Skip to main content

Kisi Access Control Integration

Overview

Kisi is a cloud-based access control platform that enables modern, keyless physical access management. The Nexudus integration with Kisi automates user provisioning and access group assignments based on customer contracts, passes, and bookings.

Key Features

  • Cloud-based management: Manage access through Kisi’s web platform and mobile app
  • Mobile access: Customers can use the Nexudus Passport app to unlock doors remotely
  • Automatic provisioning: Access is granted and revoked automatically based on plan changes, bookings, and pass assignments
  • Check-in tracking: Door unlock events automatically check customers in/out
  • Group-based permissions: Map your inventory (passes, resources) to Kisi groups
  • Booking-based temporary access: Automatic access during reservation windows
  • Booking guest access: Customers added as booking guests receive access during booking periods

Integration Type

Cloud-based — Kisi operates entirely in the cloud with no on-premises server requirements. The platform uses a REST API at https://api.getkisi.com.

Capabilities

FeatureSupportedNotes
Pass-based access✅ YesCustomers receive access based on their active passes
Plan-based access✅ IndirectPlans grant access through the passes they include
Resource-based access✅ YesGrants temporary access during reservations
Desk/unit-based access❌ NoNot supported by this integration
Visitor access❌ NoNot supported by this integration
Booking guest access✅ YesCustomers added as booking guests can access spaces during booking windows
Check-in tracking✅ YesDoor unlock events trigger automatic check-ins
Mobile app access✅ YesNexudus Passport app integration
Remote door unlock✅ YesCustomers can unlock doors without being physically present

How It Works

Access Control Model

Kisi uses a group-based model to manage access permissions:
  • Users represent individuals in the system (mapped to Nexudus customers)
  • Groups define collections of locks (doors) that users can access
  • Role Assignments link users to groups with specific permissions
  • Locks are individual access points managed by Kisi controllers
  • Places organize locks within your Kisi account
When a customer’s access needs change in Nexudus (e.g., they purchase a pass, book a resource, or their contract renews), the integration automatically creates or updates their user record in Kisi and assigns them to the appropriate groups.

Multi-Door Support

Kisi uses groups to grant permissions to multiple locks. Instead of mapping each lock individually:
  1. In Kisi, create a group (e.g., “24/7 Building Access”)
  2. Add the relevant locks to that group in Kisi
  3. In Nexudus, map your pass/resource to that group
  4. Customers with that pass automatically get access to all locks in the group
You must configure which locks belong to each group in the Kisi platform. Nexudus assigns customers to groups, but the lock-to-group mapping is managed in Kisi.

Prerequisites

Before connecting Nexudus to Kisi, ensure you have:
  1. Active Kisi account with administrator access
  2. Kisi API token obtained from your Kisi account settings
  3. Kisi system configured with lock controllers installed and online
  4. Groups created in Kisi for different access levels (e.g., 24/7 access, business hours only)
  5. Nexudus location configured with plans, passes, and resources

Obtaining Your Kisi API Token

To get your API token from Kisi:
  1. Log in to your Kisi account at web.getkisi.com
  2. Go to Settings > API
  3. Generate a new API token or copy your existing token
  4. Keep this token secure - you’ll need it for the Nexudus integration

Configuration

Step 1: Connect to Kisi

  1. In the Nexudus dashboard, go to Settings > Integrations
  2. Find Kisi in the list and click to expand the settings
  3. Enable the Enable Kisi integration toggle
  4. Enter your Kisi API Token in the API token field
  5. (Optional) Configure No access policy - choose whether to suspend or delete user accounts when they lose all access
  6. (Optional) Enable Notify customers by email if you want Kisi to send welcome emails (not recommended)
  7. Click Save to establish the connection
Once connected, Nexudus can read your Kisi groups and locks and begin provisioning access.
Your API token is stored securely and used for all API calls to Kisi. Never share your API token publicly.

