I've thought back to my idea of incorporating an ephemeral access token into the HTTP header and forwarding it via the URL so that whenever that happens, it's not a problem. a mobile user scans the identity card (with a string encoded by the URL, eg http://example.com/api/v1/genuine) and authenticates the user.
My goal is to print the identity card with QR code and log in to the application simply by scanning it. If it is authenticated, it will automatically take attendance.
The problem is how to create a coded QR identity card to connect to a mobile application. Quite simply, the user does not want to take the participation manually and does not want to set a password each time to log in to the application. Another requirement is that the application is not left connected all the time.