OpenPath (Avigilon Alta) Access Control Integration
Overview
OpenPath (now Avigilon Alta) is a cloud-based access control platform that enables flexible, secure physical access management without the need for on-premises servers. The Nexudus integration with OpenPath automates credential provisioning and access group assignments based on customer contracts, passes, bookings, and desk assignments.OpenPath and Avigilon Alta refer to the same platform. The product was rebranded to Avigilon Alta but may still appear as “OpenPath” in some places within Nexudus.
Key Features
- Cloud-based management: Manage access from anywhere through OpenPath’s web platform
- Mobile access: Customers can use the Nexudus Passport app with mobile credentials
- Automatic provisioning: Access is granted and revoked automatically based on plan changes, bookings, and pass assignments
- Check-in tracking: Optionally use reader events to check customers in/out
- Multiple card types: Support for MIFARE CSN, DESFire encrypted cards, and custom card formats
- Group-based permissions: Map your inventory (passes, resources, desks) to OpenPath groups
- Booking-based temporary access: Automatic access during reservation windows
- Visitor cloud keys: Generate time-limited access links for visitors and guests
- Remote unlock: Allow customers to unlock doors remotely through the mobile app
- Multi-region support: Available in US and EU data centers
Integration Type
Cloud-based — OpenPath operates entirely in the cloud with no on-premises server requirements.Capabilities
| Feature | Supported | Notes |
|---|---|---|
| Pass-based access | ✅ Yes | Customers receive access based on their active passes |
| Plan-based access | ✅ Indirect | Plans grant access through the passes they include |
| Resource-based access | ✅ Yes | Grants temporary access during reservations |
| Desk/unit-based access | ✅ Yes | Includes support for team billing contracts |
| Visitor access | ✅ Yes | Cloud key links with time-limited access |
| Booking guest access | ✅ Yes | Customers added as booking guests receive access based on booking resource and timing |
| Check-in tracking | ✅ Yes | Reader events trigger automatic check-ins |
| Mobile app access | ✅ Yes | Nexudus Passport app integration with mobile credentials |
| Remote door unlock | ✅ Yes | Customers can unlock doors without being physically present |
| Physical access cards | ✅ Yes | MIFARE, DESFire, and custom card formats |
How It Works
Access Control Model
OpenPath uses a group-based model to manage access permissions:- Users represent individuals in the system (mapped to Nexudus customers)
- Groups define collections of doors/entries that users can access
- Entries are individual access points (doors, gates, turnstiles)
- Credentials are the methods users authenticate with (mobile, cards, cloud keys)
- Readers are the physical devices that grant access at entries
Multi-Door Support
OpenPath uses groups to grant permissions to multiple entries. Instead of mapping each entry individually:- In OpenPath, create a group (e.g., “24/7 Access”)
- Add the relevant entries to that group in OpenPath
- In Nexudus, map your pass/resource/desk to that group by its ID
- Customers with that pass automatically get access to all entries in the group
You must configure which entries belong to each group in the OpenPath platform. Nexudus assigns customers to groups, but the entry-to-group mapping is managed in OpenPath.
Credential Types
OpenPath supports multiple credential types:- Mobile credentials: Bluetooth-enabled access through the Nexudus Passport app
- Cloud keys: Time-limited web links for temporary access (primarily for visitors)
- Physical cards: RFID cards in various formats
- MIFARE CSN: Simple card serial number (fast, less secure)
- DESFire: Encrypted card data (secure, recommended)
- Custom formats: Configurable card formats with facility codes and other fields
Prerequisites
Before connecting Nexudus to OpenPath, ensure you have:- Active OpenPath account with administrator access
- API credentials (username and password for API authentication)
- Organization ID — The numeric identifier for your OpenPath organization
- Region selection — US or EU based on your data center location
- OpenPath system configured with readers installed and online
- Groups created in OpenPath for different access levels (e.g., 24/7 access, business hours only)
- Nexudus location configured with plans, passes, and resources
Configuration
Step 1: Connect to OpenPath
- In the Nexudus dashboard, go to Settings > Integrations
- Find OpenPath or Avigilon Alta in the list and click Connect
- Enter your connection details:
- Username: Your OpenPath API username
- Password: Your OpenPath API password
- Organization ID: The numeric ID of your organization
- Region: Select US or EU based on your data center
- Click Save to establish the connection
The region setting determines which API endpoint is used:
- US:
https://api.openpath.com - EU:
https://api.eu.openpath.com
Step 2: Configure Credential Type
OpenPath supports multiple types of physical access cards. Choose the credential type that matches your hardware.- In the Credential Type section, select your card type:
- Automatic (recommended): Auto-detects based on card number length
- 14 digits → DESFire (encrypted, secure)
- Other lengths → MIFARE CSN (fast, less secure)
- Specific card type: Choose a specific credential type if you have custom cards
- Automatic (recommended): Auto-detects based on card number length
- Card Format (optional): If using custom card formats with facility codes or site codes:
- Select the card format from the dropdown
- Enter values for required fields (facility code, company code, etc.)
