What is Tapkey

Tapkey is a cloud-based access control system allowing Users to manage access permissions to physical resources (houses, cars, delivery boxes, furniture, devices, etc.) in the cloud. Access is physically controlled via Tapkey-enabled locking devices. Each locking device belongs to exactly one Owner Account. An Owner Account typically has exactly one User who is the Owner and is allowed to manage the account's locking devices.

Permissions are stored in the Tapkey Trust Service. Owners will use a Tapkey management application, usually the Tapkey mobile application or the web-based Tapkey management portal, to manage access permissions. Access permissions are assigned to an Owner Account's Contacts, which are identified via their email addresses. Permissions can also be assigned to Access Cards which can be written using NFC-enabled smartphones.

Once a Contact has been granted an access permission, Tapkey takes care of delivering the corresponding access key to the respective User's smartphones. When the affected smartphones are online, Tapkey issues an individual key for each smartphone, based on the permissions described in the corresponding grant, and delivers the key to the User's smartphone. The User can then use this key to access the locking device they were granted access to.

When a Grant has been issued for an access card, Tapkey generates the corresponding key as soon as the card is synchronized. This usually happens by tapping the card with an NFC-enabled smartphone with the Tapkey mobile application installed. Tapkey then uses the smartphone and its Internet connectivity to deliver the key directly to the access card.

Tapkey locking devices are not connected to the Internet themselves but instead indirectly use the Internet connections of connecting smartphones. This implies that Tapkey cannot push changes to affected locks live, which is especially relevant when revoking keys. If a key has been revoked, Tapkey triggers several mechanisms to invalidate it, including:

  • Push notifications are sent to the relevant smartphones, requesting them to delete the corresponding key.
  • The keys are included in the affected locks' revocation lists, and the revocation lists are pushed to other smartphones, which will deliver them to the locks on the next contact. Once a lock receives a new revocation list, all keys listed in it are immediately considered invalid.
  • Smartphone-based keys always have a limited lifetime and therefore expire automatically.
  • Keys stored on access cards are deleted from these cards on the next contact.

More information about the revocation process can be found in the descriptions of the revocation-related endpoints below.

Tapkey locking devices maintain a log of certain events, such as unlocking. This log is read by smartphones on each contact with a locking device and in turn delivered to the Tapkey Trust Service. As the uplink via smartphones is potentially unreliable and might have significant latency, logs might arrive at the Tapkey Trust Service with significant delay and possibly out of order. However, even when entries arrive out of order, clients will still be able to display them in the correct order, based on their entry number. Nonetheless, certain entries might be missing in between and arrive at a later point in time.
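
The following added example (not Tapkey code and not part of the Tapkey API) shows how a client could reassemble one lock's log from out-of-order uploads, order it by entry number, and flag the ranges that have not arrived yet. The LockLog class, the (entry_number, event) tuple format and the assumption that entry numbers are consecutive integers per lock are hypothetical.

```python
"""Reassemble one lock's event log from out-of-order smartphone uploads.

Assumptions (not from the Tapkey API): entry numbers are consecutive integers
per lock, and each upload is a list of (entry_number, event) tuples.
"""
from dataclasses import dataclass, field


@dataclass
class LockLog:
    entries: dict = field(default_factory=dict)  # entry number -> event text

    def ingest(self, batch):
        """Merge an upload; return entry numbers whose content contradicts
        what was stored earlier (duplicates with equal content are ignored)."""
        conflicts = []
        for number, event in batch:
            if self.entries.setdefault(number, event) != event:
                conflicts.append(number)
        return conflicts

    def gaps(self):
        """Inclusive (first, last) ranges of entry numbers not yet received."""
        seen = sorted(self.entries)
        return [(a + 1, b - 1) for a, b in zip(seen, seen[1:]) if b - a > 1]

    def timeline(self):
        """Entries in entry-number order, with a marker where entries are missing."""
        out, expected = [], None
        for number in sorted(self.entries):
            if expected is not None and number > expected:
                out.append(f"<missing {expected}..{number - 1}>")
            out.append(f"{number}: {self.entries[number]}")
            expected = number + 1
        return out


def demo():
    log = LockLog()
    # Constructed sample uploads: phone B reaches the service before phone A.
    phone_b = [(7, "unlock"), (8, "unlock"), (9, "unlock")]
    phone_a = [(3, "unlock"), (4, "unlock"), (7, "unlock")]
    log.ingest(phone_b)
    log.ingest(phone_a)
    return log


if __name__ == "__main__":
    print("\n".join(demo().timeline()), demo().gaps())
```

Entries missing after the highest number seen so far cannot be detected this way, so an audit view should treat the tail of the log as provisional until a later contact confirms it.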