Skip to main content

OpenPath (Avigilon Alta) Access Control Integration

Overview

OpenPath (now Avigilon Alta) is a cloud-based access control platform that enables flexible, secure physical access management without the need for on-premises servers. The Nexudus integration with OpenPath automates credential provisioning and access group assignments based on customer contracts, passes, bookings, and desk assignments.
OpenPath and Avigilon Alta refer to the same platform. The product was rebranded to Avigilon Alta but may still appear as “OpenPath” in some places within Nexudus.

Key Features

  • Cloud-based management: Manage access from anywhere through OpenPath’s web platform
  • Mobile access: Customers can use the Nexudus Passport app with mobile credentials
  • Automatic provisioning: Access is granted and revoked automatically based on plan changes, bookings, and pass assignments
  • Check-in tracking: Optionally use reader events to check customers in/out
  • Multiple card types: Support for MIFARE CSN, DESFire encrypted cards, and custom card formats
  • Group-based permissions: Map your inventory (passes, resources, desks) to OpenPath groups
  • Booking-based temporary access: Automatic access during reservation windows
  • Visitor cloud keys: Generate time-limited access links for visitors and guests
  • Remote unlock: Allow customers to unlock doors remotely through the mobile app
  • Multi-region support: Available in US and EU data centers

Integration Type

Cloud-based — OpenPath operates entirely in the cloud with no on-premises server requirements.

Capabilities

FeatureSupportedNotes
Pass-based access✅ YesCustomers receive access based on their active passes
Plan-based access✅ IndirectPlans grant access through the passes they include
Resource-based access✅ YesGrants temporary access during reservations
Desk/unit-based access✅ YesIncludes support for team billing contracts
Visitor access✅ YesCloud key links with time-limited access
Booking guest access✅ YesCustomers added as booking guests receive access based on booking resource and timing
Check-in tracking✅ YesReader events trigger automatic check-ins
Mobile app access✅ YesNexudus Passport app integration with mobile credentials
Remote door unlock✅ YesCustomers can unlock doors without being physically present
Physical access cards✅ YesMIFARE, DESFire, and custom card formats

How It Works

Access Control Model

OpenPath uses a group-based model to manage access permissions:
  • Users represent individuals in the system (mapped to Nexudus customers)
  • Groups define collections of doors/entries that users can access
  • Entries are individual access points (doors, gates, turnstiles)
  • Credentials are the methods users authenticate with (mobile, cards, cloud keys)
  • Readers are the physical devices that grant access at entries
When a customer’s access needs change in Nexudus (e.g., they purchase a pass, book a resource, or their contract renews), the integration automatically updates their user record in OpenPath with the appropriate group memberships.

Multi-Door Support

OpenPath uses groups to grant permissions to multiple entries. Instead of mapping each entry individually:
  1. In OpenPath, create a group (e.g., “24/7 Access”)
  2. Add the relevant entries to that group in OpenPath
  3. In Nexudus, map your pass/resource/desk to that group by its ID
  4. Customers with that pass automatically get access to all entries in the group
You must configure which entries belong to each group in the OpenPath platform. Nexudus assigns customers to groups, but the entry-to-group mapping is managed in OpenPath.

Credential Types

OpenPath supports multiple credential types:
  1. Mobile credentials: Bluetooth-enabled access through the Nexudus Passport app
  2. Cloud keys: Time-limited web links for temporary access (primarily for visitors)
  3. Physical cards: RFID cards in various formats
    • MIFARE CSN: Simple card serial number (fast, less secure)
    • DESFire: Encrypted card data (secure, recommended)
    • Custom formats: Configurable card formats with facility codes and other fields
Every customer receives a mobile credential automatically. Physical cards are optional and configured via the customer’s Access Card ID field.