Step 2: Configure Presence Tracking (Optional)

Kisi can trigger automatic check-ins when customers unlock specific doors.
  1. In the Presence Tracking section, you’ll see all locks from your Kisi account
  2. For each lock, choose an action:
    • Nothing: Door access is tracked in Kisi but doesn’t affect Nexudus
    • Check In: Unlocking this door checks the customer in
    • Check Out: Unlocking this door checks the customer out
    • Toggle: Unlocking switches between checked in and checked out
Common scenarios:
  • Set the main entrance to Check In
  • Set the exit door to Check Out
  • Set internal doors to Nothing (access granted but doesn’t affect presence)
Check-in tracking requires event processing. Nexudus syncs door events approximately every 9 minutes and triggers the appropriate check-in action based on your configuration.

Step 3: Map Passes to Groups

Passes are the primary way customers receive access in Nexudus. Each pass can be mapped to a Kisi group.
  1. In the Passes section, you’ll see all passes configured for this location
  2. For each pass, select the Kisi access group that customers should be assigned to when they hold that pass
  3. Leave blank if a pass should not grant physical access
How it works:
  • When a customer has an active contract on a plan that includes passes, they automatically receive those passes
  • If the pass is mapped to a Kisi group, the customer is added to that group
  • When the pass expires or is consumed, access is revoked
  • Time-limited passes (e.g., day passes with validity windows) automatically grant and revoke access at the appropriate times
Example mapping:
Pass NameKisi GroupPurpose
24/7 Access Pass24/7 MembersRound-the-clock building access
Business Hours PassBusiness HoursAccess only during operating hours
Meeting Room PassMeeting RoomsAccess to meeting room zones
Plans are not directly mapped to groups. Instead:
  1. Plans include passes via the plan configuration
  2. Passes are what get mapped to groups
  3. When a customer starts a contract on a plan, they receive the passes included in that plan
  4. Those passes then grant the associated Kisi access

Step 4: Map Resources to Groups

Resources (meeting rooms, event spaces, etc.) can require specific access permissions for bookings.
  1. In the Resources section, you’ll see all resources configured for this location
  2. For each resource, select the Kisi access group required to access that space
  3. Leave blank if resource bookings should not grant physical access
How it works:
  • When a customer books a resource, Nexudus grants them access 15 minutes before the booking starts
  • Access is automatically revoked when the booking ends
  • If the booking is cancelled, access is removed immediately
  • Booking guests: If a customer is added as a guest to a booking, they also receive access during the booking window
Example mapping:
Resource NameKisi GroupPurpose
Conference Room AConference RoomsAccess to meeting room area
Event SpaceEvent HallAccess to event space for bookings
Private OfficePrivate OfficesAccess to private office area
Resource-based access is temporary and booking-specific. A customer only receives access during their booking window (starting 15 minutes before), even if they don’t hold a general access pass.

Step 5: Save Configuration

  1. Review all mappings to ensure they’re correct
  2. Click Save to apply the configuration
  3. Nexudus will immediately start provisioning access for customers based on the new mappings

How Access is Managed

When Access is Granted

Nexudus automatically grants Kisi access when:
  1. Contract starts: Customer begins a contract on a plan → receives passes included in that plan → assigned to corresponding Kisi groups
  2. Pass activated: Customer receives a pass directly (not via a contract) → assigned to the mapped Kisi group
  3. Booking created: Customer books a resource → granted access to resource’s group 15 minutes before booking start time
  4. Booking guest added: Non-customer is added as a guest on a booking → granted access to resource’s group for the booking duration
  5. Check-in with pass: Customer checks in with a pass that grants access → maintains access during the check-in session

When Access is Revoked

Nexudus automatically revokes Kisi access when:
  1. Contract ends or cancelled: Customer loses passes from that contract → removed from corresponding Kisi groups
  2. Pass expires: Pass validity ends or usage is consumed → removed from mapped Kisi group
  3. Booking ends or cancelled: Booking time expires or is cancelled → access to resource’s group is removed
  4. Customer deactivated: Customer account is deactivated → all Kisi access removed (user suspended or deleted based on configuration)
  5. Check-in expires: If customer checks out, temporary access may be revoked

Access Update Timing

  • Immediate updates: Contract changes, pass assignments, and customer deactivations trigger access updates within seconds
  • Booking lead time: Booking access is granted 15 minutes before the booking start time
  • Background processing: Access updates are queued in background jobs with 5-second debouncing to batch rapid changes
  • Event processing: Door unlock events are synced approximately every 9 minutes for check-in tracking
If a customer should have access but doesn’t, the system automatically retries access provisioning. Check the Business Checkup page for any integration errors.

