Access devices (QR)

Supported scanning solutions and setup steps for QR access validation in Settings.

What this section is for

Use Settings -> Access devices (QR) to register and manage the scanners or gates that are allowed to validate member entrance QR codes.

Each scanner gets a unique deviceId and deviceKey. Only active devices with valid credentials can validate access tokens.

Supported scanning solutions

Sessy supports scanning solutions that can perform an HTTPS POST request to the validation endpoint.

Supported today

Scanner apps or custom scanner software on phone/tablet/computer
QR-capable gate/turnstile controllers with HTTP(S) integration
Middleware or automation platforms that can call an HTTP endpoint

Required capabilities

Your solution must be able to:

Read the QR token value from the member app
Send a POST request to the validateUrl
Send headers:
- x-access-device-id
- x-access-device-key
Send JSON body with at least:
- token

No extra body fields are required for the standard setup.

Verified out-of-the-box examples (no middleware)

Below are reference combinations we validated against Sessy requirements.

iOS

Hardware: iPhone or iPad with camera
App: Apple Shortcuts (free, built-in)
Why this works: Shortcuts can scan a QR value and send a direct HTTP request to validateUrl with method/body options.

Android

Hardware: Android phone or tablet with camera and Google Play services
App: Automate (LlamaLab)
Why this works: Automate provides a barcode scan block and an HTTP request block with request headers/body.

Android handheld scanners

Hardware example: Zebra TC21/TC26
App: Automate (LlamaLab)
Why this works: TC21/TC26 provides camera-based barcode capture and runs Android apps.

Not out-of-the-box

Kisi and similar closed access ecosystems: Not out-of-the-box for this Sessy endpoint unless the setup can send custom headers (x-access-device-id, x-access-device-key) and JSON body directly.
If a product cannot send those fields directly, use middleware or a custom app layer.

How we verified compatibility

We only list solutions that match the required protocol capabilities:

QR value capture (scan)
HTTP POST support
Custom request headers support
JSON request body support

Documentation-verified hardware shortlist (not certified)

The list below is based on publicly available product documentation and is intended as a practical starting point for non-technical gyms.

It is not a certification list.

Rating guide

Installer complexity: Low / Medium / High (relative effort for a typical installer)
Subscription risk:
- None: hardware can run in local/API mode without mandatory cloud subscription
- Optional cloud: cloud platform may be offered but not strictly required for API-based setup
- Required cloud: vendor cloud is required for normal operation

A) QR terminal/controller shortlist (calls Sessy + controls relay)

Model	Documentation signals relevant to Sessy integration	Typical EU price band*	Installer complexity	Subscription risk
Civintec CT9 PRO	Vendor FAQ/product pages indicate HTTP/HTTPS support, QR scanning, online/offline mode, and embedded relay for lock/turnstile control.	€650-€1,200	Medium	Optional cloud
Civintec CT9 E	Vendor FAQ indicates HTTP/HTTPS support, QR scanning, online/offline mode, and embedded relay for lock/turnstile control.	€500-€950	Medium	Optional cloud
Civintec uTouch X	Product/news pages indicate open SDK/API positioning, relay output, TCP/IP/Wi-Fi/4G, and external device control options.	€700-€1,350	Medium-High	Optional cloud

B) Lock hardware shortlist (works from relay output, no app subscription)

Model	Why it is practical	Typical EU price band*	Installer complexity	Subscription risk
SECO-LARM E-941SA-600 (maglock)	12/24V maglock form factor commonly used with access relays; straightforward for single-door entrances.	€45-€120	Medium	None
SECO-LARM SD-995C-D3Q (electric strike)	12/24V fail-safe/fail-secure electric strike option; practical retrofit path for many doors.	€70-€180	Medium	None
ASSA ABLOY effeff 138 series (electric strike)	12V/24V options and fail-locked/fail-unlocked variants on EU channel; common installer familiarity.	€80-€220	Medium	None

C) Turnstile/gate shortlist (triggered by access controller input)

Model	Documentation signals relevant to Sessy integration	Typical EU price band*	Installer complexity	Subscription risk
ZKTeco TS1000 Pro Series	Pro series documentation/manual channel indicates integration with access control readers/controllers and dry-contact style control input in this family.	€700-€1,400	Medium-High	None
ZKTeco TS2000 Pro Series	Manual/product channel indicates single-lane tripod turnstile line used with access control controller input (dry-contact style in family manuals).	€900-€1,900	Medium-High	None
ZKTeco TS2200 Series	Product/manual channel positions it as integrated with access control readers/controllers for entrance control.	€1,000-€2,100	Medium-High	None

Low-friction starter bundles for non-technical customers

Single-door starter (lowest friction)
- CT9 E + electric strike (SD-995C class) + 12/24V PSU
- Best for studios with one entrance door
Turnstile starter (higher traffic)
- CT9 PRO + TS1000/TS2000 class tripod turnstile
- Best for gyms that want one-way controlled entry flow

* Price ranges are indicative only (excl. installer labor, wiring, PSU, and VAT unless explicitly included by seller) and based on distributor listings plus quote-based channels in EU markets; exact pricing depends on region, options, lead time, and installer package.

