Incoming webhooks API reference
Incoming ACS webhooks let your access-control system (СКУД) tell UnSpot when employees enter or leave the office. UnSpot uses these events for automatic check-in of bookings and attendance analytics. Two variants are supported: a universal JSON endpoint for any ACS, and a dedicated Sigur integration.
1. Create a connection
In Administration > Integrations, create an ACS (SCUD) connection of type JSON. You define which fields of your payload contain the data — so you can adapt UnSpot to whatever your ACS sends:
| Setting | Meaning | Default key |
|---|---|---|
| Office attribute | JSON key holding the office/space name | space |
| User attribute | JSON key holding the user identifier | user |
| Status attribute | JSON key holding the direction (in/out) | status |
| Desk attribute | Optional key holding a desk name | — |
| Access token | Optional shared secret; if set, must be sent in the Un-Token header | — |
After saving, UnSpot generates a unique endpoint token — your ACS will POST events to the URL containing it.
2. Send events — POST /api/scud/json/{token}
curl -X POST -H "Content-Type: application/json" -H "Un-Token: <access token>" \
https://acme.unspot.com/api/scud/json/3f2a...-connection-token \
-d '{
"space": "HQ Berlin",
"user": "jane.doe@example.com",
"status": "in_office"
}'- User identification: if the user value is an email, the user is matched by email; otherwise UnSpot tries the pass number, then the full name. Ambiguous pass numbers are rejected.
- Status: the value must resolve to “in office” or “out of office”. The event time is the moment UnSpot receives the request.
- Events are processed asynchronously; each event (including errors) is recorded in the integration log (Reports > Integration history).
3. What UnSpot does with an event
- Marks the user as present in / absent from the office.
- Confirms check-in for the user’s bookings when check-in policies require office presence.
- Feeds office-attendance analytics and reports.
Sigur variant
For Sigur, create a connection of type Sigur and point Sigur’s notification URL to POST /api/scud/sigur/{token}. Differences from the JSON variant: the body is form-encoded (as sent by Sigur), no Un-Token header is used, and the direction values вход / выход are converted automatically. Sigur delegation and mobile-ID have dedicated endpoints configured from the Sigur integration page.
Errors
Integration not found— wrong endpoint token.Access to subscription denied— theUn-Tokenheader does not match the configured access token.Subscription deactivated— the connection is disabled in UnSpot.User not found/Multiple users found by pass number— the user identifier could not be resolved unambiguously.- Missing office/user/status keys — the event is rejected and logged.
For a hands-on example of the JSON variant, see Incoming Webhooks: Connecting ACS via JSON.