No Access Behavior

When a customer loses all access groups (no active passes, bookings, or contracts), Nexudus can handle their Kisi account in two ways: Suspend Account (Default)
  • The user’s access_enabled flag is set to false in Kisi
  • User record remains in Kisi but cannot unlock doors
  • Access can be re-enabled if customer regains access
  • Recommended for most use cases
Delete Account
  • The user is completely removed from Kisi
  • User record must be recreated if customer regains access
  • Use this option if you need to comply with data retention policies
Configure this behavior in Settings > Integrations > Kisi > No Access Behaviour.

Mobile App Experience

Customers can use the Nexudus Passport mobile app to unlock doors remotely.

Setup for Customers

  1. Customer downloads the Nexudus Passport app (iOS or Android)
  2. Signs in with their Nexudus credentials
  3. App detects Kisi integration is active
  4. Customer can view available locks and unlock them remotely

Using Mobile Access

  1. Customer opens the Nexudus Passport app
  2. Navigates to Unlock Doors section
  3. Views list of locks they currently have access to
  4. Taps Unlock to remotely unlock a door

How It Works

When a customer attempts to unlock a door through the Nexudus Passport app:
  1. App requests a device login token from Kisi via Nexudus API
  2. Kisi creates a device login associated with the customer’s email
  3. Customer can then use the app to unlock doors they have group access to
  4. No physical credentials (cards, fobs) are required
Mobile access is tied to the customer’s email address in both Nexudus and Kisi. Ensure customer email addresses are accurate and up to date.

Troubleshooting

Possible causes:
  1. Pass not mapped: The passes included in the customer’s plan are not mapped to any Kisi groups
    • Solution: Go to Settings > Integrations > Kisi and map the relevant passes to groups
  2. Group no longer exists: The selected group was deleted from Kisi
    • Solution: Recreate the group in Kisi, then refresh the integration by saving settings
  3. Pass expired or inactive: The customer’s pass has expired or hasn’t started yet
    • Solution: Check the customer’s passes under their profile to verify validity windows
  4. User not created: The customer wasn’t created in Kisi
    • Solution: Check the Business Checkup page for integration errors, or manually trigger an update by editing and saving the customer’s profile
  5. User suspended: The customer’s Kisi user is marked as access_enabled: false
    • Solution: User should regain access automatically when they receive a pass; check for integration errors
  6. Mobile app not authorized: Customer’s device login hasn’t been created
    • Solution: Customer should open Nexudus Passport app and trigger a new login request
Possible causes:
  1. Resource not mapped: The booked resource is not mapped to a Kisi group
    • Solution: Map the resource to a group in Settings > Integrations > Kisi
  2. Booking too far in future: Access is only granted 15 minutes before booking start time
    • Solution: Wait until booking is within 15 minutes of start time
  3. Booking not confirmed: Some resources require booking confirmation
    • Solution: Confirm the booking if it’s in pending state
  4. User not in Kisi: Customer doesn’t exist in Kisi yet
    • Solution: System should auto-create user; check Business Checkup for errors
Possible causes:
  1. No active access: Customer doesn’t have any passes or bookings that grant access
    • Solution: Verify customer has an active pass or upcoming booking mapped to Kisi groups
  2. User not confirmed: Customer’s Kisi user account is unconfirmed
    • Solution: Nexudus creates users with confirm: true; check Kisi for user status
  3. App not refreshed: Lock list hasn’t updated after access was granted
    • Solution: Customer should pull down to refresh the lock list in the app
  4. Device login expired: Customer’s device login token has expired
    • Solution: Customer should sign out and sign back in to the Nexudus Passport app
Possible causes:
  1. Door action not configured: Lock is set to “Nothing” instead of a check-in action
    • Solution: Configure the lock action in Settings > Integrations > Kisi
  2. Event processing delay: Background task runs approximately every 9 minutes
    • Solution: Wait up to 9 minutes for the next event sync cycle
  3. User not found: Door event references a user not in Nexudus
    • Solution: Ensure the email address in Kisi matches the customer’s email in Nexudus exactly
  4. Place filter configured: Events are filtered to a specific place ID
    • Solution: Check the Kisi.CheckinPlaceId setting; leave blank to process all events
Possible causes:
  1. Invalid API token: API token is incorrect or has been revoked
    • Solution: Generate a new API token in Kisi and update it in Nexudus settings
  2. Account access denied: Your Kisi account doesn’t have sufficient permissions
    • Solution: Ensure the API token is from an administrator account with full access
  3. API token expired: The API token is no longer valid
    • Solution: Generate a new API token in Kisi and update it in Settings > Integrations > Kisi
  4. Rate limiting: Too many API requests in a short period
    • Solution: Wait a few minutes and try again; Nexudus implements rate limiting to prevent this
Cause: Duplicate unconfirmed user accounts were created through legacy endpoints.Solution:
  • Nexudus automatically detects and deletes unconfirmed duplicate users
  • If issue persists, manually delete unconfirmed users in Kisi platform
  • Save customer profile in Nexudus to trigger a fresh sync