Reference docs:

Apple Shortcuts API requests (Get Contents of URL): https://support.apple.com/guide/shortcuts/request-your-first-api-apd58d46713f/ios
Automate barcode scanning: https://llamalab.com/automate/doc/block/barcode_scan.html
Automate HTTP request headers/body: https://llamalab.com/automate/doc/block/http_request.html
Zebra TC21/TC26 camera/device specs: https://www.zebra.com/us/en/products/spec-sheets/mobile-computers/handheld/tc21-tc26.html
Civintec CT9 PRO terminal page: https://www.civintec.com/ct9pro-access-control-terminal
Civintec CT9 PRO FAQ/product page: https://www.civintec.com/shop/ct9pro-mobile-access-door-entry-system
Civintec CT9 E FAQ: https://www.civintec.com/index.php?c=category&id=42
Civintec uTouch X terminal page: https://www.civintec.com/utouch-x-time-and-attendance-terminal
SECO-LARM E-941SA-600: https://www.seco-larm.com/product/e-941sa-600pq/
SECO-LARM SD-995C: https://www.seco-larm.com/product/sd-995c/
ASSA ABLOY effeff 138 series: https://www.abloy.com/gb/en/products/wired-locking/electric-strikes/standard/electric-strike-138-series
ZKTeco TS1000 Pro series: https://zkteco.eu/products/entrance-control/pedestrian-product/tripod-turnstile/ts1000-pro-series
ZKTeco TS2000 Pro series: https://zkteco.eu/products/entrance-control/pedestrian-product/tripod-turnstile/ts2000-pro-series
ZKTeco TS2200: https://zkteco.eu/products/entrance-control/pedestrian-product/tripod-turnstile/ts2200

Recommendation: always run a real pilot test at the entrance before going live (lighting, scan distance, network quality, mount position, and user flow can affect reliability).

Not supported (current scope)

Offline validation without internet connection
NFC-based member entrance validation (planned for a future phase)

Setup steps in Settings

Open Settings -> Access devices (QR)
Enter a device name (for example: Front Door Scanner)
Click Register
Save the shown credentials immediately:
- deviceId
- deviceKey (shown once)
- validateUrl
Configure your scanner/gate with these credentials
Keep the device active using the toggle in the device list

Validate your integration

In the same section you can use Validation endpoint tester:

Paste a scanned token
Enter deviceId and deviceKey
Click Run validation test
Check HTTP status and response body (allow and code)

iOS Shortcuts: complete test flow (with clear result output)

Use this if you want a practical scanner-like test on iPhone/iPad and a clean “allow/deny” result screen.

Before you start

Store these values from Settings -> Access devices (QR):

validateUrl
deviceId
deviceKey

Also make sure the member has a fresh QR token in the member app.

Build the shortcut

Create a new Shortcut, then add these actions in order:

Scan QR/Barcode
- This returns the token as text.
- Optional fallback: add Ask for Input (text) if you want to paste a token manually.
Text (JSON body)
- Set text to:
  1
  {"token":"[Scanned QR/Barcode]"}
- Insert the output variable from step 1.
Get Contents of URL
- URL: validateUrl
- Method: POST
- Request Body: JSON
- Headers:
  - Content-Type = application/json
  - x-access-device-id = your deviceId
  - x-access-device-key = your deviceKey
- Request Body value: output of step 2
Get Dictionary Value -> key allow
- Save as variable allow
Get Dictionary Value -> key code
- Save as variable code
Get Dictionary Value -> key locationId
- Save as variable locationId (optional display)

If (allow is true)

Add Text:

1
2
3
Access: ALLOW
Code: [code]
Location: [locationId]

Add Show Result

Otherwise
- Add Text:
  1 2
  Access: DENY Code: [code]
- Add Show Result

Optional: show the full JSON response for debugging

If you want to inspect all fields:

Right after Get Contents of URL, add Quick Look (or Show Result) for raw output.
Keep the allow/deny summary flow above for normal use.

Practical tips

QR tokens are short-lived, so scan/use quickly.
If tests fail unexpectedly, first verify device is active and linked locations are correct.
For same-phone testing (member app and scanner test on one device), pasting the token can be easier than camera scanning.

Monitor and operate

Use Recent access attempts to monitor successful and denied scans.

Recommended operational flow:

If a scanner is lost or compromised, disable it immediately
Register a new device and update the scanner credentials
Do not share device keys in public channels

Documentation