Prerequisites

Before connecting Nexudus to OpenPath, ensure you have:
  1. Active OpenPath account with administrator access
  2. API credentials (username and password for API authentication)
  3. Organization ID — The numeric identifier for your OpenPath organization
  4. Region selection — US or EU based on your data center location
  5. OpenPath system configured with readers installed and online
  6. Groups created in OpenPath for different access levels (e.g., 24/7 access, business hours only)
  7. Nexudus location configured with plans, passes, and resources

Configuration

Step 1: Connect to OpenPath

  1. In the Nexudus dashboard, go to Settings > Integrations
  2. Find OpenPath or Avigilon Alta in the list and click Connect
  3. Enter your connection details:
    • Username: Your OpenPath API username
    • Password: Your OpenPath API password
    • Organization ID: The numeric ID of your organization
    • Region: Select US or EU based on your data center
  4. Click Save to establish the connection
Once connected, Nexudus can read your OpenPath groups, entries, readers, and credential types.
The region setting determines which API endpoint is used:
  • US: https://api.openpath.com
  • EU: https://api.eu.openpath.com
Choose the region where your OpenPath account was created.

Step 2: Configure Credential Type

OpenPath supports multiple types of physical access cards. Choose the credential type that matches your hardware.
  1. In the Credential Type section, select your card type:
    • Automatic (recommended): Auto-detects based on card number length
      • 14 digits → DESFire (encrypted, secure)
      • Other lengths → MIFARE CSN (fast, less secure)
    • Specific card type: Choose a specific credential type if you have custom cards
  2. Card Format (optional): If using custom card formats with facility codes or site codes:
    • Select the card format from the dropdown
    • Enter values for required fields (facility code, company code, etc.)
    • These values apply to all cards issued at this location
  3. Click Save
Card type recommendations:
  • DESFire (Encrypted): More secure, slightly slower to read
  • MIFARE CSN: Faster to read, less secure (uses only the card serial number)
  • Automatic: Best for most installations — uses DESFire for 14-digit cards, MIFARE for others
Card formats are typically pre-configured in OpenPath by your installer. Only configure custom fields if you’re using cards with facility codes or site-specific encoding.

Step 3: Configure Presence Tracking (Optional)

OpenPath can trigger automatic check-ins when customers unlock specific readers.
  1. In the Presence Tracking section, you’ll see all readers from your OpenPath system
  2. For each reader, choose an action:
    • Nothing: Reader access is tracked in OpenPath but doesn’t affect Nexudus
    • Check In: Unlocking this reader checks the customer in
    • Check Out: Unlocking this reader checks the customer out
    • Toggle: Unlocking switches between checked in and checked out
Common scenarios:
  • Set the main entrance reader to Check In
  • Set the exit reader to Check Out
  • Set internal readers to Nothing (access granted but doesn’t affect presence)
Check-in tracking requires event processing. Nexudus syncs reader events every 9 minutes and triggers the appropriate check-in action based on your configuration.

Step 4: Map Passes to Groups

Passes are the primary way customers receive access in Nexudus. Each pass can be mapped to an OpenPath group.
  1. In the Passes section, you’ll see all passes configured for this location
  2. For each pass, select the OpenPath Group that customers should be assigned to when they hold that pass
  3. Leave blank if a pass should not grant physical access
How it works:
  • When a customer has an active contract on a plan that includes passes, they automatically receive those passes
  • If the pass is mapped to an OpenPath group, the customer is added to that group
  • When the pass expires or is consumed, access is revoked
  • Time-limited passes (e.g., day passes with validity windows) automatically grant and revoke access at the appropriate times
Example mapping:
Pass NameOpenPath GroupPurpose
24/7 Access Pass24/7 MembersRound-the-clock building access
Business Hours PassBusiness HoursAccess only during operating hours
Meeting Room PassMeeting RoomsAccess to meeting room zones
Plans are not directly mapped to OpenPath groups. Instead:
  1. Plans include passes via the plan configuration
  2. Passes are what get mapped to groups
  3. When a customer starts a contract on a plan, they receive the passes included in that plan
  4. Those passes then grant the associated OpenPath access