- These values apply to all cards issued at this location
- Click Save
- DESFire (Encrypted): More secure, slightly slower to read
- MIFARE CSN: Faster to read, less secure (uses only the card serial number)
- Automatic: Best for most installations — uses DESFire for 14-digit cards, MIFARE for others
Card formats are typically pre-configured in OpenPath by your installer. Only configure custom fields if you’re using cards with facility codes or site-specific encoding.
Step 3: Configure Presence Tracking (Optional)
OpenPath can trigger automatic check-ins when customers unlock specific readers.- In the Presence Tracking section, you’ll see all readers from your OpenPath system
- For each reader, choose an action:
- Nothing: Reader access is tracked in OpenPath but doesn’t affect Nexudus
- Check In: Unlocking this reader checks the customer in
- Check Out: Unlocking this reader checks the customer out
- Toggle: Unlocking switches between checked in and checked out
- Set the main entrance reader to Check In
- Set the exit reader to Check Out
- Set internal readers to Nothing (access granted but doesn’t affect presence)
Check-in tracking requires event processing. Nexudus syncs reader events every 9 minutes and triggers the appropriate check-in action based on your configuration.
Step 4: Map Passes to Groups
Passes are the primary way customers receive access in Nexudus. Each pass can be mapped to an OpenPath group.- In the Passes section, you’ll see all passes configured for this location
- For each pass, select the OpenPath Group that customers should be assigned to when they hold that pass
- Leave blank if a pass should not grant physical access
- When a customer has an active contract on a plan that includes passes, they automatically receive those passes
- If the pass is mapped to an OpenPath group, the customer is added to that group
- When the pass expires or is consumed, access is revoked
- Time-limited passes (e.g., day passes with validity windows) automatically grant and revoke access at the appropriate times
| Pass Name | OpenPath Group | Purpose |
|---|---|---|
| 24/7 Access Pass | 24/7 Members | Round-the-clock building access |
| Business Hours Pass | Business Hours | Access only during operating hours |
| Meeting Room Pass | Meeting Rooms | Access to meeting room zones |
Step 5: Map Resources to Groups
Resources (meeting rooms, event spaces, etc.) can require specific access permissions for bookings.- In the Resources section, you’ll see all resources configured for this location
- For each resource, select the OpenPath Group required to access that space
- Leave blank if resource bookings should not grant physical access
- When a customer books a resource, Nexudus grants them access 15 minutes before the booking starts
- Access is automatically revoked 15 minutes after the booking ends
- If the booking is cancelled, access is removed immediately
| Resource Name | OpenPath Group | Purpose |
|---|---|---|
| Conference Room A | Conference Rooms | Access to conference room zone |
| Event Space | Event Hall | Access to event space for bookings |
| Private Office | Private Offices | Access to private office area |
Resource-based access is temporary and booking-specific. A customer only receives access during their booking window, even if they don’t hold a general access pass.
