Offline support

Should your space lose internet access, Kisi supports three fallback mechanisms for unlocking doors or elevators:

  1. Offline cache on the Kisi reader: with offline caching for credentials, Kisi allows users to unlock doors even without internet connectivity.
  2. Offline cache on the Kisi controller: similar to option 1, but designed to work with legacy readers connected to Kisi controllers.
  3. Offline cache on the phone: with mobile data enabled on your phone, the Kisi reader will receive a certificate from your phone through Bluetooth or NFC to unlock the door.

Offline cache on the Kisi reader

With offline cache (also "edge cache") on the reader, access rights are cached on Kisi readers based on recent usage patterns. The Kisi reader will use these cached access rights before attempting to call the Kisi cloud. If the user is in the cache, an internet connection is not required. Currently, a reader's offline cache can cover internet outages for up to 36 hours, but this will be increased in future updates.


  • Kisi Reader with the user(s) in its cache
  • An up-to-date version of the Kisi app on the user's phone

An important technical detail for integration partners: The Kisi app will request a user-identifying certificate from the API and automatically renew it at regular intervals. It remains valid for a minimum of 14 days upon renewal.

Key features

  • Fully encrypted and authenticated offline support for both cards and phones, simultaneously assuring the confidentiality and authenticity of access rights.
  • High memory and bandwidth efficiency, caching up to 1000 access rights and up to 250 groups in less than 0.2 megabytes
  • Near real-time updates of changed credentials by synchronizing with the reader cache within minutes.
  • Fully supported on Wiegand-enabled third-party readers

Networking protocols

Kisi controllers and readers will send messages over the local network using the User Datagram Protocol (UDP) port 62435 for accessing doors, updating the state and more.

  • Offline cache is always active, whether the reader is online or offline.
  • Offline cache works with both Wi-Fi and Ethernet connections, as long as the controllers and readers are on the same network. To verify that controllers and readers that share the same doors are on the same network, note their IP addresses and subnet masks. Calculate the network prefix of the IP addresses. For the devices to be on the same network, the prefixes must be identical.
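The prefix check described above can be scripted for a whole site. This is an added example, not Kisi's code or tooling: the inventory rows, door names and device names are constructed sample data, and the helper names `network_prefix` and `check_doors` are hypothetical.

```python
import ipaddress
from collections import defaultdict

# Constructed sample inventory (not real devices):
# (door, device, IPv4 address, subnet mask) as noted from each device.
SAMPLE_INVENTORY = [
    ("Front door", "controller-1", "192.168.10.20", "255.255.255.0"),
    ("Front door", "reader-1", "192.168.10.57", "255.255.255.0"),
    ("Server room", "controller-2", "10.0.4.12", "255.255.254.0"),
    ("Server room", "reader-2", "10.0.5.200", "255.255.254.0"),
    ("Loading dock", "controller-3", "172.16.1.10", "255.255.255.0"),
    ("Loading dock", "reader-3", "172.16.2.10", "255.255.255.0"),
    ("Lobby", "controller-4", "192.168.20.5", "255.255.255.0"),
    ("Lobby", "reader-4", "192.168.20.130", "255.255.255.128"),
]


def network_prefix(ip: str, mask: str) -> ipaddress.IPv4Network:
    """Return the network prefix the address belongs to under the given mask."""
    # strict=False accepts a host address and masks off the host bits.
    return ipaddress.IPv4Network(f"{ip}/{mask}", strict=False)


def check_doors(inventory):
    """Group devices by door and report doors whose devices differ in prefix.

    Returns {door: {prefix: [device, ...]}} for mismatched doors only.
    A differing subnet mask counts as a mismatch, because the resulting
    prefixes are not identical even when the addresses look adjacent.
    """
    by_door = defaultdict(lambda: defaultdict(list))
    for door, device, ip, mask in inventory:
        by_door[door][str(network_prefix(ip, mask))].append(device)
    return {door: dict(p) for door, p in by_door.items() if len(p) > 1}


if __name__ == "__main__":
    for door, prefixes in check_doors(SAMPLE_INVENTORY).items():
        print(f"MISMATCH {door}:")
        for prefix, devices in prefixes.items():
            print(f"  {prefix}: {', '.join(devices)}")
```

In the sample data, "Server room" passes because both addresses fall in 10.0.4.0/23, while "Lobby" is flagged because the reader's /25 mask gives it a different prefix from the controller's /24.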

Supported unlock methods

Status indicators

When no interaction is ongoing:

  • Blue (Reader Pro 1.0) / White (Reader Pro 2.0): the reader is ready to process an unlock (whether connected to the internet or not)
  • Red: the reader is offline and cannot reach the controller

When an access attempt is ongoing:

  • Blinking red: the credential presented cannot be authorized, either because the user does not have access (when the device is online), or because the user is not in the offline cache (when the device is offline)
  • Green: access granted

Offline cache for third-party readers

In the landlord scenario with mobile and physical credentials, access rights are cached on the Kisi controller, allowing offline access. Following the approach of the Kisi reader, a Kisi controller's offline cache is built based on recent usage patterns. The Kisi controller will use these cached access rights before sending an unlock request to the legacy controller.

In this scenario, offline cache only covers unlocks with physical credentials.

Offline cache on the phone

  • Offline cache on the phone works in parallel with the offline cache on the Kisi reader.
  • If at least one of the offline caches grants access, offline access is possible.
  • Offline cache on the phone does not work with third-party readers, as these cannot communicate with Kisi's mobile apps.

When the Kisi controller is unable to re-establish an internet connection for five minutes, it goes into offline mode. In offline mode, the Kisi controller, via the Kisi reader, receives authenticated unlock requests from the Kisi app on the user's phone to authenticate with Kisi and unlock a door. This requires the phone to be online, as it needs to request an extended user-identifying certificate from the Kisi API. This certificate includes access permissions for the assigned door or elevator, and is valid for a short duration only, typically a few minutes. Renewal of this certificate occurs before each access attempt.


  • A Kisi Controller and a Kisi Reader, on the same network
  • 4G/5G access
  • The Kisi mobile app on the latest version