Skip to main content

UniFi Access Integration

Overview

UniFi Access is Ubiquiti’s enterprise door access control system that integrates with the broader UniFi IT management ecosystem. The Nexudus integration with UniFi Access automates credential provisioning and access policy assignments based on customer contracts, passes, bookings, and desk assignments.

Key Features

  • On-premises management: Deployed on your local network using UniFi infrastructure
  • Network Bridge connectivity: Secure communication through Nexudus Bridge (no port forwarding required)
  • Automatic provisioning: Access policies granted and revoked based on plan changes, bookings, and pass assignments
  • Multi-credential support: NFC cards, PIN codes, and mobile app access (UniFi Identity)
  • Policy-based permissions: Map your inventory (passes, resources, desks) to UniFi Access policies
  • Booking-based temporary access: Automatic access during reservation windows for booking holders and guests
  • Check-in session tracking: Maintains access during check-in sessions based on active time passes
  • Team billing support: Members of team billing groups receive access to all team resources
  • Shared passes: Team members automatically receive access from shared time passes
  • Mobile app support: Optional UniFi Identity app integration for smartphone-based door unlock

Integration Type

On-premise with Network Bridge — UniFi Access requires UniFi infrastructure (Dream Machine Pro, UniFi Cloud Key, or UniFi OS Console) at your location. Nexudus connects via the UniFi Access API using the Nexudus Network Bridge at https://bridge.nexudus.com/{device_id}/.

Capabilities

How It Works

Access Control Model

UniFi Access uses an access policy-based model to manage permissions:
  • Users represent individuals in the system (mapped to Nexudus customers)
  • Access Policies define collections of doors and resources that users can access
  • Credentials include NFC cards, PIN codes, and mobile app identities
  • Doors are individual access points managed by door controllers
  • Resources are doors, floors, or zones controlled by the access system
When a customer’s access needs change in Nexudus (e.g., they purchase a pass, book a resource, check in, or their contract renews), the integration automatically updates their user record in UniFi Access with the appropriate access policy assignments.

Access Calculation

The integration evaluates multiple sources to determine a customer’s access:
  1. Active Time Passes: All passes currently valid for the customer
  2. Shared Passes: Passes shared by paying member in team billing arrangements
  3. Check-in Sessions: Active check-ins maintain pass-based access for session duration
  4. Upcoming Bookings: Resources booked by customer (access granted 15 minutes early)
  5. Booking Guest Access: Resources where customer is added as a guest
  6. Contract Desks: Desks included in active contracts
  7. Team Billing Desks: Desks from paying member’s contracts for team members
All access policies from these sources are aggregated and applied to the customer’s UniFi Access user record.

Multi-Door Support

UniFi Access uses access policies to grant permissions to multiple doors and resources. Instead of mapping each door individually:
  1. In UniFi Access, create an access policy (e.g., “Coworking Space Access”, “Meeting Room Access”)
  2. Add the relevant doors and resources to that policy in UniFi Access
  3. In Nexudus, select that access policy from the dropdown when mapping your pass/resource/desk
  4. Customers with that pass automatically get access to all doors and resources in the policy
You must configure which doors belong to each access policy in the UniFi Access system. Nexudus assigns customers to policies by selecting from the available policies retrieved from your UniFi Access installation. The door-to-policy mapping is managed in UniFi Access.

Prerequisites

Before connecting Nexudus to UniFi Access, ensure you have:
  1. UniFi Access system deployed with administrator access:
    • UniFi Dream Machine Pro, Cloud Key, or UniFi OS Console
    • UniFi Access application installed and configured
    • At least one UniFi Access Hub connected
    • Door controllers and readers installed and online
  2. API credentials created in UniFi Access:
    • Local user account with API access permissions
    • API key generated for the user account
  3. Network Bridge installed and configured:
    • Nexudus Network Bridge agent running on your local network
    • Bridge device ID registered in your Nexudus dashboard
    • Bridge configured to forward requests to your UniFi Access API endpoint
  4. UniFi Access configured with:
    • Access policies created for different access levels (e.g., “Full Access”, “Meeting Rooms Only”)
    • Door controllers provisioned and online
    • Readers associated with doors
  5. Nexudus location configured with:
    • Plans, passes, and resources defined
    • Customers enrolled
The UniFi Access API is accessed through your local UniFi controller. The default API endpoint is typically https://[controller-ip]:12445 where [controller-ip] is the IP address of your UniFi Dream Machine Pro, Cloud Key, or Console. The Network Bridge will forward requests to this endpoint securely.

