# EntryBit > EntryBit (entrybit.net) is a cloud-managed physical access-control platform (SaaS) for businesses: door controllers and readers, real-time access-event monitoring (under 50 ms from badge tap to alert), visitor management, biometrics and 40+ integrations. Subscription cloud software paired with EntryBit hardware, installed by independent certified contractors. Notes for agents: - The site is bilingual: English at `/`, Hebrew at `/he-il/` with identical paths (e.g. `/he-il/pricing/`). - Canonical URLs always end with a trailing slash. - The legal documents' canonical text is currently Hebrew; English translations are pending. - Machine-readable sitemap: [sitemap-index.xml](https://entrybit.net/sitemap-index.xml). - Developer docs: every page is available as raw Markdown by appending `.md` to its URL (e.g. `https://entrybit.net/docs/oauth/token.md`). Full concatenated docs: [llms-full.txt](https://entrybit.net/llms-full.txt). OpenAPI 3.1 spec: [openapi.json](https://entrybit.net/openapi.json). ## Product - [Features](https://entrybit.net/features/): Platform capabilities — real-time event streaming, cloud dashboard, offline-first controllers, remote firmware updates. - [Pricing](https://entrybit.net/pricing/): Subscription plans (1/3/5/10-year terms) and volume pricing. - [Solutions](https://entrybit.net/solutions/): By department — reception & visitor management, sales, IT (SCIM 2.0 / SAML SSO), finance & audit. - [Integrations](https://entrybit.net/integrations/): Entra ID, Okta, Slack, Google Calendar, Microsoft Teams, PagerDuty, SendGrid, webhooks and a documented REST API. - [Security](https://entrybit.net/security/): AES-256 at rest, TLS 1.3 in transit, hash-chained audit logs, compliance practices. - [Credentials](https://entrybit.net/credentials/): Supported credential types — cards, PIN codes, mobile and biometrics. ## Company - [About](https://entrybit.net/about/): Who builds EntryBit and why. - [Careers](https://entrybit.net/careers/): Working at EntryBit — no open roles right now; when hiring resumes, roles are published there first. - [Contact](https://entrybit.net/contact/): Get in touch with sales or the team. - [Support](https://entrybit.net/support/): Customer support channels. - [FAQ](https://entrybit.net/faq/): Hardware compatibility, free trial, offline behavior, encryption, volume pricing. ## Developer docs EntryBit is an OAuth 2.0 / OpenID Connect provider with a Bearer-token REST API for guest passes and organization API keys. Start at [Introduction](https://entrybit.net/docs/get-started/introduction/). OpenAPI 3.1: [openapi.json](https://entrybit.net/openapi.json). ### Get started - [Introduction](https://entrybit.net/docs/get-started/introduction/): The EntryBit API lets your app sign users in with EntryBit, issue and manage guest passes, and integrate your backend — over OAuth 2.0 / OpenID Connect and a Bearer-token REST API. - [Authentication](https://entrybit.net/docs/get-started/authentication/): OAuth 2.0 signs in users; API keys authenticate servers. Which credential to use, what each looks like, and the one rule that keeps your secret key safe. - [Quickstart: Sign in with EntryBit](https://entrybit.net/docs/get-started/quickstart-react-native/): Add Sign in with EntryBit to a React Native (Expo) app in minutes — register a public client, run the PKCE flow with expo-auth-session, exchange the code, and call the API. ### OAuth 2.0 & OpenID Connect - [OAuth 2.0 & OpenID Connect](https://entrybit.net/docs/oauth/overview/): EntryBit is a full OAuth 2.0 authorization server and OpenID Connect provider — authorization-code flow with PKCE (S256) required for every client. The model, the flow, and the tokens you get. - [Register an app](https://entrybit.net/docs/oauth/register-an-app/): Self-service OAuth client registration in Settings → Team → OAuth apps: public vs confidential clients, the redirect-URI rules, post-logout URIs, scopes, and the one-time client secret. - [Scopes](https://entrybit.net/docs/oauth/scopes/): The permissions a token carries. User-consent scopes (openid, profile, email, offline_access, passes:*, invites:read) for OAuth apps, and org:* scopes for organization API keys. - [Authorize endpoint](https://entrybit.net/docs/oauth/authorize/): GET /api/oauth/authorize — begin the authorization-code flow. Parameters, the iss response parameter (RFC 9207), prompt and max_age, error redirects, and