Step 6: Map Desks/Units to Groups
Floor plan desks and units can grant access to specific areas when included in a customer’s contract.- In the Desks/Units section, you’ll see all desks from your floor plans
- For each desk, select the OpenPath Group required to access that area
- Leave blank if desk assignments should not grant physical access
- When a desk is added to a customer’s contract, they receive access to the mapped group
- Access is granted when the contract starts and revoked when it ends
- Team billing support: If a customer uses team billing (merged billing), they also receive access to desks included in the paying member’s contracts
| Desk/Unit Name | OpenPath Group | Purpose |
|---|---|---|
| Private Office #101 | Private Office Floor 1 | Access to first-floor private office area |
| Dedicated Desk Zone A | Desk Area A | Access to dedicated desk zone A |
| Studio #5 | Studio Access | Access to individual studio unit |
Step 7: Configure Visitor Cloud Keys (Optional)
OpenPath supports generating time-limited access links (cloud keys) for visitors and guests. To enable visitor cloud keys:- In Settings > Integrations > OpenPath, enable the setting:
- Send a CloudKey link to visitors: Set to Yes/True
- Configure CloudKey Guests Entry IDs: Enter the entry IDs that visitors should have access to
- Format: Comma-separated list of entry IDs (e.g.,
123,456,789) - Find entry IDs in your OpenPath dashboard under Entries
- Format: Comma-separated list of entry IDs (e.g.,
- Click Save
- When you register a visitor in Nexudus, a cloud key link is automatically generated
- The visitor receives an email with the access link
- They can open the link on their mobile device to unlock doors
- Access is valid from 15 minutes before their expected arrival until:
- Next day at midnight (for general visitors)
- 15 minutes after booking end time (for booking guests)
- If the visitor is associated with a booking, they automatically receive access to the booked resource’s entries
- The cloud key is automatically scoped to the resource’s access group
- Access timing matches the booking window (start to end + 15 minutes)
- No need to manually configure entry IDs for booking-based visitors
Cloud keys are temporary credentials that expire automatically. Visitors don’t need to download an app — they simply open the web link on their mobile device.
Step 8: Save Configuration
- Review all mappings to ensure they’re correct
- Click Save to apply the configuration
- Nexudus will immediately start provisioning access for customers based on the new mappings
How Access is Managed
When Access is Granted
Nexudus automatically grants OpenPath access when:- Contract starts: Customer begins a contract on a plan → receives passes included in that plan → assigned to corresponding OpenPath groups
- Pass activated: Customer receives a pass directly (not via a contract) → assigned to the mapped OpenPath group
- Booking created: Customer books a resource → granted access to resource’s group 15 minutes before booking start time
- Desk added to contract: Desk is added to an active contract → customer receives access to the desk’s mapped group
- Booking guest added: Non-customer is added as a guest on a booking → granted cloud key access for the booking duration
- Visitor registered: Visitor is registered → receives cloud key link with time-limited access
- Check-in active: Customer with a valid pass checks in → maintains access through the check-in period
When Access is Revoked
Nexudus automatically revokes OpenPath access when:- Contract ends or cancelled: Customer loses passes from that contract → removed from corresponding OpenPath groups
- Pass expires: Pass validity ends or usage is consumed → removed from mapped OpenPath group
- Booking ends or cancelled: Booking time expires or is cancelled → access to resource’s group is removed
- Desk removed from contract: Desk is removed from contract → access to desk’s group is revoked
- Customer deactivated: Customer account is deactivated → all OpenPath access removed
- No access groups remain: If customer has no passes, bookings, or desks → user is deleted from OpenPath
Access Update Timing
- Immediate updates: Contract changes, pass assignments, and customer deactivations trigger access updates within seconds (5-second debounce)
- Booking lead time: Booking access is granted 15 minutes before the booking start time
- Background processing: Access updates are queued in background jobs to handle high volumes efficiently
- Event processing: Reader events are synced every 9 minutes for check-in tracking
- Automatic retry: Failed operations retry automatically with exponential backoff (5 retries over 5 minutes)
If a customer should have access but doesn’t, the system automatically retries access provisioning. Check the Business Checkup page for any integration errors.
Mobile App Experience
Customers can use the Nexudus Passport mobile app to unlock doors remotely.Setup for Customers
- Customer downloads the Nexudus Passport app (iOS or Android)
- Signs in with their Nexudus credentials
- App detects OpenPath integration is active
- Customer receives a mobile credential automatically
- Customer can view available entries and unlock them remotely
Using Mobile Access
- Customer opens the Nexudus Passport app
- Navigates to Unlock Doors section
- Views list of entries they currently have access to
- Taps Unlock to remotely unlock an entry
- Can also use Bluetooth proximity unlock if available
Mobile Credential Provisioning
Mobile credentials are issued automatically:- Automatic creation: When a customer receives their first access group, a mobile credential is created
- Manual provisioning (optional): Enable Set Up Mobile Credential in settings to automatically provision the credential for immediate use
- App-based setup: Customers can also provision credentials through the Nexudus Passport app
Mobile credentials work via Bluetooth and web-based remote unlock. Customers need Bluetooth enabled on their device for proximity-based unlocking.