Monitoring Integration Errors

Nexudus monitors your access control integration and alerts you to any issues that need attention.

Business Checkup Dashboard

Access control integration errors are displayed on the Business Checkup page:
  1. Go to Home > Important Items in the dashboard, or
  2. Navigate directly to dashboard.nexudus.com/dashboards/checkup
  3. Look for the Access Control Integration tile
  4. If there are errors, the tile will be displayed in red

What Gets Flagged

  • Authentication failures: Invalid credentials or connection errors
  • Provisioning errors: Failed attempts to create or update customer access
  • Configuration issues: Missing or invalid group mappings
  • Synchronization problems: Delays or failures in updating access permissions
Each error includes:
  • The customer affected
  • The nature of the problem
  • When the error occurred
  • Suggested actions to resolve it
Nexudus automatically retries failed operations. If errors persist, check the Business Checkup page for detailed information and follow the suggested resolution steps.

Auto-Disable on Authentication Failure

If Nexudus detects repeated authentication failures (invalid API token), the integration will be automatically disabled to prevent further errors. You’ll need to:
  1. Generate a new API token in your Kisi account
  2. Re-enable the integration in Settings > Integrations > Kisi
  3. Enter the new API token and save

Security Considerations

Data Shared with Kisi

When provisioning access, Nexudus shares the following information with Kisi:
  • Customer data: Full name, email address
  • External ID: None (users are looked up by email)
  • Notifications: Optional flag to send welcome emails from Kisi
Nexudus does not share:
  • Phone numbers
  • Billing information
  • Payment details
  • Contract specifics (only group assignments)
  • Personal notes or custom fields

Network Security

  • HTTPS encryption: All communication uses HTTPS (SSL/TLS)
  • Bearer token authentication: API token sent with each request via Authorization header
  • Rate limiting: Built-in rate limiting prevents API abuse (5 req/sec per org, 1 req/sec for events)
  • Integration identifiers: Nexudus identifies itself to Kisi via custom headers

Credential Management

  • No physical credentials: Kisi is mobile-first; no RFID cards or PINs
  • Email-based identity: Users are identified and managed by email address
  • Device logins: Mobile app access uses device-specific login tokens
  • User passwords: Never shared with Nexudus; authentication is handled by Kisi

Advanced Configuration

Notification Settings

Control whether Kisi sends notification emails to customers when they’re added to groups:
  • Setting: Kisi.Notify (business setting)
  • Default: false (no notifications)
  • When enabled: Kisi sends welcome emails and enables password login for customers
Enabling notifications allows customers to create Kisi app accounts with passwords. This may bypass your intended access control flow. Leave disabled unless you specifically want customers to manage their Kisi access independently.
Control whether customer email addresses should be linked for login:
  • Setting: Kisi.LinkEmail (business setting)
  • Default: false
  • When enabled: Customer email is used for Kisi login authentication

Place Filtering

If your Kisi account has multiple places, you can filter event processing to a specific place:
  • Setting: Kisi.CheckinPlaceId (business setting)
  • Default: Empty (process all places)
  • Format: Numeric place ID from Kisi
This is useful for multi-location businesses where each Nexudus location corresponds to a different Kisi place.