Configuration

Step 1: Set Up the Network Bridge

The UniFi Access integration requires the Nexudus Network Bridge to securely connect your on-premises UniFi infrastructure to Nexudus.
  1. Download and install the Network Bridge agent on a computer in your location’s network
  2. When the agent starts, it will display a unique Device ID
  3. Copy this Device ID — you’ll need it for both the bridge configuration and the UniFi Access integration settings
  4. In Nexudus, go to Settings → Devices and click Register Device
  5. Enter the Device ID to register the bridge
  6. Configure the bridge to point to your UniFi Access API endpoint (typically https://[controller-ip]:12445)
  7. Save the configuration and verify the bridge shows as “Connected”
Do not use a trailing slash in the UniFi Access API URL. The correct format is https://[controller-ip]:12445 (not https://[controller-ip]:12445/).

Step 2: Enable and Connect to UniFi Access

  1. In the Nexudus dashboard, go to Settings > Integrations
  2. Find UniFi Access in the list and expand the settings
  3. Enable the Enabled toggle
  4. Enter your connection details (fields appear when toggle is enabled):
    • API Key: Your UniFi Access API key (generated in UniFi Access console)
    • Bridge Device ID: The device ID from your Network Bridge installation (from Step 1)
  5. Click Save to establish the connection
  6. Once connected successfully, the configuration panels for passes, resources, and desks will load below
The connection URL is automatically constructed as https://bridge.nexudus.com/{DEVICE_ID}/ where {DEVICE_ID} is your Bridge device ID. The bridge agent forwards these requests to your local UniFi Access API.

Step 3: Configure Optional Features

After enabling the integration, configure optional features based on your needs:

PIN Code Synchronization

Enable Set PIN based on customer Pincode if you want Nexudus to synchronize customer PIN codes to UniFi Access:
  • When enabled, the first 4 digits of the customer’s Access Pincode field are synced to UniFi Access
  • Customers can then use their PIN to unlock doors (if your UniFi Access readers support PIN entry)
  • PINs are updated automatically when changed in the customer’s Nexudus profile
  • If a customer’s pincode is shorter than 4 digits or empty, their UniFi Access PIN is cleared

UniFi Identity Mobile App

Enable Send UniFi Identity invite email to new customers to automatically invite customers to use the UniFi Identity mobile app:
  • When enabled, new users created in UniFi Access receive an email invitation to download the UniFi Identity app
  • Customers can then use their smartphone to unlock doors without physical credentials
  • The invitation includes instructions for downloading the app and completing setup
  • This feature requires the UniFi Identity service to be enabled in your UniFi Access system
The UniFi Identity invitation sends an email directly from the UniFi Access system (not from Nexudus). Ensure your UniFi Access email settings are configured correctly, or customers may not receive the invitation.

Step 4: Map Passes to Access Policies

Passes are the primary way customers receive access in Nexudus. Each pass can be mapped to one or more UniFi Access policies.
  1. In the Passes section, you’ll see all passes configured for this location
  2. For each pass, select one or more UniFi Access policies from the dropdown menu
    • The dropdown shows all access policies available in your connected UniFi Access system
    • Policies are automatically retrieved when you save the connection settings
    • You can select multiple policies for a single pass
  3. Leave blank if a pass should not grant physical access
How it works:
  • When a customer has an active contract on a plan that includes passes, they automatically receive those passes
  • If the pass is mapped to UniFi Access policies, the customer is granted access to those policies
  • When the pass expires or is consumed, access is revoked
  • Time-limited passes (e.g., day passes with validity windows) automatically grant and revoke access at the appropriate times
Example mapping:
Access policies are automatically retrieved from your UniFi Access system. If you don’t see a policy in the dropdown, verify it exists in UniFi Access and re-save your connection settings to refresh the list.
Plans are not directly mapped to access policies. Instead:
  1. Plans include passes via the plan configuration
  2. Passes are what get mapped to access policies (selected from dropdown)
  3. When a customer starts a contract on a plan, they receive the passes included in that plan
  4. Those passes then grant the associated UniFi Access permissions