Physical Card Management
OpenPath supports traditional RFID access cards alongside mobile access. To assign cards:- Go to Operations > Customers
- Select the customer
- In their profile, enter card IDs in the Access Card ID field
- Separate multiple cards with commas:
123456,789012,345678 - Save the customer profile
- No card: User receives mobile credential only
- Card assigned: User has both physical card and mobile credential
- Card removed: Physical credential is deleted, mobile credential remains
- 14-digit cards: Created as DESFire (encrypted)
- Other lengths: Created as MIFARE CSN
- Specific type selected: Uses the configured credential type
OpenPath uses the card number directly without additional encoding. If you need facility codes or site codes, select a custom card format and configure the additional fields.
Visitor Access
Generating Visitor Cloud Keys
OpenPath provides time-limited access links for visitors: Automatic generation:- Register a visitor in Operations > Visitors
- Enter their email address and expected arrival time
- Nexudus automatically generates a cloud key link
- The visitor receives the link via email
- Open an existing visitor record
- Click Generate Access Link (if available)
- Copy the link and send it to the visitor
Cloud Key Access Scope
For general visitors:- Access to entries specified in Visitor Entry IDs setting
- Valid from 15 minutes before expected arrival
- Expires at midnight the following day (in location’s timezone)
- Access to all entries in the booked resource’s access group
- Valid from 15 minutes before booking start
- Expires 15 minutes after booking end
- Overrides general visitor entry IDs
- Visitor opens the link on their mobile device
- Link opens the OpenPath web interface
- Visitor can unlock assigned entries
- Access expires automatically at the configured time
Visitors don’t need to create an account or download an app. The cloud key link provides temporary access through their mobile browser.
Managing Visitor Access
To revoke visitor access:- Go to Operations > Visitors
- Select the visitor
- Click Revoke Access or delete the visitor record
- The cloud key is immediately invalidated
- The visitor’s expected departure time passes
- The associated booking ends (for booking guests)
- The visitor record is deleted
- The visitor checks out
Remote Door Unlock
Customers can unlock doors remotely through the Nexudus Passport app without being physically present.Enabling Remote Unlock
- In Settings > Integrations > OpenPath, enable:
- Has Remote Unlock: Set to Yes/True
- This setting allows customers to unlock doors from anywhere, not just via proximity
How Remote Unlock Works
- Customer opens Nexudus Passport app
- Selects the entry to unlock
- Taps Unlock
- Nexudus sends the unlock command to OpenPath
- Door unlocks immediately (subject to OpenPath’s configured unlock duration)
Troubleshooting
Customer has an active contract but can't access entries
Customer has an active contract but can't access entries
Possible causes:
-
Pass not mapped: The passes included in the customer’s plan are not mapped to any OpenPath groups
- Solution: Go to Settings > Integrations > OpenPath and map the relevant passes to groups
-
Pass expired or inactive: The customer’s pass has expired or hasn’t started yet
- Solution: Check the customer’s passes under their profile to verify validity windows
-
User not created: The customer wasn’t created in OpenPath
- Solution: Check the Business Checkup page for integration errors, or manually trigger an update by editing and saving the customer’s profile
-
Group permissions: The OpenPath group exists but isn’t assigned to any entries
- Solution: In OpenPath, verify the group includes the correct entries
-
No credentials: Customer doesn’t have a mobile credential or physical card
- Solution: Check the customer’s OpenPath user record to verify credentials were created
-
Credential not provisioned: Mobile credential exists but isn’t provisioned
- Solution: Enable “Set Up Mobile Credential” in settings, or have the customer provision through the app
Booking access not working
Booking access not working
Possible causes:
-
Resource not mapped: The booked resource is not mapped to an OpenPath group
- Solution: Map the resource to a group in Settings > Integrations > OpenPath
-
Booking too far in future: Access is only granted 15 minutes before booking start time
- Solution: Wait until booking is within 15 minutes of start time
-
Booking not confirmed: Some resources require booking confirmation
- Solution: Confirm the booking if it’s in pending state
-
Group has no entries: The mapped group exists but doesn’t contain any entries
- Solution: In OpenPath, add entries to the group
Mobile app showing no entries available
Mobile app showing no entries available
Possible causes:
-
No active access: Customer doesn’t have any passes or bookings that grant access