Step 5: Map Resources to Groups

Resources (meeting rooms, event spaces, etc.) can require specific access permissions for bookings.
  1. In the Resources section, you’ll see all resources configured for this location
  2. For each resource, select the OpenPath Group required to access that space
  3. Leave blank if resource bookings should not grant physical access
How it works:
  • When a customer books a resource, Nexudus grants them access 15 minutes before the booking starts
  • Access is automatically revoked 15 minutes after the booking ends
  • If the booking is cancelled, access is removed immediately
Example mapping:
Resource NameOpenPath GroupPurpose
Conference Room AConference RoomsAccess to conference room zone
Event SpaceEvent HallAccess to event space for bookings
Private OfficePrivate OfficesAccess to private office area
Resource-based access is temporary and booking-specific. A customer only receives access during their booking window, even if they don’t hold a general access pass.

Step 6: Map Desks/Units to Groups

Floor plan desks and units can grant access to specific areas when included in a customer’s contract.
  1. In the Desks/Units section, you’ll see all desks from your floor plans
  2. For each desk, select the OpenPath Group required to access that area
  3. Leave blank if desk assignments should not grant physical access
How it works:
  • When a desk is added to a customer’s contract, they receive access to the mapped group
  • Access is granted when the contract starts and revoked when it ends
  • Team billing support: If a customer uses team billing (merged billing), they also receive access to desks included in the paying member’s contracts
Example mapping:
Desk/Unit NameOpenPath GroupPurpose
Private Office #101Private Office Floor 1Access to first-floor private office area
Dedicated Desk Zone ADesk Area AAccess to dedicated desk zone A
Studio #5Studio AccessAccess to individual studio unit
Desk access is based on contract assignments, not direct desk bookings. Customers must have the desk included in an active contract to receive access. Ad-hoc desk bookings (if using desk booking) do not automatically grant OpenPath access.

Step 7: Configure Visitor Cloud Keys (Optional)

OpenPath supports generating time-limited access links (cloud keys) for visitors and guests. To enable visitor cloud keys:
  1. In Settings > Integrations > OpenPath, enable the setting:
    • Send a CloudKey link to visitors: Set to Yes/True
  2. Configure CloudKey Guests Entry IDs: Enter the entry IDs that visitors should have access to
    • Format: Comma-separated list of entry IDs (e.g., 123,456,789)
    • Find entry IDs in your OpenPath dashboard under Entries
  3. Click Save
How visitor cloud keys work:
  1. When you register a visitor in Nexudus, a cloud key link is automatically generated
  2. The visitor receives an email with the access link
  3. They can open the link on their mobile device to unlock doors
  4. Access is valid from 15 minutes before their expected arrival until:
    • Next day at midnight (for general visitors)
    • 15 minutes after booking end time (for booking guests)
  5. If the visitor is associated with a booking, they automatically receive access to the booked resource’s entries
Booking integration: If a visitor is added as a guest on a resource booking:
  • The cloud key is automatically scoped to the resource’s access group
  • Access timing matches the booking window (start to end + 15 minutes)
  • No need to manually configure entry IDs for booking-based visitors
Cloud keys are temporary credentials that expire automatically. Visitors don’t need to download an app — they simply open the web link on their mobile device.

Step 8: Save Configuration

  1. Review all mappings to ensure they’re correct
  2. Click Save to apply the configuration
  3. Nexudus will immediately start provisioning access for customers based on the new mappings

How Access is Managed

When Access is Granted

Nexudus automatically grants OpenPath access when:
  1. Contract starts: Customer begins a contract on a plan → receives passes included in that plan → assigned to corresponding OpenPath groups
  2. Pass activated: Customer receives a pass directly (not via a contract) → assigned to the mapped OpenPath group
  3. Booking created: Customer books a resource → granted access to resource’s group 15 minutes before booking start time
  4. Desk added to contract: Desk is added to an active contract → customer receives access to the desk’s mapped group
  5. Booking guest added: Non-customer is added as a guest on a booking → granted cloud key access for the booking duration
  6. Visitor registered: Visitor is registered → receives cloud key link with time-limited access
  7. Check-in active: Customer with a valid pass checks in → maintains access through the check-in period