Rate Limiting Key

Kisi requires an organization identifier for rate limiting:
  • Setting: Kisi.RateLimitingKey (business setting)
  • Format: Organization identifier from Kisi
  • Purpose: Ensures API rate limits are applied correctly across distributed servers
This setting is automatically configured when you connect the integration. You typically don’t need to modify it manually.

Best Practices

Group Organization

Create groups in Kisi based on access levels, not products or plans:
  • Good: “24/7 Access”, “Business Hours”, “Meeting Rooms”, “Private Offices”
  • Avoid: “Hot Desk Plan”, “Dedicated Desk Plan” (these are billing products, not access types)
This approach lets you grant the same physical access through multiple plans.

Email Address Management

  • Ensure customer email addresses are accurate and lowercase
  • Kisi uses email as the primary identifier for users
  • Duplicate emails will cause conflicts; ensure each customer has a unique email
  • If a customer changes their email, update it in both Nexudus and Kisi

Booking Access Timing

  • Resource access is granted 15 minutes before booking start time
  • This lead time ensures customers can access the space even if they arrive early
  • Consider this timing when scheduling back-to-back bookings

Event Processing Optimization

  • Event processing runs approximately every 9 minutes
  • Don’t expect instant check-ins from door unlocks; allow up to 10 minutes
  • For time-sensitive scenarios, use manual check-in or other methods

Access Signature Optimization

Nexudus uses access signatures to avoid unnecessary API calls:
  • An access signature is a hash of all groups a customer should have access to
  • If the signature hasn’t changed, Nexudus skips the update
  • This optimization reduces API traffic and improves performance

Technical Details

API Architecture

  • Base URL: https://api.getkisi.com
  • Authentication: Bearer token (provided directly as API token from Kisi settings)
  • API Format: JSON REST API
  • Rate limiting:
    • 5 requests per second per organization
    • 1 request per second for /events endpoint
    • Enforced via semaphore-based rate limiter across multiple servers

Key Endpoints

  • Authentication:
    • POST /logins - Create device login for mobile app (used by Nexudus Passport)
  • Users:
    • GET /users?email={email} - Find users by email
    • POST /users - Create new user
    • PUT /users/{id} - Update user
    • DELETE /users/{id} - Delete user
  • Groups:
    • GET /groups - List all groups (with pagination)
  • Places:
    • GET /places - List all places
  • Locks:
    • GET /locks - List all locks (with pagination)
  • Role Assignments:
    • GET /role_assignments?user_id={userId} - List user’s group assignments
    • POST /role_assignments - Assign user to group
    • DELETE /role_assignments/{id} - Remove user from group
  • Events:
    • POST /events/sets - Create event set for processing
    • GET /events/sets/{id} - Retrieve event set results

User Model

{
  "id": 12345,
  "email": "customer@example.com",
  "name": "John Doe",
  "confirmed": true,
  "access_enabled": true,
  "password_flow_enabled": false,
  "otp_required_for_login": false,
  "groups_count": 2,
  "created_at": "2024-01-01T00:00:00Z",
  "updated_at": "2024-01-01T00:00:00Z"
}
Key fields:
  • confirmed: Whether user has verified their email (Nexudus sets to true)
  • access_enabled: Whether user can unlock doors (controlled by Nexudus)
  • password_flow_enabled: Whether user can log in with password (controlled by notification setting)

Role Assignment Model

{
  "id": 67890,
  "role_id": "group_basic",
  "group_id": 123,
  "user_id": 456,
  "notify": false
}
Key fields:
  • role_id: Always “group_basic” for standard group membership
  • group_id: The Kisi group ID
  • user_id: The Kisi user ID
  • notify: Whether to send notification emails

