Menu
Dev.to #systemdesign·July 15, 2026

Designing Offline-Tolerant QR Check-in Systems

This article explores the system design considerations for building a robust event check-in system that functions reliably even with unstable or absent network connectivity. It focuses on solving tamper resistance, double-scan prevention, and offline tolerance by strategically embedding signed data in QR codes and employing various synchronization patterns for local and central state management. The key is balancing immediate verification with eventual consistency.

Read original on Dev.to #systemdesign

The Challenge of Unreliable Connectivity at Scale

Event check-in systems often face a critical failure point: venue Wi-Fi becomes overwhelmed when large crowds arrive. A simple centralized validation model, where every QR scan requires a server round-trip, quickly breaks down. A robust system must address three core concerns simultaneously to ensure smooth operations: tamper resistance, double-scan prevention, and offline tolerance.

Tamper Resistance with Signed QR Payloads

To enable offline validation of ticket authenticity, the QR code payload should include enough signed data for local verification. Instead of just a ticket ID, the QR should embed details like `ticket ID`, `event ID`, `issue/expiry timestamps`, and a digital `signature` (`sig`). The issuing system signs this payload with a private key, and scanning devices verify it using a corresponding public key. This allows the scanner to confirm the ticket's genuine origin without any network calls.

json
{ "tid": "EVT-20260810-A4F2", "eid": "boni-event-7291", "issued_at": 1754918400, "expires_at": 1754962800, "holder_name": "REDACTED AT PRINT", "category": "general-admission", "sig": "<base64-hmac-or-ecdsa-signature>" }

Double-Scan Prevention and Offline Sync Strategies

Preventing double-scans (passback) requires shared state about which tickets have been used. In an offline-first environment, this cannot solely rely on a central server. Two main patterns emerge:

  1. Online-first with graceful degradation: Scanners attempt a server call. If successful, the server's response is authoritative. If it times out, the device falls back to local signature validation and queues the scan for later sync. This introduces a small window for passback during outages but keeps queues moving.
  2. Pre-loaded ticket set with local state: Devices download the full set of valid ticket IDs before the event. Scans are validated and recorded locally, then synced to the server when connectivity is available. This closes the passback window even offline, but requires careful management of local data and revocation propagation.

For multi-gate events, achieving eventual consistency across devices requires frequent sync intervals or even mesh-sync approaches where devices directly replicate state over local networks during internet outages to minimize the passback window.

💡

Practical Offline-Tolerance

Offline tolerance is a spectrum. At minimum, a device should authenticate tickets via signature and durably store scan records locally. A stronger posture involves pre-loading valid ticket sets for immediate rejection of invalid or used tickets. Crucially, operators must ensure devices perform a sync check right before gates open to work with the most current state, especially for multi-day events or those with dynamic ticket status (e.g., refunds).

offline-firsteventual consistencyQR codesdigital signaturedistributed stategraceful degradationticketing systemsmobile development

Comments

Loading comments...