When Access is Revoked

Nexudus automatically revokes OpenPath access when:
  1. Contract ends or cancelled: Customer loses passes from that contract → removed from corresponding OpenPath groups
  2. Pass expires: Pass validity ends or usage is consumed → removed from mapped OpenPath group
  3. Booking ends or cancelled: Booking time expires or is cancelled → access to resource’s group is removed
  4. Desk removed from contract: Desk is removed from contract → access to desk’s group is revoked
  5. Customer deactivated: Customer account is deactivated → all OpenPath access removed
  6. No access groups remain: If customer has no passes, bookings, or desks → user is deleted from OpenPath

Access Update Timing

  • Immediate updates: Contract changes, pass assignments, and customer deactivations trigger access updates within seconds (5-second debounce)
  • Booking lead time: Booking access is granted 15 minutes before the booking start time
  • Background processing: Access updates are queued in background jobs to handle high volumes efficiently
  • Event processing: Reader events are synced every 9 minutes for check-in tracking
  • Automatic retry: Failed operations retry automatically with exponential backoff (5 retries over 5 minutes)
If a customer should have access but doesn’t, the system automatically retries access provisioning. Check the Business Checkup page for any integration errors.

Mobile App Experience

Customers can use the Nexudus Passport mobile app to unlock doors remotely.

Setup for Customers

  1. Customer downloads the Nexudus Passport app (iOS or Android)
  2. Signs in with their Nexudus credentials
  3. App detects OpenPath integration is active
  4. Customer receives a mobile credential automatically
  5. Customer can view available entries and unlock them remotely

Using Mobile Access

  1. Customer opens the Nexudus Passport app
  2. Navigates to Unlock Doors section
  3. Views list of entries they currently have access to
  4. Taps Unlock to remotely unlock an entry
  5. Can also use Bluetooth proximity unlock if available

Mobile Credential Provisioning

Mobile credentials are issued automatically:
  • Automatic creation: When a customer receives their first access group, a mobile credential is created
  • Manual provisioning (optional): Enable Set Up Mobile Credential in settings to automatically provision the credential for immediate use
  • App-based setup: Customers can also provision credentials through the Nexudus Passport app
Mobile credentials work via Bluetooth and web-based remote unlock. Customers need Bluetooth enabled on their device for proximity-based unlocking.

Physical Card Management

OpenPath supports traditional RFID access cards alongside mobile access. To assign cards:
  1. Go to Operations > Customers
  2. Select the customer
  3. In their profile, enter card IDs in the Access Card ID field
  4. Separate multiple cards with commas: 123456,789012,345678
  5. Save the customer profile
Card behavior:
  • No card: User receives mobile credential only
  • Card assigned: User has both physical card and mobile credential
  • Card removed: Physical credential is deleted, mobile credential remains
Card type detection (Automatic mode):
  • 14-digit cards: Created as DESFire (encrypted)
  • Other lengths: Created as MIFARE CSN
  • Specific type selected: Uses the configured credential type
OpenPath uses the card number directly without additional encoding. If you need facility codes or site codes, select a custom card format and configure the additional fields.

Visitor Access

Generating Visitor Cloud Keys

OpenPath provides time-limited access links for visitors: Automatic generation:
  1. Register a visitor in Operations > Visitors
  2. Enter their email address and expected arrival time
  3. Nexudus automatically generates a cloud key link
  4. The visitor receives the link via email
Manual generation:
  1. Open an existing visitor record
  2. Click Generate Access Link (if available)
  3. Copy the link and send it to the visitor

Cloud Key Access Scope

For general visitors:
  • Access to entries specified in Visitor Entry IDs setting
  • Valid from 15 minutes before expected arrival
  • Expires at midnight the following day (in location’s timezone)
For booking guests:
  • Access to all entries in the booked resource’s access group
  • Valid from 15 minutes before booking start
  • Expires 15 minutes after booking end
  • Overrides general visitor entry IDs
Access link usage:
  1. Visitor opens the link on their mobile device
  2. Link opens the OpenPath web interface
  3. Visitor can unlock assigned entries
  4. Access expires automatically at the configured time
Visitors don’t need to create an account or download an app. The cloud key link provides temporary access through their mobile browser.