Step 5: Map Resources to Access Policies

Resources (meeting rooms, event spaces, etc.) can require specific access permissions for bookings.
  1. In the Resources section, you’ll see all resources configured for this location
  2. For each resource, select one or more UniFi Access policies from the dropdown menu
  3. Leave blank if resource bookings should not grant physical access
How it works:
  • When a customer books a resource, Nexudus grants them access 15 minutes before the booking starts
  • Access is automatically revoked when the booking ends
  • If the booking is cancelled, access is removed immediately
  • Booking guests also receive access to the resource’s policies during the booking window
Example mapping:
Resource-based access is temporary and booking-specific. A customer only receives access during their booking window, even if they don’t hold a general access pass.

Step 6: Map Desks/Units to Access Policies

Floor plan desks and units can grant access to specific areas when included in a customer’s contract.
  1. In the Desks/Units section, you’ll see all desks from your floor plans
  2. For each desk, select one or more UniFi Access policies from the dropdown menu
  3. Leave blank if desk assignments should not grant physical access
How it works:
  • When a desk is added to a customer’s contract, they receive access to the mapped policies
  • Access is granted when the contract starts and revoked when it ends
  • Team billing support: If a customer uses team billing (merged billing), they also receive access to desks included in the paying member’s contracts
Example mapping:
Desk access is based on contract assignments, not direct desk bookings. Customers must have the desk included in an active contract to receive access. Ad-hoc desk bookings (if using desk booking) do not automatically grant UniFi Access access.

Step 7: Save Configuration

  1. Review all mappings to ensure they’re correct
  2. Verify policy names match exactly with your UniFi Access system
  3. Click Save to apply the configuration
  4. Nexudus will immediately start provisioning access for customers based on the new mappings

How Access is Managed

When Access is Granted

Nexudus automatically grants UniFi Access permissions when:
  1. Contract starts: Customer begins a contract on a plan → receives passes included in that plan → assigned to corresponding UniFi Access policies
  2. Pass activated: Customer receives a pass directly (not via a contract) → assigned to the mapped UniFi Access policies
  3. Check-in created: Customer checks in with a time pass → maintains access to pass policies for the duration of the check-in session
  4. Booking created: Customer books a resource → granted access to resource’s policies 15 minutes before booking start time
  5. Booking guest added: Customer is added as a guest on a booking → granted access to resource’s policies during the booking window
  6. Desk added to contract: Desk is added to an active contract → customer receives access to the desk’s mapped policies
  7. Team member access: Paying member’s team receives access to all policies from paying member’s passes and desks
  8. Shared passes: Team members receive access from shared passes of their paying member

When Access is Revoked

Nexudus automatically revokes UniFi Access permissions when:
  1. Contract ends or cancelled: Customer loses passes from that contract → removed from corresponding UniFi Access policies
  2. Pass expires: Pass validity ends or usage is consumed → removed from mapped UniFi Access policies
  3. Check-in ends: Customer checks out or check-in session expires → pass-based access is re-evaluated
  4. Booking ends or cancelled: Booking time expires or is cancelled → access to resource’s policies is removed
  5. Booking guest removed: Customer is removed as a guest from a booking → access to resource’s policies is revoked
  6. Desk removed from contract: Desk is removed from contract → access to desk’s policies is revoked
  7. Customer deactivated: Customer account is deactivated → all UniFi Access permissions removed

Access Update Timing

  • Immediate updates: Contract changes, pass assignments, and customer deactivations trigger access updates within seconds
  • Booking lead time: Booking access is granted 15 minutes before the booking start time
  • Background processing: Access updates are queued in background jobs to handle high volumes efficiently
  • Distributed locking: Prevents concurrent updates to the same customer across multiple servers
  • Debouncing: 5-second debounce prevents rapid repeated updates for the same customer
  • Automatic retries: Failed updates are automatically retried with exponential backoff
If a customer should have access but doesn’t, the system automatically retries access provisioning up to 5 times. Check the Business Checkup page for any integration errors.

