Skip to main content
All articles
Product5 min read

Why Screenshot Tickets Are a Problem (And How We Solved It)

A static QR code can be forwarded to 10 people. Our animated, HMAC-rotating tickets can't.

When a school starts charging for tickets to a show or event, a new problem appears: ticket sharing. One family buys two tickets, takes screenshots of the QR codes, and forwards them to four other families. The venue hits capacity and the school has no idea why their revenue doesn't match their headcount.

Static QR codes — the kind most ticket platforms generate — are essentially just a string of characters encoded as an image. Once that image is saved or forwarded, you have no control over how many people present it at the door.

The problem with static QR codes

A standard QR ticket works like this: the ticket contains a fixed code, the scanner looks up that code in a database, and if it's valid and hasn't been scanned yet, the person gets in. Scan it twice and it's rejected the second time.

The issue is that 'scan it twice' requires the first scan to have already registered. If two people show up at different entrances at the same moment with the same screenshot, one of them gets through before the system blocks the other. And at a school event with a PTA-run check-in, 'scan it twice' fraud is nearly impossible to catch in real time.

The screenshot problem is worse than most coordinators realize

A parent doesn't even need to be intentionally fraudulent. They show their ticket on their phone, the volunteer scans it, and the parent walks in. They leave the screenshot open in their camera roll. A sibling sees it. A grandparent asks for a copy 'just in case.' Within one family, a single ticket can legitimately turn into four presentations.

Time-windowed HMAC signatures: the fix

SignUpSpree's tickets use a different approach. Instead of a static QR code, we generate codes that change every 30 seconds using HMAC-SHA256 cryptographic signatures.

Here's how it works: the QR code contains a ticket token, the current 30-second time window, and a cryptographic hash of those two values signed with a secret key. When a scanner reads the code, it verifies the signature and checks that the time window is current (we allow a 60-second grace period for slow scanners).

A screenshot of the QR code is useless within 90 seconds. A screenshot taken yesterday is always invalid. A screenshot forwarded to another phone shows a code that's already expired.

The animated display makes fraud obvious

On top of the cryptographic rotation, the ticket display itself is animated — the background gradient continuously rotates through colors, and a live countdown timer shows seconds until the next QR refresh. A static screenshot is immediately obvious to any volunteer checking tickets: the colors aren't moving, the countdown isn't running.

You don't need sophisticated technology at the door. Any volunteer can spot a fake in two seconds.

The ticket page also shows 'ALREADY CHECKED IN' in red overlay if the ticket has been used, so re-entry attempts are immediately visible.

Why this matters for free events too

Even when tickets are free, capacity limits exist for fire code compliance. An auditorium rated for 300 people can't safely hold 400, regardless of how many paid. Reliable check-in gives coordinators real headcount data and lets them stop entry when capacity is reached.

See the full ticketing and check-in system in SignUpSpree.

Explore ticketing features

More from the blog

Product

The Best SignUpGenius Alternative for Schools in 2026

7 min read

Tips

5 Ways to Reduce Volunteer No-Shows at School Events

5 min read

How-to

How to Run a Fair Ticket Lottery for Your School Show

6 min read