Managing Visitor Access

To revoke visitor access:
  1. Go to Operations > Visitors
  2. Select the visitor
  3. Click Revoke Access or delete the visitor record
  4. The cloud key is immediately invalidated
Access is automatically revoked when:
  • The visitor’s expected departure time passes
  • The associated booking ends (for booking guests)
  • The visitor record is deleted
  • The visitor checks out

Remote Door Unlock

Customers can unlock doors remotely through the Nexudus Passport app without being physically present.

Enabling Remote Unlock

  1. In Settings > Integrations > OpenPath, enable:
    • Has Remote Unlock: Set to Yes/True
  2. This setting allows customers to unlock doors from anywhere, not just via proximity

How Remote Unlock Works

  1. Customer opens Nexudus Passport app
  2. Selects the entry to unlock
  3. Taps Unlock
  4. Nexudus sends the unlock command to OpenPath
  5. Door unlocks immediately (subject to OpenPath’s configured unlock duration)
Remote unlock allows customers to unlock doors without being physically present. Only enable this feature if your security policy allows remote access.

Troubleshooting

Possible causes:
  1. Pass not mapped: The passes included in the customer’s plan are not mapped to any OpenPath groups
    • Solution: Go to Settings > Integrations > OpenPath and map the relevant passes to groups
  2. Pass expired or inactive: The customer’s pass has expired or hasn’t started yet
    • Solution: Check the customer’s passes under their profile to verify validity windows
  3. User not created: The customer wasn’t created in OpenPath
    • Solution: Check the Business Checkup page for integration errors, or manually trigger an update by editing and saving the customer’s profile
  4. Group permissions: The OpenPath group exists but isn’t assigned to any entries
    • Solution: In OpenPath, verify the group includes the correct entries
  5. No credentials: Customer doesn’t have a mobile credential or physical card
    • Solution: Check the customer’s OpenPath user record to verify credentials were created
  6. Credential not provisioned: Mobile credential exists but isn’t provisioned
    • Solution: Enable “Set Up Mobile Credential” in settings, or have the customer provision through the app
Possible causes:
  1. Resource not mapped: The booked resource is not mapped to an OpenPath group
    • Solution: Map the resource to a group in Settings > Integrations > OpenPath
  2. Booking too far in future: Access is only granted 15 minutes before booking start time
    • Solution: Wait until booking is within 15 minutes of start time
  3. Booking not confirmed: Some resources require booking confirmation
    • Solution: Confirm the booking if it’s in pending state
  4. Group has no entries: The mapped group exists but doesn’t contain any entries
    • Solution: In OpenPath, add entries to the group
Possible causes:
  1. No active access: Customer doesn’t have any passes or bookings that grant access
    • Solution: Verify customer has an active pass or upcoming booking mapped to OpenPath groups
  2. Credential not provisioned: Mobile credential exists but not provisioned
    • Solution: Enable “Set Up Mobile Credential” setting, or have customer tap “Provision” in the app
  3. App not refreshed: Entry list hasn’t updated after access was granted
    • Solution: Customer should pull down to refresh the entry list in the app
  4. Wrong region: App is connecting to wrong OpenPath region
    • Solution: Verify the region setting matches your OpenPath account (US or EU)
Possible causes:
  1. Reader action not configured: Reader is set to “Nothing” instead of a check-in action
    • Solution: Configure the reader action in Settings > Integrations > OpenPath
  2. Event processing disabled: Events aren’t being synced
    • Solution: Check that the OpenPath integration is enabled and credentials are valid
  3. Sync delay: Background task runs every 9 minutes
    • Solution: Wait up to 9 minutes for the next event sync cycle
  4. No external ID: User in OpenPath doesn’t have an external ID linking to Nexudus
    • Solution: Delete and recreate the user by updating the customer’s access
Possible causes:
  1. Card number incorrect: Card ID entered doesn’t match the actual card
    • Solution: Verify card number by reading it with an enrollment reader
  2. Wrong card type: Using DESFire card with MIFARE setting or vice versa
    • Solution: Set credential type to “Automatic” or select the correct card type
  3. Card format mismatch: Using cards that require facility codes but format not configured
    • Solution: Select the appropriate card format and configure required fields
  4. Credential not created: Card number saved but credential not created in OpenPath
    • Solution: Check Business Checkup for errors, or remove and re-add the card number
Possible causes:
  1. Feature not enabled: Send a CloudKey link to visitors setting is disabled
    • Solution: Enable “Send a CloudKey link to visitors” in Settings > Integrations > OpenPath
  2. No entry IDs configured: CloudKey Guests Entry IDs setting is empty
    • Solution: Configure entry IDs in the settings (unless using booking-based access)
  3. Invalid entry IDs: Entry IDs don’t exist in OpenPath
    • Solution: Verify entry IDs in OpenPath dashboard and update the setting
  4. Visitor has no email: Visitor record doesn’t have an email address
    • Solution: Add email address to the visitor record
Cause: Your OpenPath API credentials have expired or are incorrect.Solution:
  1. Verify your username and password in the OpenPath admin portal
  2. Reconnect the integration with updated credentials
  3. Ensure your OpenPath account has API access enabled
  4. Verify the correct region is selected (US or EU)
  5. Check that your organization ID is correct
  6. Contact OpenPath support if credentials are correct but connection fails
Cause: Nexudus optimizes API calls by checking if access has actually changed before updating OpenPath.This is normal behavior when:
  • Customer already has access to the same groups
  • A pass is added but the customer already has another pass with the same access
  • An update is triggered but no access groups have changed
Solution:
  • No action needed — this is an optimization to reduce API calls
  • If access should have changed but didn’t, check the pass/resource/desk mappings
  • Review the customer’s current access groups in OpenPath