Credential Management

UniFi Access supports multiple credential types that customers can use to unlock doors. You can configure which types are enabled for your integration.

NFC Cards

To assign NFC access cards to customers:
  1. Go to Operations > Customers
  2. Select the customer
  3. In their profile, enter card IDs in the Access Card ID field
  4. Separate multiple cards with commas: 1234567890,0987654321,1122334455
  5. Save the customer profile
Card behavior:
  • No card: User exists in UniFi Access but cannot unlock doors with a physical card
  • Card assigned: Customer can use NFC card to unlock doors
  • Card removed: Physical access via that card is revoked (user remains in system)
  • Multiple cards: Customer can have multiple cards assigned simultaneously
Card format:
  • Card IDs must match the format used by your UniFi Access system
  • Common formats include: Facility Code + Card Number, or raw card number
  • Cards can be identified by their Display ID or Alias in UniFi Access
  • The integration searches for matching cards by both fields
Cards must first exist in your UniFi Access system (either enrolled manually or automatically detected by readers). Nexudus assigns existing cards to users but does not create new card records.

PIN Codes

If you enable Set PIN based on customer Pincode, customers can unlock doors using a PIN:
  1. Go to Operations > Customers
  2. Select the customer
  3. Enter a PIN in the Access Pincode field (at least 4 digits)
  4. Save the customer profile
PIN behavior:
  • Only the first 4 digits are synchronized to UniFi Access
  • PINs are updated automatically when changed in Nexudus
  • If the pincode is shorter than 4 digits or cleared, the UniFi Access PIN is removed
  • PINs only work if your door readers support PIN entry

Mobile App (UniFi Identity)

If you enable Send UniFi Identity invite email, customers can use the UniFi Identity mobile app:
  1. When a new user is created in UniFi Access, they automatically receive an email invitation
  2. The customer downloads the UniFi Identity app (iOS/Android)
  3. They follow the setup instructions in the invitation email
  4. Once configured, they can unlock doors using their smartphone via Bluetooth or QR code
Mobile app requirements:
  • UniFi Identity service must be enabled in your UniFi Access system
  • Email settings must be configured in UniFi Access
  • Customers need a smartphone with Bluetooth or camera (for QR code)
  • Readers must support Bluetooth or QR code unlock
Mobile app invitations are sent by UniFi Access, not Nexudus. Ensure your UniFi Access email configuration is working before enabling this feature.

Remote Door Unlock

Customers can unlock doors remotely through the Nexudus Members Passport App without needing to be physically present at the door.

How It Works

  1. Customer logs in to the Members Portal (web or mobile app)
  2. Views available doors - Only doors they have permission to access are shown
  3. Selects a door and taps “Unlock”
  4. Door unlocks immediately - The system triggers the UniFi Access door controller to unlock
  5. Confirmation displayed - Customer sees success or error message

Requirements

  • Customer must have active access permissions to the door (via passes, bookings, or desk assignments)
  • Customer must be logged in to the Members Portal
  • The door must be online and reachable by UniFi Access controllers
  • Network Bridge must be running and connected

Access Verification

Before unlocking a door, the system verifies:
  • The customer has at least one access policy that grants access to the requested door
  • The customer’s account is active
  • The door exists in the customer’s list of accessible doors
If verification fails, the unlock request is denied with an “Access Denied” message.

Use Cases

  • Letting in deliveries: Customer can unlock the front door for a delivery person without leaving their desk
  • Early arrival: Customer can unlock doors before physically arriving at the space
  • Remote assistance: Staff can help customers who are locked out by unlocking doors remotely
  • Guest access: Customer can unlock doors for guests they’re expecting
Remote unlock requires the same permissions as physical access. Customers can only unlock doors they would be able to access with their NFC card, PIN, or mobile app.
Remote unlock bypasses physical presence verification. Consider your security policies when enabling this feature. Doors unlock immediately without requiring the customer to be at the door location.

