> ## Documentation Index
> Fetch the complete documentation index at: https://learn.nexudus.com/llms.txt
> Use this file to discover all available pages before exploring further.

# Brivo Access Control

> Connect Nexudus with Brivo's cloud-based access control system to automate door access based on plans, passes, bookings, and desk assignments

# Brivo Access Control Integration

## Overview

Brivo is a cloud-based access control platform that enables flexible, secure physical access management. The Nexudus integration with Brivo automates credential provisioning and access group assignments based on customer contracts, passes, bookings, and desk assignments.

### Key Features

* **Cloud-based management**: Manage access from anywhere through Brivo's web platform
* **Mobile access**: Customers can use the Brivo OnAir mobile app via the Nexudus Passport app
* **Automatic provisioning**: Access is granted and revoked automatically based on plan changes, bookings, and pass assignments
* **Visitor support**: Time-limited credentials for visitors with automatic expiry
* **Check-in tracking**: Optionally use door events to check customers in/out
* **Multi-region support**: Works with both Global and Europe Brivo regions
* **Group-based permissions**: Map your inventory (passes, resources, desks) to Brivo access groups

### Integration Type

**Cloud-based** — Brivo operates entirely in the cloud with no on-premises server requirements.

### Capabilities

| Feature                    | Supported  | Notes                                                                      |
| -------------------------- | ---------- | -------------------------------------------------------------------------- |
| **Pass-based access**      | ✅ Yes      | Primary access mechanism via pass-to-group mapping                         |
| **Plan-based access**      | ✅ Indirect | Plans grant access through the passes they include                         |
| **Resource-based access**  | ✅ Yes      | Temporary access during bookings with 15-min lead time                     |
| **Desk/unit-based access** | ✅ Yes      | Contract-based access with team billing support                            |
| **Visitor access**         | ✅ Yes      | Time-limited credentials with automatic expiry                             |
| **Booking guest access**   | ✅ Yes      | Customers added as booking guests can access spaces during booking windows |
| **Check-in tracking**      | ✅ Yes      | Door events trigger automatic check-ins                                    |
| **Mobile app access**      | ✅ Yes      | Brivo OnAir integration via Nexudus Passport app                           |
| **Remote door unlock**     | ❌ No       | Customers must be physically near doors to unlock                          |

## How It Works

### Access Control Model

Brivo uses a **user and group** model:

1. **Users**: Each customer is created as a user in Brivo with their email and name
2. **Groups**: Access permissions are organized into groups in Brivo (e.g., "24/7 Access", "Meeting Room A")
3. **Credentials**: Users receive credentials (physical cards, QR codes, or mobile passes) to access doors
4. **Access points**: Physical doors/locks controlled by Brivo hardware

When a customer should have access (based on their plan, passes, or bookings), Nexudus:

* Creates or updates their Brivo user profile
* Assigns them to the appropriate access groups
* Provisions credentials (mobile pass or physical card)

### Multi-Door Support

Brivo uses **access groups** to grant permissions to multiple doors. Instead of mapping each door individually:

1. In Brivo, create an access group (e.g., "Coworking Space Access")
2. Add the relevant doors to that group in Brivo
3. In Nexudus, map your pass/resource/desk to that group
4. Customers with that pass automatically get access to all doors in the group

<Note>
  You must configure which doors belong to each group in the Brivo platform. Nexudus assigns customers to groups, but the door-to-group mapping is managed in Brivo.
</Note>

## Prerequisites

Before connecting Nexudus to Brivo, ensure you have:

1. **Active Brivo account** with administrator access
2. **Brivo API Key** obtained from Brivo support or your account manager
3. **Brivo site configured** with access points (doors/locks) installed and online
4. **Access groups created** in Brivo for different access levels (e.g., 24/7 access, business hours only)
5. **API access enabled** on your Brivo account
6. **Nexudus location configured** with plans, passes, and resources

<Note>
  **Getting your API Key**: Contact Brivo support or your Brivo account manager to request an API Key for your account. You'll need this before you can connect Nexudus to Brivo. The API Key is separate from your login credentials and enables programmatic access to your Brivo system.
</Note>