Monitoring Integration Errors

Nexudus monitors your access control integration and alerts you to any issues that need attention.

Business Checkup Dashboard

Access control integration errors are displayed on the Business Checkup page:
  1. Go to Home > Important Items in the dashboard, or
  2. Navigate directly to dashboard.nexudus.com/dashboards/checkup
  3. Look for the Access Control Integration tile
  4. If there are errors, the tile will be displayed in red

What Gets Flagged

  • Authentication failures: Expired credentials or invalid API tokens
  • Provisioning errors: Failed attempts to create or update customer access
  • Configuration issues: Invalid group IDs or missing entries
  • Synchronization problems: Delays or failures in updating access permissions
  • Credential creation failures: Unable to issue mobile credentials or cards
Each error includes:
  • The customer affected
  • The nature of the problem
  • When the error occurred
  • Error message from OpenPath
  • Suggested actions to resolve it
Nexudus automatically retries failed operations (5 attempts over 5 minutes). If errors persist, check the Business Checkup page for detailed information and follow the suggested resolution steps.

Security Considerations

Data Shared with OpenPath

When provisioning access, Nexudus shares the following information with OpenPath:
  • Customer data: First name, last name, email address
  • External ID: Nexudus customer ID (used to link records between systems)
  • RFID cards: Card IDs from the Access Card ID field
  • Access groups: Group IDs the customer should be assigned to
Nexudus does not share:
  • Billing information
  • Payment details
  • Contract specifics (only group assignments)
  • Personal notes or custom fields
  • Other customers’ information

Credential Security

  • Mobile credentials: Managed entirely by OpenPath; Nexudus only creates the credential record
  • Cloud keys: Time-limited and automatically expire; can be revoked immediately
  • Physical cards: Card numbers stored in Nexudus; OpenPath encrypts card data
  • Remote unlock: Requires valid authentication to Nexudus Passport app
  • User passwords: Never shared with Nexudus; authentication to OpenPath is handled by OpenPath

Access Logging

All access events are logged in OpenPath:
  • Who accessed which entry
  • When the access occurred
  • Which credential was used (mobile, card, cloud key)
  • Whether access was granted or denied
These logs are available in the OpenPath dashboard for audit purposes.