Troubleshooting

Possible causes:
  1. Pass not mapped: The passes included in the customer’s plan are not mapped to any UniFi Access policies
    • Solution: Go to Settings > Integrations > UniFi Access and select policies for the relevant passes
  2. Policy no longer exists: The selected policy was deleted from UniFi Access
    • Solution: Select a different policy or recreate the policy in UniFi Access, then refresh the integration
  3. Pass expired or inactive: The customer’s pass has expired or hasn’t started yet
    • Solution: Check the customer’s passes under their profile to verify validity windows
  4. User not created: The customer wasn’t created in UniFi Access
    • Solution: Check the Business Checkup page for integration errors, or manually trigger an update by editing and saving the customer’s profile
  5. Policy permissions: The UniFi Access policy exists but isn’t assigned to any doors/resources
    • Solution: In UniFi Access, verify the policy includes the correct doors and resources
  6. No credentials assigned: Customer exists in UniFi Access but has no credentials (NFC card, PIN, or mobile app)
    • Solution: Assign an NFC card in the customer’s Access Card ID field, or enable PIN/mobile app features
  7. Network connectivity: Nexudus cannot reach your UniFi Access system
    • Solution: Check Network Bridge status, verify the bridge is running and connected
  8. Customer inactive: Customer account is deactivated in Nexudus
    • Solution: UniFi Access automatically deactivates users when their customer account is inactive. Reactivate the customer in Nexudus.
  9. Access signature unchanged: Recent changes haven’t triggered an update
    • Solution: Edit and save the customer’s profile to force a synchronization
Possible causes:
  1. Resource not mapped: The booked resource is not mapped to any UniFi Access policies
    • Solution: Select policies for the resource in Settings > Integrations > UniFi Access
  2. Booking too far in future: Access is only granted 15 minutes before booking start time
    • Solution: Wait until booking is within 15 minutes of start time
  3. Booking not confirmed: Some resources require booking confirmation
    • Solution: Confirm the booking if it’s in pending state
  4. No credentials assigned: Customer has no credentials to use (no card, PIN, or mobile app)
    • Solution: Assign at least one credential type to the customer’s profile
  5. Booking cancelled: Access is immediately removed when bookings are cancelled
    • Solution: Verify the booking is still active and not cancelled
Possible causes:
  1. Card doesn’t exist in UniFi Access: Card must be enrolled in UniFi Access first
    • Solution: Either manually enroll the card in UniFi Access, or present it to a reader to auto-enroll (if enabled)
  2. Card ID format mismatch: Card ID entered in Nexudus doesn’t match the Display ID or Alias in UniFi Access
    • Solution: Check the card’s Display ID and Alias in UniFi Access, and use the exact format in the customer’s Access Card ID field
  3. Card not synced: Recent card changes haven’t been synced to UniFi Access
    • Solution: Wait a few minutes for sync, or manually trigger by editing and saving the customer profile
  4. Card already assigned: The card is assigned to a different user in UniFi Access
    • Solution: Remove the card from the other user in UniFi Access first, or use a different card
  5. User inactive: Customer’s user account is inactive in UniFi Access (due to no active passes/contracts)
    • Solution: Verify customer has active passes or contracts that grant access
  6. Reader issue: Physical hardware problem
    • Solution: Test cards on different readers to isolate hardware issues
Possible causes:
  1. Network Bridge not running: The bridge agent is offline or not configured
    • Solution: Verify the Bridge Agent is running on your local network and shows as connected
  2. Bridge not pointing to UniFi Access: Bridge is configured but not forwarding to the correct endpoint
    • Solution: Check the bridge configuration — it should point to https://[controller-ip]:12445
  3. Invalid API key: API key is incorrect or expired
    • Solution: Generate a new API key in UniFi Access and update the integration settings
  4. API access disabled: The UniFi Access API is not enabled
    • Solution: Enable API access in your UniFi Access controller settings