<Note>
  You'll need to choose your region (Global or Europe) during setup. This determines which Brivo API endpoint is used and cannot be changed later without reconnecting.
</Note>

## Configuration

### Step 1: Connect to Brivo

1. In the Nexudus dashboard, go to **Settings > Integrations**
2. Find **Brivo** in the list and click to open the integration settings
3. Toggle **Enable Brivo integration** to ON
4. Enter your **API Key** (obtained from Brivo support)
5. Select your region:
   * **Global**: For accounts on `https://auth.brivo.com`
   * **Europe**: For accounts on `https://auth.eu.brivo.com`
6. Click **Connect**
7. Sign in to your Brivo account when prompted
8. Grant Nexudus permission to access your Brivo account
9. You'll be redirected back to Nexudus

Once connected, Nexudus can read your Brivo sites, access points, groups, and credential formats.

<Warning>
  The region selection (Global vs Europe) is tied to your Brivo account setup. If you're unsure which region your account uses, check with your Brivo administrator or look at your Brivo login URL.
</Warning>

### Step 2: Select Your Site

If you have multiple Brivo sites:

1. From the **Site** dropdown, select the site that corresponds to this Nexudus location
2. This determines which access points and groups are available for mapping

<Note>
  If you have multiple locations in Nexudus and multiple sites in Brivo, you'll need to configure the integration separately for each location.
</Note>

### Step 3: Configure Presence Tracking (Optional)

Brivo can trigger automatic check-ins when customers unlock specific doors.

1. In the **Access Points** section, you'll see all doors from your Brivo site
2. For each door, choose an action:
   * **Nothing**: Door access is tracked in Brivo but doesn't affect Nexudus
   * **Check In**: Unlocking this door checks the customer in
   * **Check Out**: Unlocking this door checks the customer out
   * **Toggle**: Unlocking switches between checked in and checked out

**Common scenarios:**

* Set the main entrance to **Check In**
* Set the exit door to **Check Out**
* Set internal doors to **Nothing** (access granted but doesn't affect presence)

<Note>
  Check-in tracking requires webhook events from Brivo. Nexudus listens for access granted events and triggers the appropriate check-in action based on your configuration.
</Note>

### Step 4: Map Passes to Access Groups

Passes are the primary way customers receive access in Nexudus. Each pass can be mapped to a Brivo access group.

1. In the **Passes** section, you'll see all passes configured for this location
2. For each pass, select the Brivo **Access Group** that customers should be assigned to when they hold that pass
3. Leave blank if a pass should not grant physical access

**How it works:**

* When a customer has an active contract on a plan that includes passes, they automatically receive those passes
* If the pass is mapped to a Brivo group, the customer is added to that group in Brivo
* When the pass expires or is consumed, access is revoked
* Time-limited passes (e.g., day passes with validity windows) automatically grant and revoke access at the appropriate times

**Example mapping:**

| Pass Name           | Brivo Group    | Purpose                            |
| ------------------- | -------------- | ---------------------------------- |
| 24/7 Access Pass    | 24/7 Members   | Round-the-clock building access    |
| Business Hours Pass | Business Hours | Access only during operating hours |
| Meeting Room Pass   | Meeting Rooms  | Access to meeting room zones       |

<Warning>
  Plans are **not** directly mapped to access groups. Instead:

  1. Plans include passes via the plan configuration
  2. Passes are what get mapped to access groups
  3. When a customer starts a contract on a plan, they receive the passes included in that plan
  4. Those passes then grant the associated Brivo access
</Warning>

### Step 5: Map Resources to Access Groups

Resources (meeting rooms, event spaces, etc.) can require specific access permissions for bookings.

1. In the **Resources** section, you'll see all resources configured for this location
2. For each resource, select the Brivo **Access Group** required to access that space
3. Leave blank if resource bookings should not grant physical access

**How it works:**

* When a customer books a resource, Nexudus grants them access 15 minutes before the booking starts
* Access is automatically revoked when the booking ends
* If the booking is cancelled, access is removed immediately

**Example mapping:**

| Resource Name     | Brivo Group     | Purpose                            |
| ----------------- | --------------- | ---------------------------------- |
| Conference Room A | Meeting Room A  | Access to specific meeting room    |
| Event Space       | Event Hall      | Access to event space for bookings |
| Private Office    | Private Offices | Access to private office area      |

<Note>
  Resource-based access is temporary and booking-specific. A customer only receives access during their booking window, even if they don't hold a general access pass.
</Note>

### Step 6: Map Desks/Units to Access Groups

Floor plan desks and units can grant access to specific areas when included in a customer's contract.