the open-redirect guard. - [Token endpoint](https://entrybit.net/docs/oauth/token/): POST /api/oauth/token — exchange an authorization code for tokens, or refresh them. Both grants, the request and response shapes, refresh-token rotation, and family revocation on replay. - [ID token & UserInfo](https://entrybit.net/docs/oauth/id-token-userinfo/): The id_token claims — including amr (how the user authenticated) and auth_time — and the UserInfo endpoint (GET|POST /api/oauth/userinfo) that returns scope-gated identity claims. - [Introspection & Revocation](https://entrybit.net/docs/oauth/introspection-revocation/): POST /api/oauth/introspect (RFC 7662, confidential clients, caller-bound) to check a token's state, and POST /api/oauth/revoke (RFC 7009) to kill a refresh-token family. Always returns 200. - [Logout](https://entrybit.net/docs/oauth/logout/): RP-initiated logout (GET|POST /api/oauth/logout) — end the user's EntryBit browser session with a verified id_token_hint, redirect to a registered post_logout_redirect_uri, and the forced-logout-CSRF defense. - [Discovery & JWKS](https://entrybit.net/docs/oauth/discovery-jwks/): The self-description documents: /.well-known/openid-configuration (OIDC Discovery + RFC 8414) and /.well-known/jwks.json (RS256 public keys). How to verify EntryBit tokens offline. ### API keys - [API keys](https://entrybit.net/docs/api-keys/overview/): Organization API keys (eb_sk_…) authenticate servers and SDKs acting as the whole organization. Org-scoped, least-privilege, shown once — and why they're stored as SHA-256, not Argon2id. - [Create & manage keys](https://entrybit.net/docs/api-keys/create-and-manage/): Mint an organization API key in Settings → API keys — name, scopes, optional expiry and IP allowlist — copy the one-time secret, and revoke keys you no longer need. Requires the org:api_keys permission. - [Authenticating requests](https://entrybit.net/docs/api-keys/authenticating/): Send an organization API key as Authorization: Bearer eb_sk_… (or X-API-Key), the 401/403 challenges you'll get, and the per-IP rate limit of 300 requests/minute. ### API reference - [Conventions](https://entrybit.net/docs/api-reference/conventions/): How the EntryBit REST API works across every endpoint: base URL, the two auth schemes, error envelopes, rate limits, and keyset pagination (limit / cursor / next_cursor / has_more / search). - [Passes](https://entrybit.net/docs/api-reference/passes/): The user-delegated guest-pass API: list, create, get, and revoke passes with an OAuth access token. Request bodies, response shapes, the passes:read / passes:write scopes, and 402 on quota. - [Invitations](https://entrybit.net/docs/api-reference/invitations/): GET /api/v1/invites — the pending organization invitations addressed to the signed-in user, matched by user id or email. Requires the invites:read scope. - [Organization API](https://entrybit.net/docs/api-reference/organization/): The key-authenticated /api/v1/org/* API for servers and SDKs acting as the whole organization: list/create/revoke any pass, and list facilities. Scopes org:passes:* and org:facilities:read. - [Errors](https://entrybit.net/docs/api-reference/errors/): The complete EntryBit error catalog: OAuth protocol codes, Bearer challenges (invalid_token / insufficient_scope), and business errors (400 / 402 / 404 / 409 / 429) — with how your app should react to each. - [Changelog](https://entrybit.net/docs/api-reference/changelog/): Dated changes to the EntryBit API — new endpoints, scopes, and behavior. Newest first. - [OpenAPI specification](https://entrybit.net/docs/api-reference/openapi/): The entire EntryBit API as a machine-readable OpenAPI 3.1 document — where to download it, and how to use it with Swagger UI, Redoc, and client-code generators. ### SDKs & tools - [Libraries & SDKs](https://entrybit.net/docs/resources/libraries/): EntryBit is a standard OAuth 2.0 / OpenID Connect provider with an OpenAPI-described REST API — so you can use a well-tested OAuth library on any platform today and generate a fully-typed API client from the spec. - [Postman & Insomnia](https://entrybit.net/docs/resources/postman/): Import EntryBit's OpenAPI spec into Postman or Insomnia for a ready-made collection of every endpoint — with request schemas, examples, and OAuth 2.0 / API-key auth pre-wired. - [LLMs & machine-readable docs](https://entrybit.net/docs/resources/tools/): EntryBit