Already have HID, Kisi, Salto, or Brivo? We integrate.

Frontelio ships a generic AccessIntegration model with per-provider adapters. Each adapter handles the provider-specific authentication, door discovery, and webhook signature verification — once configured, doors from the external platform appear in your admin UI alongside Frontelio-native Zones, ready to map.

Today there are four adapters: Kisi (GA), and Salto, Brivo, HID Origo (all BETA). Latch is on the roadmap. The general configuration flow is the same across all providers; only the credentials and the webhook secret rotation policy differ.

General flow

Regardless of provider, you'll follow these steps in /admin/access → Integrations:

1. Mint credentials at the provider. Each one has its own way — API key, OAuth client, or webhook signing secret. Per-provider details below.
2. Click "Add integration"in the Frontelio UI. Pick the provider, paste the credentials, give the integration a display name (e.g. "Kisi - DIFC HQ").
3. Test connection. Click Test connection; we ping the provider's API and confirm credentials work.
4. Sync doors. Click Sync doors; we pull the list of doors the provider exposes for this account. You'll see them appear as "unmapped".
5. Map doors to Zones. For each external door, pick the Frontelio Zone it represents. From this point on, GRANT events from the provider flow into the Frontelio audit log tagged with the Zone.
6. Configure the webhook at the provider, using the URL + secret we generated. The provider will start POSTing access events to us in real time.

Kisi (GA)

Kisi is the most common Frontelio Access integration — cloud-native, well-documented API, and the team responds to support quickly. The adapter is GA (shipped in v1.24.0).

Credentials you need

• Kisi API key. Generate at app.getkisi.com → Account → Integrations → API keys. Choose a name like "Frontelio", give it read-doors + write-events scope, copy the key (shown once).
• Kisi organisation ID. Visible in the Kisi dashboard URL after sign-in, e.g. app.getkisi.com/organizations/12345 → ID is 12345.

Setup

1. In Frontelio: /admin/access → Integrations → Add → pick "Kisi". Paste the API key + organisation ID.
2. Copy the webhook URL and webhook secret we display.
3. In Kisi: Account → Webhooks → New webhook. Paste our URL. Paste our secret as the signing secret. Select events: access.granted, access.denied.
4. Back in Frontelio, click Sync doors. You'll see the Kisi doors appear. Map each to a Frontelio Zone.

From this point on, every Kisi tap shows up in /admin/access → Audit alongside your native phone-tap events.

Salto (BETA)

Salto KS / Salto Space are common in higher-end UAE hospitality and serviced offices. The adapter handles both — Salto's unified API exposes them through one endpoint.

Credentials you need

• Salto OAuth client ID and secret.Request from your Salto reseller — they need to enable "3rd-party integration" on your account. The credentials are an OAuth 2.0 client-credentials grant; we exchange them for a short-lived access token on every call.
• Site ID.Salto exposes one OAuth client per installation; if you have multiple sites you'll need a separate integration row in Frontelio per site.

Setup

1. In Frontelio: /admin/access → Integrations → Add → pick "Salto". Paste OAuth client ID, secret, site ID.
2. Configure the webhook in Salto. Salto's webhook UI lives at portal.saltoks.com → Integrations → Webhooks. Paste our URL and secret.
3. Sync doors; map to Zones. Same flow as Kisi.

Brivo (BETA)

Brivo OnAir is a US-rooted access platform with a presence in UAE retail and offices. The adapter is BETA.

Credentials you need

• Brivo API client ID and secret. Brivo issues these via their Developer Portal — you may need to file a ticket with Brivo support to enable third-party integration on your account.
• Brivo account ID. Visible at the top of every page in OnAir → Account.

Setup

1. In Frontelio: /admin/access → Integrations → Add → pick "Brivo". Paste the credentials.
2. Configure the webhook in Brivo. OnAir → System → Webhooks → New. Paste our URL + secret.
3. Sync doors; map to Zones.

HID Origo (BETA)

HID Origo is HID's cloud-managed credential platform — if you're already standardized on HID readers (common in enterprise UAE), this is the integration to use.

Credentials you need

• HID Origo organisation ID + API key. Issued via your HID partner account. HID treats the key as confidential; we store it AES-encrypted at rest.

Setup

1. In Frontelio: /admin/access → Integrations → Add → pick "HID Origo". Paste credentials.
2. Configure the webhook in HID Origo. The webhook URL lives at portal.hidglobal.com/origo → Integrations.
3. Sync doors; map to Zones.

Latch — coming soon

Latch is on the roadmap (multifamily-residential UAE is a growing segment, and Latch dominates that vertical in the US). Status: design complete, awaiting Latch's 2026 API revisions before we start implementation. Expected GA: Q4 2026.

If you're a Latch operator who wants to test an early build, email us — we'll bump it up the queue.

Inbound webhook receiver

Every integration in Frontelio exposes a unique inbound webhook URL. The contract:

POST https://api.frontelio.com/api/v1/access/webhooks/integ_abc123
Content-Type: application/json
X-Signature: hex-encoded HMAC-SHA256 of the raw body, keyed by
             the integration's webhookSecret

{
  ...provider-specific event payload...
}

We verify the signature first. On signature mismatch we drop the event and return 200 (we don't want to leak whether the integration exists to a probing attacker). On signature match we delegate to the adapter's parseWebhook method, which normalises the provider event into our internal AccessEvent shape and writes it to the audit log.

Next steps

• For greenfield deployments without existing readers, see the Reader bridge deployment guide.
• For wiring access events into your own systems, subscribe to webhook events at /admin/settings → Webhooks — separate from these inbound integrations.
• For everything else access-related, the /access API reference is the source of truth for the runtime endpoints.