it's a shortened link to our website, it contains very little data, because the QR code can't be too detailed or it gets hard to scan.