Best Practices

Group Organization

Create groups based on access levels, not products or plans:
  • Good: “24/7 Access”, “Business Hours”, “Meeting Rooms”, “Private Offices”
  • Avoid: “Hot Desk Plan”, “Dedicated Desk Plan” (these are billing products, not access types)
This approach lets you grant the same physical access through multiple plans.

Credential Strategy

For members:
  • Issue mobile credentials to all customers (automatic)
  • Only issue physical cards when needed (reduces cost and management overhead)
  • Use DESFire cards for higher security environments
  • Use MIFARE CSN for faster access in low-security areas
For visitors:
  • Use cloud keys instead of physical credentials
  • Set appropriate expiration times based on visit duration
  • For recurring visitors, consider converting them to temporary members

Entry Organization in OpenPath

  • Group entries by access level (not by physical location)
  • Create separate groups for different time restrictions (24/7 vs business hours)
  • Use descriptive group names that indicate the access level
  • Document which entries belong to which groups

Check-in Configuration

  • Only enable check-in tracking on primary entrance readers
  • Set exit readers to “Check Out” to automatically track departures
  • Set interior readers to “Nothing” to avoid redundant check-ins
  • Consider using “Toggle” for single-entry/exit locations

Technical Details

API Architecture

  • Base URL (US): https://api.openpath.com
  • Base URL (EU): https://api.eu.openpath.com
  • Authentication: Basic Auth (username/password)
  • Token management: Session-based with automatic token refresh
  • Rate limiting: 30 requests per minute per username (enforced via semaphore across servers)

Key Endpoints

  • Users: /orgs/{orgId}/users (GET, POST, PUT, DELETE)
  • Groups: /orgs/{orgId}/groups
  • User Groups: /users/{userId}/groups (PUT to update group assignments)
  • Credentials: /users/{userId}/credentials (GET, POST, DELETE)
  • Credential Types: /credentialTypes
  • Card Formats: /cardFormats
  • Readers: /orgs/{orgId}/readers
  • Entries: /groups/{groupId}/entries
  • Activity Report: /orgs/{orgId}/activity (access events)
  • Mobile Setup Token: /users/{userId}/credentials/{credentialId}/mobile/provisioningQrcode
  • Cloud Key Token: /users/{userId}/credentials/{credentialId}/cloudKey/accessToken
  • Remote Unlock: POST with entry ID and unlock command

Synchronization

  • Access updates: Debounced by 5 seconds per customer to batch rapid changes
  • Background task: Polls reader events every 9 minutes for check-in tracking
  • Event query: Queries activity report for successful access events
  • Distributed locking: Prevents race conditions in multi-server deployments
  • User provisioning: Lazy creation on first group assignment
  • User deletion: Automatic when no groups remain
  • Access signature hashing: Prevents unnecessary API calls when access hasn’t changed

External IDs

  • Customers: ExternalID set to Nexudus customer ID (integer)
  • Lookup: Users retrieved via email first, then verified by external ID
  • Uniqueness: One OpenPath user per customer email address

User Model

{
  "id": 12345,
  "externalId": "67890",
  "status": "active",
  "hasRemoteUnlock": true,
  "identity": {
    "firstName": "John",
    "lastName": "Doe",
    "email": "john@example.com"
  },
  "groups": [1, 2, 3]
}

Credential Types

Type IDNameModel NameUse Case
1MobilemobileBluetooth mobile access
4MIFARE CSNcardMifareCsnSimple RFID cards
5DESFirecardOpenpathDesfireEv1Encrypted RFID cards
6Cloud KeycloudKeyTime-limited visitor access
CustomVariescardCustom card formats

Card Format Fields

Custom card formats may include:
  • cardId (required): The card number
  • facilityCode: Facility/site identifier
  • companyCode: Company identifier
  • issueLevel: Card issue level
  • siteCode: Site code
  • oem, rcm: Manufacturer codes

