Access API (current operation)

A project log for CarontePass: Open Access Control

CarontePass is an access control designed for collaborative spaces. Ideal for Hackerspaces, Makerspace, FabLabs, Hacklabs...

torehctorehc 03/27/2016 at 16:270 Comments

Here's how it works now, now asks username and password to access the info.

But I'm already working on a version with access token and under https.

By raising the project I thought many ways to do it, but the scalability thinking I was left with the option of that clients (doors) to be as "dumb / simple" possible.

To achieve this required a part of the powerful server, so I chose Django and ... How to have N doors? How to make it cheaper-single doors possible?

The easy thing would have been to put a guy Raspberry Pi computer-door, but that was not what I wanted (if it was the easiest).

The best option I found was to make an API, which could use different technologies to clients but to run only need an Internet connection to make inquiries.

How does it work now?

A web request to the url defined in Django project is:



  1. The client (a door) NFC reader reads and gets the tag.
  2. That tag puts it in "code" and makes the previous request.
  3. The server parses the url, receives the "code" and searches the table of "devices" where all tag IDs are stored.
  4. The tag is an associated usaurio so already has the identidicación.

Here is an example:


There are a user with Tag "123456" of the NFC type. Passing this NFC reader gets the Tag creates the url and makes the web request:


For the answer we will have to authenticate:


If you have access to the API devuleve following the Django framework REST:


Responds to the request in JSON format, we parser on the client to get the data that interests us.

For example, to activate the relay to open the door should be fixed in the "result" field. If the user meets the access requirements will result "True" and the relay will be activated.

Now security is not the maximum possible from my point of view, so I'm studying how to implement HTTPS.

Other forms of access

The project leaves open the possibility to add different forms of access.

One may be for Telegram, having the only Chatid each user could search for it using the "/ open" command Bot Telegram. I like it because it is a safe and smart way to enter a space with any device that has application without any extra hardware card carry any type NFC / RFID, etc ...