1. In the **Desks/Units** section, you'll see all desks from your floor plans
2. For each desk, select the Brivo **Access Group** required to access that area
3. Leave blank if desk assignments should not grant physical access

**How it works:**

* When a desk is added to a customer's contract, they receive access to the mapped group
* Access is granted when the contract starts and revoked when it ends
* **Team billing support**: If a customer uses team billing (merged billing), they also receive access to desks included in the paying member's contracts

**Example mapping:**

| Desk/Unit Name        | Brivo Group            | Purpose                                   |
| --------------------- | ---------------------- | ----------------------------------------- |
| Private Office #101   | Private Office Floor 1 | Access to first-floor private office area |
| Dedicated Desk Zone A | Desk Area A            | Access to dedicated desk zone A           |
| Studio #5             | Studio Access          | Access to individual studio unit          |

<Warning>
  Desk access is based on **contract assignments**, not direct desk bookings. Customers must have the desk included in an active contract to receive access. Ad-hoc desk bookings (if using desk booking) do not automatically grant Brivo access.
</Warning>

### Step 7: Configure Visitor Access (Optional)

Brivo supports time-limited credentials for visitors.

1. In the **Visitor Settings** section, select the Brivo **Access Groups** that visitors should receive
2. Multiple groups can be selected if visitors need access to multiple areas
3. Optionally configure:
   * **Credential format**: Choose which credential format to use for visitors (QR code, PIN, etc.)
   * **Automatic mobile invitations**: Enable to automatically send mobile pass invitations to visitors

**How visitor access works:**

* When a visitor is registered in Nexudus with an expected arrival time, Nexudus creates a temporary Brivo user
* The visitor receives a time-limited credential (access starts 15 minutes before expected arrival)
* Access automatically expires:
  * **Guest on a booking**: 15 minutes after the booking ends
  * **Regular visitor**: At midnight (location's time zone) after the arrival date
* When the visitor is marked as departed or deleted, their Brivo credential is removed immediately

<Note>
  Visitors can also be added as **guests on bookings**. When a customer adds a guest to a meeting room booking, the guest receives the same access as the resource grants, limited to the booking time window.
</Note>

### Step 8: Configure Mobile Access (Optional)

Brivo OnAir enables customers to unlock doors using their smartphone via the Nexudus Passport app.

**Requirements:**

* Brivo OnAir must be enabled on your Brivo account
* Customers must download the Nexudus Passport app
* The integration must be configured to use mobile credentials

**Setup:**

1. In Brivo, ensure your access points support OnAir (mobile credentials)
2. In Nexudus, under **Credential Settings**, select:
   * **Credential format**: Choose "Brivo Mobile Pass"
   * **Redeem OnAir passes automatically**: Enable to automatically provision mobile passes without requiring customers to manually redeem an invitation

**Customer experience:**

1. Customer logs in to the Nexudus Passport app
2. App detects Brivo integration is enabled
3. Customer receives a Brivo OnAir invitation:
   * **Automatic mode**: Invitation is pre-redeemed, customer can unlock doors immediately
   * **Manual mode**: Customer receives an email with an access code to redeem in the Brivo app
4. Customer can unlock doors directly from the Passport app

<Note>
  If automatic redemption is disabled, customers receive an email with a Brivo OnAir access code. They must enter this code in the Brivo Mobile app to activate their mobile credential.
</Note>

### Step 9: Save Configuration

1. Review all mappings to ensure they're correct
2. Click **Save** to apply the configuration
3. Nexudus will immediately start provisioning access for customers based on the new mappings

## How Access is Managed

### When Access is Granted

Nexudus automatically grants Brivo access when:

1. **Contract starts**: Customer begins a contract on a plan → receives passes included in that plan → assigned to corresponding Brivo groups
2. **Pass activated**: Customer receives a pass directly (not via a contract) → assigned to the mapped Brivo group
3. **Booking created**: Customer books a resource → granted access to resource's group 15 minutes before booking start time
4. **Desk added to contract**: Desk is added to an active contract → customer receives access to the desk's mapped group
5. **Visitor registered**: Visitor is added with expected arrival → temporary Brivo credential created
6. **Booking guest added**: Non-customer is added as a guest on a booking → granted access to resource's group for the booking duration

### When Access is Revoked

Nexudus automatically revokes Brivo access when:

1. **Contract ends or cancelled**: Customer loses passes from that contract → removed from corresponding Brivo groups
2. **Pass expires**: Pass validity ends or usage is consumed → removed from mapped Brivo group
3. **Booking ends or cancelled**: Booking time expires or is cancelled → access to resource's group is removed
4. **Desk removed from contract**: Desk is removed from contract → access to desk's group is revoked
5. **Customer deactivated**: Customer account is deactivated → all Brivo access removed
6. **Visitor expires**: Visitor's access window ends or visitor is deleted → Brivo credential deleted
7. **Check-in expires**: If customer checks out or check-in expires, certain temporary access may be revoked

### Access Update Timing

* **Immediate updates**: Contract changes, pass assignments, and customer deactivations trigger access updates within seconds
* **Booking lead time**: Booking access is granted 15 minutes before the booking start time
* **Visitor access**: Starts 15 minutes before expected arrival
* **Background processing**: Access updates are queued in background jobs to handle high volumes efficiently

<Note>
  If a customer should have access but doesn't, the system automatically retries access provisioning. Check the Business Checkup page for any integration errors.
</Note>

## Mobile App Experience

Customers can use the **Nexudus Passport** mobile app to access doors via Brivo OnAir.

### Setup for Customers

1. Customer downloads the **Nexudus Passport** app (iOS or Android)
2. Signs in with their Nexudus credentials
3. App detects Brivo integration is active
4. Customer receives or redeems a Brivo OnAir mobile pass:
   * **Automatic mode**: Pass is ready immediately
   * **Manual mode**: Customer receives an email with an access code to enter in the Brivo app

### Using Mobile Access

1. Customer opens the Nexudus Passport app
2. Navigates to **Unlock Doors** section
3. Views available Brivo OnAir credentials
4. Approaches door and uses phone to unlock (via Bluetooth or QR code, depending on Brivo hardware)

### Revoking Mobile Access

Customers can revoke and re-invite their mobile pass from the Nexudus Passport app if:

* They changed phones
* The pass stopped working
* They want to refresh their credentials

Admins can also force a refresh by:

1. Temporarily deactivating the customer
2. Reactivating the customer
3. Access is automatically re-provisioned

## Troubleshooting

<AccordionGroup>
  <Accordion title="Customer has an active contract but can't access doors">
    **Possible causes:**

    1. **Pass not mapped**: The passes included in the customer's plan are not mapped to any Brivo access groups
       * **Solution**: Go to Settings > Integrations > Brivo and map the relevant passes to access groups

    2. **Pass expired or inactive**: The customer's pass has expired or hasn't started yet
       * **Solution**: Check the customer's passes under their profile to verify validity windows

    3. **Brivo user not created**: The customer wasn't created in Brivo
       * **Solution**: Check the Business Checkup page for integration errors, or manually trigger an update by editing and saving the customer's profile

    4. **Access group permissions**: The Brivo access group exists but isn't assigned to any doors
       * **Solution**: In Brivo, verify the access group includes the correct access points

    5. **Credential not provisioned**: Customer exists in Brivo but has no active credential
       * **Solution**: Check if the customer has redeemed their OnAir invitation (if using mobile access), or issue a physical card
  </Accordion>

  <Accordion title="Booking access not working">
    **Possible causes:**

    1. **Resource not mapped**: The booked resource is not mapped to a Brivo access group
       * **Solution**: Map the resource to an access group in Settings > Integrations > Brivo

    2. **Booking too far in future**: Access is only granted 15 minutes before booking start time
       * **Solution**: Wait until booking is within 15 minutes of start time

    3. **Booking not confirmed**: Some resources require booking confirmation
       * **Solution**: Confirm the booking if it's in pending state
  </Accordion>