Business Settings Reference

SettingPurpose
OpenPath.EnabledIntegration enabled flag (“true”/“false”)
OpenPath.UsernameOpenPath API username
OpenPath.PasswordOpenPath API password
OpenPath.OrganisationIdOrganization ID for API calls
OpenPath.RegionAPI region (“US” or “EU”)
OpenPath.CardTypeDefault credential type ID (0 = automatic)
OpenPath.CardFormatIdCard format ID for custom cards
OpenPath.CardFormat.{field}Custom card format field values
OpenPath.HasRemoteUnlockEnable remote unlock (“true”/“false”)
OpenPath.SetUpMobileCredentialAuto-provision mobile credentials (“true”/“false”)
OpenPath.CreateVisitorCloudKeysEnable visitor cloud keys (“true”/“false”)
OpenPath.VisitorEntryIdsComma-separated entry IDs for visitors
OpenPath.Controller.Id_{readerId}.ActionCheck-in action per reader (Nothing/CheckIn/CheckOut/Toggle)

Contract-Based Desk Access

  • Desk access determined by active contracts: coworker.ActiveContracts().SelectMany(x => x.Desks)
  • Team billing support: Customer receives access to desks in paying member’s contracts
  • Desk mapping: Each desk mapped to a single group ID

Access Update Logic

  1. Passes: Active passes from contracts + shared passes from paying member
  2. Check-ins: Passes from open check-ins (maintains access during session)
  3. Bookings: Resources with bookings starting within 15 minutes
  4. Booking guests: Resources from bookings where customer is a visitor
  5. Desks: Desks from active contracts (own + team billing)
  6. Group aggregation: Unique list of all group IDs from above sources
  7. Signature check: Compare new group list to stored access signature
  8. Skip if unchanged: If signature matches, skip API call (optimization)
  9. User provisioning: Create user if doesn’t exist and has groups
  10. Group update: Update user’s group assignments via PUT to /users/{id}/groups
  11. Credential management: Create mobile credential, physical cards based on Access Card ID
  12. User deletion: If no groups remain, delete all credentials and user

Credential Management Logic

Mobile credentials:
  • Created with credential type ID 1
  • Name set to location name
  • Provisioned automatically if SetUpMobileCredential is enabled
  • One mobile credential per user
Physical cards:
  • Created based on Access Card ID field (comma-separated)
  • Auto-detection: 14 digits = DESFire, others = MIFARE CSN
  • Multiple cards supported (split by comma)
  • All existing card credentials deleted before creating new ones
  • Custom card formats supported with additional fields
Cloud keys (visitors):
  • Created with credential type ID 6
  • Name format: “Visitor #
  • Time-limited access tokens generated with entry scope
  • Booking integration: inherits entries from resource’s group
  • Validity: expected arrival -15 min to departure +15 min (or next day midnight)

Event Processing

  • Task schedule: Recurring job every 9 minutes
  • Event query: Activity report from lastEventDate to now
  • Event filtering: Only “Granted” results processed
  • User lookup: Match by user ID in OpenPath, verify via external ID
  • Check-in trigger: Based on reader’s configured action
  • Timestamp conversion: Unix timestamp to DateTime
  • Invalid check-in notification: System message sent to access control notification users

Error Handling

  • Authentication failures: Disable integration and log error
  • Provisioning errors: Automatic retry with 5 attempts
  • Business Checkup: Integration errors displayed on dashboard
  • Distributed locks: Prevent concurrent updates to same customer
  • Exception logging: Full stack trace logged for troubleshooting
  • Event raising: OnExceptionHandler<AccessControlEventData> for monitoring

Card Number Detection

if (cardNumber.Length == 14)
    credentialType = DESFire;  // Encrypted
else
    credentialType = MIFAREC SN;  // Fast

Access Signature Hash

var signature = string.Join(",", groups.OrderBy(x => x));
coworker.SetAccessSignatureForProvider(eAccessSignatureProviderType.OpenPath, signature);
This prevents API calls when group membership hasn’t actually changed.