publishes its docs in LLM-friendly form: llms.txt and llms-full.txt for AI assistants, plus the raw Markdown source of every page by appending .md to its URL. ## Blog - [Access Control: How to Choose the Right System for Your Organization](https://entrybit.net/blog/choosing-the-right-access-control-system/): An access control system is far more than a door that opens with a card. Here's how to choose the right one for your organization — identification methods, integrations, cloud vs. on-premise, and what really matters before you decide. - [Why More and More Organizations Are Moving to Cloud-Based Access Control](https://entrybit.net/blog/why-organizations-move-to-cloud-access-control/): Managing access control no longer requires an on-site server and a technician for every change. These are the reasons organizations are moving to the cloud: control from anywhere, a system that keeps improving, and flexibility that grows with the organization. - [Before You Buy an Access Control System: 7 Questions Every Security Manager Should Ask](https://entrybit.net/blog/7-questions-before-buying-access-control/): An access control system is a multi-year commitment. Before you compare prices or specs, these are the seven questions that save you time, money, and hassle down the road. - [Why we built EntryBit — rethinking access control](https://entrybit.net/blog/why-we-built-entrybit/): The story behind a cloud-native take on physical access control — and why we think the category was long overdue for a rewrite. - [Scaling to 1,000 sites with zero downtime](https://entrybit.net/blog/scaling-to-1000-sites/): Cell-based architecture, blast radius containment, and offline resilience — how we scaled access control across four continents. - [Designing audit logs you can actually trust](https://entrybit.net/blog/designing-audit-logs/): How tamper-evident hash chains change incident response and what we learned implementing them in production. - [Visitor management: from lobby chaos to concierge](https://entrybit.net/blog/visitor-management-enterprise/): How modern visitor management transforms front-desk operations with pre-registration, digital NDA signing, auto-expiring badges, and lobby analytics. - [Mobile credentials: the end of the keycard](https://entrybit.net/blog/mobile-credentials/): What we learned shipping Apple Wallet and Google Wallet credentials to 50,000 users across 40 sites. - [Biometric access control and privacy: a guide](https://entrybit.net/blog/biometrics-privacy-gdpr/): A practitioner's guide to deploying face recognition and fingerprint readers while respecting biometric privacy regulations. - [Security from day one: trust baked into the stack](https://entrybit.net/blog/soc2-from-day-one/): How we built enterprise-grade security controls into our infrastructure from our first commit — and what we would do differently. - [Building real-time event streams at sub-50ms](https://entrybit.net/blog/realtime-event-streams/): A deep dive into our WebSocket architecture, back-pressure handling, and how we achieve consistent low latency. - [Hardware-agnostic access control matters](https://entrybit.net/blog/hardware-agnostic/): Why we refuse to lock customers into proprietary controllers — and what it took to support every major protocol. ## Legal - [Legal Policies](https://entrybit.net/legal/): Hub listing every legal document below. - [Accessibility Statement](https://entrybit.net/legal/accessibility/): Web/platform accessibility conformance (IS 5568 / WCAG AA), limitations and the accessibility coordinator contact. - [Account & Data Deletion Policy](https://entrybit.net/legal/deletion/): The right to erasure: how to request deletion, the step-by-step process, what is deleted vs. retained. - [Data Processing Agreement (DPA)](https://entrybit.net/legal/dpa/): Processor obligations, security measures and sub-processor terms for customer data (Hebrew canonical text). - [Privacy Policy](https://entrybit.net/legal/privacy/): What personal data is collected, how it is used and secured, and data-subject rights (Hebrew canonical text). - [Terms of Service](https://entrybit.net/legal/terms/): Binding terms for the site, platform and service (Hebrew canonical text; includes the accessibility statement and the account/data-deletion policy as sections 19-27 and 28-40). ## Optional - [Hebrew site](https://entrybit.net/he-il/): Full Hebrew mirror of every page above.