  5. Incorrect device ID: Bridge device ID entered in integration settings doesn’t match registered bridge
    • Solution: Verify the device ID matches the one from your Network Bridge installation
  6. SSL certificate issues: Certificate validation failing
    • Solution: Ensure the UniFi Access controller has valid SSL certificates
  7. UniFi Access service not running: The access control service is offline
    • Solution: Restart the UniFi Access application or controller
  8. Network firewall: Local firewall blocking bridge agent from reaching UniFi Access API
    • Solution: Ensure the computer running the bridge can access the UniFi controller on the API port
Possible causes:
  1. Policy deleted: Policy was selected but has since been deleted from UniFi Access
    • Solution: Recreate the policy in UniFi Access or select a different policy in Nexudus
  2. Stale policy list: Available policies not refreshed after changes in UniFi Access
    • Solution: Re-save your connection settings to refresh the policy list from UniFi Access
  3. API permissions: UniFi Access API user doesn’t have permission to modify user assignments
    • Solution: Ensure the API user has administrative permissions in UniFi Access
  4. Background job delay: Updates are queued but not yet processed
    • Solution: Wait a few minutes for background jobs to process
  5. Debounce delay: Multiple rapid changes are being debounced
    • Solution: Wait 5 seconds after the last change for the update to process
  6. Distributed lock contention: Another server is updating the same customer
    • Solution: Wait for the other update to complete (usually a few seconds)
Possible causes:
  1. Feature not enabled: PIN code sync feature is disabled
    • Solution: Enable “Set PIN based on customer Pincode” in integration settings
  2. PIN too short: PIN code in customer profile is less than 4 digits
    • Solution: Enter a PIN with at least 4 digits (only first 4 are used)
  3. Reader doesn’t support PIN: Door readers don’t have PIN entry capability
    • Solution: Verify your UniFi Access readers support PIN entry, or use NFC cards instead
  4. User not created: Customer doesn’t exist in UniFi Access yet
    • Solution: Ensure customer has active passes or contracts that create them in UniFi Access
Possible causes:
  1. Feature not enabled: UniFi Identity invite feature is disabled
    • Solution: Enable “Send UniFi Identity invite email to new customers” in integration settings
  2. Email not configured: UniFi Access email settings are not configured or invalid
    • Solution: Configure SMTP settings in your UniFi Access controller
  3. User already exists: Invites are only sent for newly created users
    • Solution: Manually send an invite from the UniFi Access console for existing users
  4. UniFi Identity disabled: UniFi Identity service is not enabled in UniFi Access
    • Solution: Enable the UniFi Identity service in your UniFi Access settings
  5. Spam filter: Invitation email was caught by spam filter
    • Solution: Check customer’s spam/junk folder, or whitelist UniFi Access email address
Possible causes:
  1. Customer lacks access permissions: Customer doesn’t have an active pass, booking, or desk assignment that grants access to the door
    • Solution: Verify customer has active passes or bookings that map to access policies including the door
  2. Door offline: UniFi Access controller or door reader is offline
    • Solution: Check UniFi Access controller status and verify door controllers are online
  3. Network Bridge down: Bridge agent is not running or not connected
    • Solution: Verify Network Bridge status and restart if necessary
  4. Door not in access policy: The door isn’t included in any of the customer’s access policies
    • Solution: Check the access policy configuration in UniFi Access and ensure the door is added to relevant policies
  5. Customer account inactive: Customer’s Nexudus account is deactivated
    • Solution: Reactivate the customer account in Nexudus
  6. Door ID mismatch: The door ID in the unlock request doesn’t match any doors in UniFi Access
    • Solution: This is typically a system issue; contact Nexudus support if persists
  7. API permissions: UniFi Access API user doesn’t have permission to unlock doors
    • Solution: Verify the API user has administrative permissions in UniFi Access

