Updated: 22 July 2024 for V197 | Release Notes - June 2024

There are several ways to increase security around e-tickets. These options are mainly used to discourage the (illegal/unwanted) reselling or sharing of tickets to other people.

As with all security measures, this will bring more complexity to the user experience, so use these features wisely and only when there is a high risk of ticket sharing/reselling.

The options as described below only work when you are using the Peppered confirmation email and Peppered e-tickets.

Secure tickets have a barcode that will show only xx minutes before the event. This makes it harder to share these barcodes with other people in advance.

The working principle is that all Peppered e-tickets have an “available from” field. The date in that field causes a barcode to be shown or hidden. If the date is in the future, the e-ticket will hide the barcode and communicatie the date in a message (”barcode will be available from xx-xx-xx”)

When displaying a Peppered e-ticket, the “available from” field is leading.

The way this “available from” date is set differs per ticketing system:

For Ovatic and Itix, this date is passed on from the ticketing system. Both systems have a setting per event to activate secure tickets (in Ovatic called “just-in-time” tickets) and to fill in the time before the start of the event that the barcode should be active. This date is automatically transferred to each ticket in Peppered.

For other ticketing systems, barcodes are always visible by default. You can, however, activate secure tickets in Peppered by checking the box “secure tickets” at the event in the Peppered Dashboard. This does two things:

You can configure the “Secure e-tickets availability (minutes)” field in the e-tickets part of the Control Panel. This is a central setting that will be used for all e-tickets for all events that have the option "secure tickets" switched on.

As of V198 | Release Notes - July 2024 secure tickets will only show the name and customer number. These tickets require the visitor to login into their account, so personal data on those secure tickets is safely stored behind the login.

All tickets can be placed behind an SMS wall. This means that you need to fill in a special code before you can access your e-ticket.

This code will be send by SMS to the number you entered during the order process.

For this wall to work, we need three things:

The phone number for the SMS verification does not have to be the phone number as stored in the account, although if there is a phone number in the account, it will show as a placeholder in the last order step. You can, however, change this number into any number you like. The phone number will be stored with the order, so when you change your phone number in your account, it will not change the phone number as stored with the order. That number cannot be changed due to security reasons.

Before viewing the e-tickets, you can request a code. The SMS with the code is sent directly to the phone number upon loading the page. After filling in the code on the website, the e-tickets are unlocked.

This can be used in combination with a forced log-in and the "available from" time setting (see "secure tickets" above).

Template texts for the SMS flow:

FE3_order_sms_verification_intro: Intro text for the SMS verification step in the order process.

FE3_order_sms_verification_edit Label for the phone number edit link in the SMS verification step in the order process.

FE3_order_sms_verification_save Label for the save button in the SMS verification step in the order process.

FE3_sms_verification_intro Intro text for SMS verification

FE3_sms_verification_button Label for SMS verification button.

FE3_sms_verification_resend Label for SMS verification resend button

FE3_sms_verification_error_expired Error message for expired SMS verification code.

FE3_sms_verification_error_invalid_code Error message for invalid SMS verification code.

FE3_sms_verification_error_generic Error message for generic SMS verification error.

Dynamic barcodes refresh every 20 seconds. Old codes are invalid, so you need to have the barcode live on your screen at the door.

Peppered creates a new barcode every 20 seconds, and securely embeds the current time in the barcode string, together with some other information like the “integrator secret” and an “Identifier”.

Ovatic scanners read the barcode, compare the embedded time with current time, and if current time is same or at max 20 sec later, and the secret and identifier are valid, the barcode will be valid.

This can be used in combination with a forced log-in (see "secure tickets" above)

This can be used in combination with the SMS verification

If you want to avoid visitors changing their e-mail address so they cannot "sell" their website account (including e-tickets) to somebody else, just go to your "visitor account fields" module and set the e-mail field to "read only".

First, sign-up for Messagebird at https://messagebird.com/

You need to use the "Verify API" from their start page:

You will be prompted to arrange for the necessary financial means before you can start sending SMS messages.

When you took care of that, you should have access to the API keys for test and live environment via the "Developer Dashboard":

Copy this API key into your Dashboard in the "API connections" module. There should already be a "Messagebird" entry in there, which is empty.

Use the Test API key during test, and change to the live Key when ready.

Related pages

Template texts