One step ahead with these plugins

Youtube
Account
Vollstart Logo

How to Set Up Team Access for Event Entrance Staff in WordPress

Managing a large event means coordinating multiple staff members at the entrance — but giving everyone a WordPress admin login is a security nightmare. Learn how to set up secure, role-based scanner access for your team using authentication tokens.

The Problem With Sharing WordPress Logins With Event Staff

You have three entrances at your venue. Each entrance needs at least one person with a smartphone to scan tickets. The obvious solution seems to be: create WordPress accounts for everyone and let them log in to the ticket scanner.

In practice, this creates serious problems. Admin or editor access means your staff can accidentally change settings, view customer data, or — in a worst case scenario — create security vulnerabilities if a device gets lost or a temporary worker turns out to be untrustworthy. Even creating minimal WordPress accounts for every part-time door person is administrative overhead you do not need the night before your event.

The better solution is authentication tokens: a URL-based access mechanism that gives staff exactly the access they need — and nothing more.

What Are Authentication Tokens?

An authentication token is a unique, hard-to-guess string that grants access to a specific function in your system. Instead of logging in with a username and password, your staff member opens a URL that contains the token. If the token is valid, they get access to the ticket scanner interface — and nothing else.

This approach has several advantages over traditional WordPress accounts:

  • No WordPress credentials required — your staff does not need to know anything about your WordPress installation
  • Revocable at any time — if a staff member leaves early or a device is lost, you can invalidate the token immediately
  • Time-limited — tokens can be set to expire after your event ends automatically
  • Shareable via any channel — send the URL via WhatsApp, SMS, or email; staff just tap the link and they are ready to scan

How to Create Auth Tokens for Your Entrance Team

With the Event Tickets with Ticket Scanner plugin, generating access tokens for your team takes under two minutes. Here is how the workflow looks in practice:

Step 1: Navigate to the Auth Tokens Section

In your WordPress admin panel, go to the Event Tickets menu and find the Auth Tokens section. This is where you manage all scanner access credentials for your team.

Step 2: Create a New Token

Click “Add New Token” and fill in the relevant details:

  • Label — give it a recognizable name like “Main Entrance – Sarah” so you know which token belongs to which staff member
  • Expiry Date — set this to the day after your event so the token automatically becomes invalid
  • Scope — choose which events or ticket lists this token is allowed to scan

Step 3: Share the Scanner URL

Once created, the plugin generates a unique URL. This URL contains the auth token embedded directly. Anyone who opens this URL on their smartphone gets immediate access to the scanner interface — no login prompt, no WordPress dashboard, just the scanner.

Copy the URL and share it with your staff member via any messaging app. They bookmark it on their phone and they are ready to go.

Step 4: Manage Access During the Event

From the admin panel, you can see a list of all active tokens and monitor usage. If you need to revoke access — for example, if a staff member finishes their shift — you can deactivate the token with one click. The next time that URL is opened, it will return an access denied message.

Setting Up Entrance Zones With Multiple Tokens

For events with multiple entrance points, best practice is to create a separate token for each zone. This gives you granular control and better accountability:

  • Main Entrance Token — for general admission scanning
  • VIP Entrance Token — optionally restricted to VIP ticket types only
  • Staff Entrance Token — for crew check-in if you use tickets for that as well

Having separate tokens also helps with post-event analysis. If something goes wrong — a ticket was incorrectly marked as redeemed, for example — you can trace which token was used and at what time.

What the Scanner Interface Looks Like for Staff

Your entrance staff does not need any training on WordPress. When they open their access URL, they see a clean, mobile-optimized scanner interface. The camera activates automatically and they point it at the QR code on a ticket. Within one second they get a clear visual and audio confirmation: green for valid, red for invalid or already used.

The interface also supports manual code entry for cases where a QR code cannot be scanned — for example, if a ticket has been printed on low-quality paper and the code is hard to read. Staff can type the ticket code directly.

Security Considerations for Token-Based Access

Token-based access is more secure than shared passwords in most scenarios, but there are a few practices worth following:

  • Do not post tokens in public channels — share them in direct messages, not in public Slack channels or group chats
  • Set expiry dates — always configure an expiry date so old tokens cannot be used after the event
  • Regenerate tokens for repeat staff — for recurring events, generate fresh tokens each time rather than reusing old ones
  • Review active tokens regularly — before your event, check that only the tokens you intended to create are active

How This Compares to WordPress User Roles

WordPress does offer a “Subscriber” role which has minimal permissions, and some plugins allow custom roles. However, even a subscriber account gives someone a login to your WordPress installation. They appear in your user list, they can reset their password, and managing them after the event requires you to delete accounts manually.

Auth tokens require no user account whatsoever. They exist independently of the WordPress user system, they expire automatically, and there is nothing to clean up after your event.

Summary: Checklist for Setting Up Team Access

  1. Create one auth token per entrance zone or staff member
  2. Set descriptive labels so you know who has what
  3. Configure expiry dates for automatic post-event revocation
  4. Share URLs via direct message, not public channels
  5. Test each token on a real device before the event day
  6. Monitor token usage from the admin panel during the event

Managing entrance staff access does not have to mean managing WordPress user accounts. With auth tokens, you can have ten people scanning tickets at five different entrances, all without a single WordPress login being shared.

The Event Tickets with Ticket Scanner plugin is available on WordPress.org. The authentication token feature for team access is part of the premium version.

Login
My Account