- Solution: Verify customer has an active pass or upcoming booking mapped to OpenPath groups
-
Credential not provisioned: Mobile credential exists but not provisioned
- Solution: Enable “Set Up Mobile Credential” setting, or have customer tap “Provision” in the app
-
App not refreshed: Entry list hasn’t updated after access was granted
- Solution: Customer should pull down to refresh the entry list in the app
-
Wrong region: App is connecting to wrong OpenPath region
- Solution: Verify the region setting matches your OpenPath account (US or EU)
Check-ins not created from reader events
Check-ins not created from reader events
Possible causes:
-
Reader action not configured: Reader is set to “Nothing” instead of a check-in action
- Solution: Configure the reader action in Settings > Integrations > OpenPath
-
Event processing disabled: Events aren’t being synced
- Solution: Check that the OpenPath integration is enabled and credentials are valid
-
Sync delay: Background task runs every 9 minutes
- Solution: Wait up to 9 minutes for the next event sync cycle
-
No external ID: User in OpenPath doesn’t have an external ID linking to Nexudus
- Solution: Delete and recreate the user by updating the customer’s access
Physical cards not working
Physical cards not working
Possible causes:
-
Card number incorrect: Card ID entered doesn’t match the actual card
- Solution: Verify card number by reading it with an enrollment reader
-
Wrong card type: Using DESFire card with MIFARE setting or vice versa
- Solution: Set credential type to “Automatic” or select the correct card type
-
Card format mismatch: Using cards that require facility codes but format not configured
- Solution: Select the appropriate card format and configure required fields
-
Credential not created: Card number saved but credential not created in OpenPath
- Solution: Check Business Checkup for errors, or remove and re-add the card number
Visitor cloud keys not generating
Visitor cloud keys not generating
Possible causes:
-
Feature not enabled: Send a CloudKey link to visitors setting is disabled
- Solution: Enable “Send a CloudKey link to visitors” in Settings > Integrations > OpenPath
-
No entry IDs configured: CloudKey Guests Entry IDs setting is empty
- Solution: Configure entry IDs in the settings (unless using booking-based access)
-
Invalid entry IDs: Entry IDs don’t exist in OpenPath
- Solution: Verify entry IDs in OpenPath dashboard and update the setting
-
Visitor has no email: Visitor record doesn’t have an email address
- Solution: Add email address to the visitor record
Integration connection failing
Integration connection failing
Cause: Your OpenPath API credentials have expired or are incorrect.Solution:
- Verify your username and password in the OpenPath admin portal
- Reconnect the integration with updated credentials
- Ensure your OpenPath account has API access enabled
- Verify the correct region is selected (US or EU)
- Check that your organization ID is correct
- Contact OpenPath support if credentials are correct but connection fails
Access signature unchanged - no update triggered
Access signature unchanged - no update triggered
Cause: Nexudus optimizes API calls by checking if access has actually changed before updating OpenPath.This is normal behavior when:
- Customer already has access to the same groups
- A pass is added but the customer already has another pass with the same access
- An update is triggered but no access groups have changed
- No action needed — this is an optimization to reduce API calls
- If access should have changed but didn’t, check the pass/resource/desk mappings
- Review the customer’s current access groups in OpenPath
Monitoring Integration Errors
Nexudus monitors your access control integration and alerts you to any issues that need attention.Business Checkup Dashboard
Access control integration errors are displayed on the Business Checkup page:- Go to Home > Important Items in the dashboard, or
- Navigate directly to dashboard.nexudus.com/dashboards/checkup
- Look for the Access Control Integration tile
- If there are errors, the tile will be displayed in red
What Gets Flagged
- Authentication failures: Expired credentials or invalid API tokens
- Provisioning errors: Failed attempts to create or update customer access
- Configuration issues: Invalid group IDs or missing entries
- Synchronization problems: Delays or failures in updating access permissions
- Credential creation failures: Unable to issue mobile credentials or cards
- The customer affected
- The nature of the problem
- When the error occurred
- Error message from OpenPath
- Suggested actions to resolve it
Nexudus automatically retries failed operations (5 attempts over 5 minutes). If errors persist, check the Business Checkup page for detailed information and follow the suggested resolution steps.