Group Model

{
  "id": 123,
  "name": "24/7 Building Access",
  "place_id": 789
}

Lock Model

{
  "id": 456,
  "name": "Main Entrance",
  "place_id": 789,
  "action": 0
}

Event Model

{
  "id": 11223344,
  "created_at": "2024-01-01T12:00:00Z",
  "actor_type": "User",
  "actor_id": 12345,
  "actor_name": "John Doe",
  "action": "unlock",
  "success": true,
  "object_id": 456,
  "references": [
    {"id": 789, "type": "Place"}
  ]
}
Key fields:
  • actor_id: Kisi user ID who performed the action
  • actor_name: Name of the user (used for logging)
  • object_id: Lock ID that was unlocked
  • success: Whether unlock was successful (only successful events processed for check-ins)

Business Settings Reference

SettingPurpose
Kisi.EnabledIntegration enabled flag (“true”/“false”)
Kisi.ApiTokenBearer token obtained from Kisi account settings
Kisi.RateLimitingKeyOrganization identifier for rate limiting
Kisi.NotifySend notification emails when adding users (“true”/“false”)
Kisi.LinkEmailLink email address for login (“true”/“false”)
Kisi.NoAccessBehaviourWhat to do when customer loses all access (“Suspend”/“Delete”)
Kisi.CheckinPlaceIdFilter events to specific place ID (optional)
Kisi.PendingEventSetIdID of event set being processed (internal state)
Kisi.LastEventDateLast processed event timestamp (ISO 8601)
Kisi.Controller.Id_{lockId}.ActionCheck-in action per lock (Nothing/CheckIn/CheckOut/Toggle)

Access Update Logic

  1. Passes: Active passes from contracts + shared passes from paying member
  2. Check-ins: Passes from open check-ins (maintains access during session)
  3. Bookings: Resources with bookings starting within 15 minutes
  4. Booking guests: Resources from bookings where customer is a visitor
  5. Groups: Aggregated list of unique group IDs from all sources
  6. Access signature: Hash of all group IDs to detect changes
  7. User provisioning: Create user if doesn’t exist (lookup by email)
  8. Role management: Add missing group assignments, remove revoked groups
  9. Status update: Enable access if groups exist, suspend/delete if no groups

Event Processing

  • Task frequency: Approximately every 9 minutes
  • Event sets: Kisi provides events in batches via event sets
  • Pagination: Uses cursor-based pagination for large result sets
  • Place filtering: Optional filtering by place ID
  • Success filter: Only successful unlock events trigger check-ins
  • Date tracking: Last event date stored to prevent reprocessing
  • Ambiguity resolution: If multiple customers have same email, uses heuristics to determine correct one
  • Check-in actions: Configurable per lock (check-in/check-out/toggle/nothing)

Error Handling

  • Authentication failures: Auto-disable integration and log error
  • User creation failures: Log error and raise domain event for Business Checkup
  • Rate limiting: Automatic retry with exponential backoff (up to 5 attempts)
  • Duplicate users: Automatically delete unconfirmed duplicates
  • Event processing errors: Log and continue with next event
  • Distributed locks: Prevent concurrent updates to same customer

Performance Optimization

  • Debouncing: 5-second debounce prevents rapid repeated updates for same customer
  • Access signatures: Skip API calls when access hasn’t changed
  • Rate limiting: Prevents API overload with semaphore-based limiting
  • Background processing: All access updates run in Hangfire background jobs
  • Distributed locking: Ensures single-threaded access per customer across servers

Integration Identifiers

Nexudus identifies itself to Kisi via custom headers:
  • X-Kisi-Integration-Identifier: “Nexudus”
  • X-Kisi-Integration-Contact: “support@nexudus.com
  • X-Kisi-Org-Identifier: Rate limiting key

Pagination Strategy

  • Collections: Use X-Collection-Range header for offset-based pagination
  • Events: Use x-next-cursor header for cursor-based pagination
  • Default limit: Kisi typically returns 100 items per page