  <Accordion title="Visitor cannot access the space">
    **Possible causes:**

    1. **Visitor access not configured**: Visitor access groups are not set in the integration settings
       * **Solution**: Configure visitor access groups in Settings > Integrations > Brivo

    2. **Visitor code not generated**: The visitor doesn't have a visitor code assigned
       * **Solution**: Ensure the visitor has a unique visitor code in their profile

    3. **Access window not started**: Visitor access starts 15 minutes before expected arrival
       * **Solution**: Check the visitor's expected arrival time

    4. **Credential expired**: Visitor access window has ended
       * **Solution**: Update the visitor's expected arrival time or mark them as departed and re-register
  </Accordion>

  <Accordion title="Mobile access (OnAir) not working">
    **Possible causes:**

    1. **OnAir not enabled**: Brivo OnAir is not enabled on your Brivo account
       * **Solution**: Contact Brivo support to enable OnAir for your account

    2. **Invitation not redeemed**: Customer received an invitation but hasn't redeemed it
       * **Solution**: Check customer's email for the Brivo OnAir invitation code, or enable automatic redemption

    3. **Customer changed phones**: Mobile credential is tied to a specific device
       * **Solution**: Customer should revoke and re-invite their mobile pass from the Nexudus Passport app

    4. **Bluetooth/location disabled**: OnAir requires Bluetooth and location services
       * **Solution**: Customer should enable Bluetooth and location permissions for the Nexudus Passport app
  </Accordion>

  <Accordion title="Access not revoking when contract ends">
    **Possible causes:**

    1. **Multiple active contracts**: Customer has another active contract that includes the same passes
       * **Solution**: This is expected behavior — access remains as long as any active contract provides it

    2. **Shared passes**: Customer is part of a team with shared passes from another team member
       * **Solution**: Access remains as long as the paying team member's contract is active

    3. **Background job delayed**: Access revocation is queued and may take a few minutes
       * **Solution**: Wait 5-10 minutes and check again, or check the Business Checkup page if errors persist
  </Accordion>

  <Accordion title="Integration shows 'Developer Inactive' error">
    **Cause:** Your Brivo API credentials or subscription have expired or been revoked.

    **Solution:**

    1. Contact your Brivo account manager to verify your API access is active
    2. Reconnect the integration (disconnect and connect again) to refresh credentials
    3. Check that your Brivo subscription includes API access
  </Accordion>

  <Accordion title="Integration shows 'Developer Over Rate' error">
    **Cause:** Nexudus is making too many API requests to Brivo (hitting rate limits).

    **Solution:**

    * This is usually temporary and will resolve automatically
    * If it persists, it indicates high access update volume (e.g., large contract changes affecting many customers)
    * Contact Nexudus support if this error continues for more than 30 minutes
  </Accordion>
</AccordionGroup>

## Monitoring Integration Errors

Nexudus monitors your access control integration and alerts you to any issues that need attention.

### Business Checkup Dashboard

Access control integration errors are displayed on the **Business Checkup** page:

1. Go to **Home > Important Items** in the dashboard, or
2. Navigate directly to [dashboard.nexudus.com/dashboards/checkup](https://dashboard.nexudus.com/dashboards/checkup)
3. Look for the **Access Control Integration** tile
4. If there are errors, the tile will be displayed in red

### What Gets Flagged

* **Authentication failures**: Expired credentials or invalid API tokens
* **Provisioning errors**: Failed attempts to create or update customer access
* **Configuration issues**: Missing or invalid access group mappings
* **Synchronization problems**: Delays or failures in updating access permissions

Each error includes:

* The customer affected
* The nature of the problem
* When the error occurred
* Suggested actions to resolve it

<Note>
  Nexudus automatically retries failed operations. If errors persist, check the Business Checkup page for detailed information and follow the suggested resolution steps.
</Note>

## Security Considerations

### Data Shared with Brivo

When provisioning access, Nexudus shares the following information with Brivo:

* **Customer data**: First name, last name, email address
* **External ID**: Nexudus customer ID (used to link records between systems)
* **Visitor data**: Name, email, visitor code

Nexudus **does not** share:

* Billing information
* Payment details
* Contract specifics (only access group assignments)
* Personal notes or custom fields

### Credential Management

* **Physical cards**: Managed entirely in Brivo; Nexudus only assigns access groups
* **Mobile credentials**: Provisioned through Brivo OnAir; Nexudus triggers invitation but doesn't handle the credential itself
* **Visitor credentials**: Time-limited and automatically expire
* **User passwords**: Never shared with Nexudus; authentication to Brivo apps is handled by Brivo

## Technical Details

<Accordion title="For developers and IT administrators">
  ### API Architecture

  * **Base URLs**:
    * US: `https://api.brivo.com`
    * EU: `https://api.eu.brivo.com`
  * **Authorization URLs**:
    * US: `https://auth.brivo.com`
    * EU: `https://auth.eu.brivo.com`
  * **Authentication**: OAuth2 Authorization Code flow
  * **Authorization path**: `/oauth/authorize`
  * **Token path**: `/oauth/token`
  * **Token type**: Bearer token (stored in `Brivo.ApiToken` setting)
  * **Refresh token**: Stored in `Brivo.ApiRefreshToken` setting
  * **Client credential style**: POST body (not Authorization header)
  * **Rate limiting**:
    * Debug: 20 requests/second
    * Production: 50 requests/second
    * Per API key, distributed across multiple servers

  ### Key Endpoints

  * **Users**: Create, update, delete Brivo users
  * **Groups**: Manage access groups and group assignments
  * **Credentials**: Provision mobile passes, QR codes, PIN codes
  * **Sites**: Query sites associated with the account
  * **Access Points**: Query doors and access points
  * **Events**: Query access granted events with pagination
  * **Digital Invitations**: Send OnAir mobile pass invitations

  ### Synchronization

  * **Access updates**: Debounced by 5 seconds per customer to batch rapid changes
  * **Background task**: Polls door events every 9 minutes for check-in tracking
  * **Event query limitations**: Brivo cannot query more than 24 hours of data in a single call
  * **Event pagination**: Forward-in-time pagination using `occurred__gt` and `offset` parameters
  * **Distributed locking**: Semaphore-based (max 10 concurrent operations, 15-minute timeout)
  * **User provisioning**: Lazy creation on first inventory assignment
  * **Credential rules**: Created/updated/deleted as inventory changes
  * **Access signature hashing**: Prevents unnecessary API calls when access hasn't changed

  ### External IDs

  * **Customers**: `BrivoUserId` field stores Brivo user ID (integer)
  * **Lookup**: `coworker.BrivoUserId` maps to Brivo user's `id` field
  * **Visitors**: Temporary Brivo users created with `firstName`, `lastName`, `email`

  ### User Model

  ```json theme={null}
  {
    "id": 12345,
    "firstName": "John",
    "lastName": "Doe",
    "email": "john@example.com",
    "externalId": "CUSTOMER-67890",
    "suspended": false,
    "groups": [1, 2, 3]
  }
  ```

  ### Visitor Access

  * **Visitor users**: Temporary Brivo users with time-limited credentials
  * **Access time window**:
    * Start: 15 minutes before expected arrival
    * End: 15 minutes after departure (or midnight if no departure set)
  * **Access groups**:
    * Booking-based: From resource or desk mapped groups
    * General visitors: From `Brivo.VisitorAccessGroupIds` setting
  * **Credential format**: Configurable via `Brivo.QR.CardFormat` setting
  * **Cleanup**: Users deleted after access window expires

  ### Mobile Credentials (OnAir)

  * **OnAir invitations**: Sent via Brivo Digital Invitation API
  * **Automatic redemption**: Configurable via `Brivo.RedeemOnAirPassesAutomatically`
  * **Manual redemption**: Customer receives email with access code to enter in Brivo app
  * **Integration**: Nexudus Passport app integrates with Brivo OnAir
  * **Revocation**: Customer can revoke and re-invite from Passport app