Security Considerations
Data Shared with OpenPath
When provisioning access, Nexudus shares the following information with OpenPath:- Customer data: First name, last name, email address
- External ID: Nexudus customer ID (used to link records between systems)
- RFID cards: Card IDs from the Access Card ID field
- Access groups: Group IDs the customer should be assigned to
- Billing information
- Payment details
- Contract specifics (only group assignments)
- Personal notes or custom fields
- Other customers’ information
Credential Security
- Mobile credentials: Managed entirely by OpenPath; Nexudus only creates the credential record
- Cloud keys: Time-limited and automatically expire; can be revoked immediately
- Physical cards: Card numbers stored in Nexudus; OpenPath encrypts card data
- Remote unlock: Requires valid authentication to Nexudus Passport app
- User passwords: Never shared with Nexudus; authentication to OpenPath is handled by OpenPath
Access Logging
All access events are logged in OpenPath:- Who accessed which entry
- When the access occurred
- Which credential was used (mobile, card, cloud key)
- Whether access was granted or denied
Related Documentation
- Access Control Overview
- Passes Configuration
- Plans & Contracts
- Resource Bookings
- Check-ins
- Visitor Management
Best Practices
Group Organization
Create groups based on access levels, not products or plans:- ✅ Good: “24/7 Access”, “Business Hours”, “Meeting Rooms”, “Private Offices”
- ❌ Avoid: “Hot Desk Plan”, “Dedicated Desk Plan” (these are billing products, not access types)
Credential Strategy
For members:- Issue mobile credentials to all customers (automatic)
- Only issue physical cards when needed (reduces cost and management overhead)
- Use DESFire cards for higher security environments
- Use MIFARE CSN for faster access in low-security areas
- Use cloud keys instead of physical credentials
- Set appropriate expiration times based on visit duration
- For recurring visitors, consider converting them to temporary members
Entry Organization in OpenPath
- Group entries by access level (not by physical location)
- Create separate groups for different time restrictions (24/7 vs business hours)
- Use descriptive group names that indicate the access level
- Document which entries belong to which groups
Check-in Configuration
- Only enable check-in tracking on primary entrance readers
- Set exit readers to “Check Out” to automatically track departures
- Set interior readers to “Nothing” to avoid redundant check-ins
- Consider using “Toggle” for single-entry/exit locations
Technical Details
For developers and IT administrators
For developers and IT administrators
API Architecture
- Base URL (US):
https://api.openpath.com - Base URL (EU):
https://api.eu.openpath.com - Authentication: Basic Auth (username/password)
- Token management: Session-based with automatic token refresh
- Rate limiting: 30 requests per minute per username (enforced via semaphore across servers)
Key Endpoints
- Users:
/orgs/{orgId}/users(GET, POST, PUT, DELETE) - Groups:
/orgs/{orgId}/groups - User Groups:
/users/{userId}/groups(PUT to update group assignments) - Credentials:
/users/{userId}/credentials(GET, POST, DELETE) - Credential Types:
/credentialTypes - Card Formats:
/cardFormats - Readers:
/orgs/{orgId}/readers - Entries:
/groups/{groupId}/entries - Activity Report:
/orgs/{orgId}/activity(access events) - Mobile Setup Token:
/users/{userId}/credentials/{credentialId}/mobile/provisioningQrcode - Cloud Key Token:
/users/{userId}/credentials/{credentialId}/cloudKey/accessToken - Remote Unlock: POST with entry ID and unlock command
Synchronization
- Access updates: Debounced by 5 seconds per customer to batch rapid changes
- Background task: Polls reader events every 9 minutes for check-in tracking
- Event query: Queries activity report for successful access events
- Distributed locking: Prevents race conditions in multi-server deployments
- User provisioning: Lazy creation on first group assignment
- User deletion: Automatic when no groups remain
- Access signature hashing: Prevents unnecessary API calls when access hasn’t changed
External IDs
- Customers:
ExternalIDset to Nexudus customer ID (integer) - Lookup: Users retrieved via email first, then verified by external ID