Monitoring Integration Errors

Nexudus monitors your access control integration and alerts you to any issues that need attention.

Business Checkup Dashboard

Access control integration errors are displayed on the Business Checkup page:
  1. Go to Home > Important Items in the dashboard, or
  2. Navigate directly to dashboard.nexudus.com/dashboards/checkup
  3. Look for the Access Control Integration tile
  4. If there are errors, the tile will be displayed in red

What Gets Flagged

  • Authentication failures: Invalid API key or connection errors
  • Provisioning errors: Failed attempts to create or update customer access
  • Configuration issues: Missing or invalid policy mappings
  • Network connectivity: Connection timeouts or unreachable bridge
  • API errors: Errors returned by the UniFi Access API
Each error includes:
  • The customer affected
  • The nature of the problem
  • When the error occurred
  • Suggested actions to resolve it
Nexudus automatically retries failed operations up to 5 times with exponential backoff (15-second delays). If errors persist after retries, they appear on the Business Checkup page.

Security Considerations

Data Shared with UniFi Access

When provisioning access, Nexudus shares the following information with UniFi Access:
  • Customer data: First name, last name, email address
  • Employee number: Nexudus customer ID (stored in the Employee Number field for reference)
  • NFC cards: Card tokens from the Access Card ID field (assigned to user)
  • PIN codes: First 4 digits of Access Pincode (if PIN sync enabled)
Nexudus does not share:
  • Phone numbers
  • Billing information
  • Payment details
  • Contract specifics (only policy assignments)
  • Personal notes or custom fields

Network Security

  • HTTPS encryption: All communication uses HTTPS (SSL/TLS)
  • Bearer token authentication: Secure API authentication using API keys
  • On-premises control: Your UniFi Access system remains on your local network
  • Network Bridge security: All traffic is encrypted through secure tunnel with no inbound firewall ports required
  • No port forwarding: Unlike direct API access, the Network Bridge eliminates the need for exposing your network
The Network Bridge is required for UniFi Access integration and provides enhanced security by creating an outbound-only encrypted tunnel. See the Network Bridge documentation for complete security details.

Credential Management

  • NFC cards: Managed in both Nexudus and UniFi Access; always assign through Nexudus
  • PIN codes: Synced from Nexudus to UniFi Access when feature is enabled
  • Mobile app: Provisioned by UniFi Access after Nexudus creates the user
  • Credential isolation: Customers can only access doors permitted by their assigned policies
  • Automatic deactivation: Credentials become inactive when customer account is deactivated

Privacy Considerations

  • Customer data is only sent to your on-premises UniFi Access system (not to external services)
  • Access logs remain in your UniFi Access system under your control
  • Mobile app invitations are sent by your UniFi Access system using your SMTP settings
  • No customer data is shared with Ubiquiti cloud services without your explicit configuration

Best Practices

Policy Organization

  • Create granular policies: Use separate policies for different access levels (24/7 vs business hours, full access vs meeting rooms only)
  • Use descriptive names: Name policies clearly (e.g., “24/7 Full Building”, “Business Hours Meeting Rooms”)
  • Test before production: Create test passes and verify door access before rolling out to customers
  • Document mappings: Keep a record of which passes/resources map to which policies

Credential Management

  • Prefer mobile app: Enable UniFi Identity invites for a better customer experience (no physical cards to manage)
  • Use consistent card IDs: Establish a standard format for entering card IDs (Display ID vs Alias)
  • PIN codes for convenience: Enable PIN sync for customers who need quick access without carrying cards
  • Multiple credentials: Assign both card and PIN as backup options

Access Policy Design

  • Group similar permissions: Create policies that group doors customers need together (avoid creating a policy per door)
  • Separate by time: Use different policies for 24/7 access vs business hours (managed in UniFi Access policy schedules)
  • Balance security and convenience: Don’t grant more access than necessary, but avoid creating too many complex policies

Booking Access

  • 15-minute buffer: Remember that booking access starts 15 minutes early — consider this when booking back-to-back resources
  • Clear policy naming: Make it obvious which resources require which access (helps when troubleshooting)
  • Test guest access: Verify booking guests receive proper access during their booking windows

Team Billing

  • Consistent desk policies: Ensure all desks used by a team have the same access policies
  • Test paying member access: Verify team members receive all access from the paying member’s passes and desks
  • Document team access: Make it clear in your plans which desks/passes grant which access

Monitoring

  • Check Business Checkup regularly: Review integration errors at least weekly
  • Test new configurations: When adding new passes/resources, test with a test customer first
  • Monitor UniFi Access logs: Check UniFi Access audit logs for denied access attempts
  • Keep bridge running: Ensure the Network Bridge agent runs as a Windows service for reliability
Always test access changes with a test customer before applying to production. Create a test pass, assign it to a test customer, and verify they can unlock the expected doors.

Additional Resources

For additional support with the UniFi Access integration, contact Nexudus support at support@nexudus.com or through the dashboard help widget.