  ### Business Settings Reference

  | Setting                                      | Purpose                                                            |
  | -------------------------------------------- | ------------------------------------------------------------------ |
  | `Brivo.Enable`                               | Integration enabled flag ("true"/"false")                          |
  | `Brivo.Region`                               | API region ("US" or "EU")                                          |
  | `Brivo.ApiKey`                               | API key for rate limiting identification                           |
  | `Brivo.ApiToken`                             | OAuth2 access token (auto-refreshed)                               |
  | `Brivo.ApiRefreshToken`                      | OAuth2 refresh token                                               |
  | `Brivo.SystemId`                             | Brivo system identifier                                            |
  | `Brivo.SiteId`                               | Comma-separated site IDs to query events from                      |
  | `Brivo.VisitorAccessGroupIds`                | Comma-separated group IDs for general visitors                     |
  | `Brivo.RedeemOnAirPassesAutomatically`       | Auto-redeem mobile passes ("true"/"false")                         |
  | `Brivo.QR.CardFormat`                        | Credential format ID for visitor QR codes                          |
  | `Brivo.LastEventDate`                        | Last processed event timestamp (ISO 8601)                          |
  | `Brivo.Controller.Id_{accessPointId}.Action` | Check-in action per access point (Nothing/CheckIn/CheckOut/Toggle) |

  ### Contract-Based Desk Access

  * Desk access determined by active contracts: `coworker.ActiveContracts().SelectMany(x => x.Desks)`
  * **Team billing support**: Customer receives access to desks in paying member's contracts via `coworker.PaysInvoicesViaTeam()`
  * **Access check**: Validated via `coworker.GetPayingMemberWithSharedTimePasses()` for shared passes
  * **Desk mapping**: Each desk mapped to comma-separated Brivo group IDs

  ### Access Update Logic

  1. **Passes**: Active passes from contracts + shared passes from paying member
  2. **Check-ins**: Passes from open check-ins (maintains access during session)
  3. **Bookings**: Resources with bookings starting within 16 minutes (15-min lead + 1-min buffer)
  4. **Booking guests**: Resources from bookings where customer is a visitor
  5. **Desks**: Desks from active contracts (own + team billing)
  6. **Group aggregation**: Collect unique group IDs from all access sources
  7. **User provisioning**: Create/update Brivo user with aggregated groups
  8. **Credential management**: Issue mobile credentials or manage visitor access

  ### Event Processing

  * **Event query**: `GET /api/v1/api/events?occurred__gt={lastEventDate}&offset={timestamp}`
  * **Security action filter**: Only "Open" actions trigger check-ins
  * **Event fields**: `uuid`, `occurred`, `actor` (user), `object` (access point), `securityAction`
  * **Pagination**: Forward-in-time using minimum `occurred` timestamp as offset
  * **24-hour limitation**: Each query limited to 24 hours of data
  * **Event ordering**: Ordered by `occurred` timestamp ascending
  * **Multi-site**: Events queried separately for each Site ID in `Brivo.SiteId`

  ### Error Handling

  * **Developer Over Rate**: Rate limit exceeded, operation automatically retried
  * **Developer Inactive**: API credentials expired or subscription inactive
  * **Authentication failures**: Automatic token refresh using refresh token
  * **Provisioning errors**: Stored in business log entries with retry logic
  * **Business Checkup**: Integration errors displayed on dashboard
  * **Distributed locks**: Prevent concurrent updates to same customer

  ### Rate Limiting

  * **Semaphore-based**: Per API key across distributed servers
  * **Thread-safe**: Uses `RateLimiterThreadingTimer` with sliding window
  * **Dynamic headers**: API key header applied dynamically per request
  * **Over-rate handling**: Requests queued and retried automatically

  ### Region Configuration

  * **US Region**: Default, uses `api.brivo.com` and `auth.brivo.com`
  * **EU Region**: Uses `api.eu.brivo.com` and `auth.eu.brivo.com`
  * **Client credentials**: Different client IDs per region (`BrivoClientId` vs `BrivoEuClientId`)
  * **Cannot change**: Region locked after initial configuration (requires reconnection to switch)
</Accordion>

## Related Documentation

* [Access Control Overview](/platform/access-control/overview)
* [Passes Configuration](/platform/billing/time-passes)
* [Plans & Contracts](/platform/billing/plans)
* [Visitor Management](/platform/operations/visitors)
* [Resource Bookings](/platform/operations/bookings)