- Uniqueness: One OpenPath user per customer email address
User Model
Credential Types
| Type ID | Name | Model Name | Use Case |
|---|---|---|---|
| 1 | Mobile | mobile | Bluetooth mobile access |
| 4 | MIFARE CSN | cardMifareCsn | Simple RFID cards |
| 5 | DESFire | cardOpenpathDesfireEv1 | Encrypted RFID cards |
| 6 | Cloud Key | cloudKey | Time-limited visitor access |
| Custom | Varies | card | Custom card formats |
Card Format Fields
Custom card formats may include:cardId(required): The card numberfacilityCode: Facility/site identifiercompanyCode: Company identifierissueLevel: Card issue levelsiteCode: Site codeoem,rcm: Manufacturer codes
Business Settings Reference
| Setting | Purpose |
|---|---|
OpenPath.Enabled | Integration enabled flag (“true”/“false”) |
OpenPath.Username | OpenPath API username |
OpenPath.Password | OpenPath API password |
OpenPath.OrganisationId | Organization ID for API calls |
OpenPath.Region | API region (“US” or “EU”) |
OpenPath.CardType | Default credential type ID (0 = automatic) |
OpenPath.CardFormatId | Card format ID for custom cards |
OpenPath.CardFormat.{field} | Custom card format field values |
OpenPath.HasRemoteUnlock | Enable remote unlock (“true”/“false”) |
OpenPath.SetUpMobileCredential | Auto-provision mobile credentials (“true”/“false”) |
OpenPath.CreateVisitorCloudKeys | Enable visitor cloud keys (“true”/“false”) |
OpenPath.VisitorEntryIds | Comma-separated entry IDs for visitors |
OpenPath.Controller.Id_{readerId}.Action | Check-in action per reader (Nothing/CheckIn/CheckOut/Toggle) |
Contract-Based Desk Access
- Desk access determined by active contracts:
coworker.ActiveContracts().SelectMany(x => x.Desks) - Team billing support: Customer receives access to desks in paying member’s contracts
- Desk mapping: Each desk mapped to a single group ID
Access Update Logic
- Passes: Active passes from contracts + shared passes from paying member
- Check-ins: Passes from open check-ins (maintains access during session)
- Bookings: Resources with bookings starting within 15 minutes
- Booking guests: Resources from bookings where customer is a visitor
- Desks: Desks from active contracts (own + team billing)
- Group aggregation: Unique list of all group IDs from above sources
- Signature check: Compare new group list to stored access signature
- Skip if unchanged: If signature matches, skip API call (optimization)
- User provisioning: Create user if doesn’t exist and has groups
- Group update: Update user’s group assignments via PUT to
/users/{id}/groups - Credential management: Create mobile credential, physical cards based on Access Card ID
- User deletion: If no groups remain, delete all credentials and user
Credential Management Logic
Mobile credentials:- Created with credential type ID 1
- Name set to location name
- Provisioned automatically if
SetUpMobileCredentialis enabled - One mobile credential per user
- Created based on Access Card ID field (comma-separated)
- Auto-detection: 14 digits = DESFire, others = MIFARE CSN
- Multiple cards supported (split by comma)
- All existing card credentials deleted before creating new ones
- Custom card formats supported with additional fields
- Created with credential type ID 6
- Name format: “Visitor #”
- Time-limited access tokens generated with entry scope
- Booking integration: inherits entries from resource’s group
- Validity: expected arrival -15 min to departure +15 min (or next day midnight)
Event Processing
- Task schedule: Recurring job every 9 minutes
- Event query: Activity report from
lastEventDatetonow - Event filtering: Only “Granted” results processed
- User lookup: Match by user ID in OpenPath, verify via external ID
- Check-in trigger: Based on reader’s configured action
- Timestamp conversion: Unix timestamp to DateTime
- Invalid check-in notification: System message sent to access control notification users
Error Handling
- Authentication failures: Disable integration and log error
- Provisioning errors: Automatic retry with 5 attempts
- Business Checkup: Integration errors displayed on dashboard
- Distributed locks: Prevent concurrent updates to same customer
- Exception logging: Full stack trace logged for troubleshooting
- Event raising:
OnExceptionHandler<AccessControlEventData>for monitoring