ESTË Live User Manual › 15. Access Control

15. Access Control

Access control allows the engineer to approve or deny new device connections before they can access the mixer. When enabled, musicians and stage devices must be approved manually before they see any mixer data.

15.1 Enabling Access Control

  1. Open SettingsAccess Control
  2. Check Require approval for new devices
  3. Choose a Token duration (how long approved devices stay valid):
    • 1 hour — short rehearsal
    • 4 hours — extended session
    • 8 hours — full soundcheck + show (default)
    • 24 hours — multi-day event
  4. Click Apply

15.2 Connection Flow

When access control is enabled:

  1. Musician scans QR code from the engineer view → opens the musician URL on their phone
  2. Phone shows "Waiting for engineer approval..." with the ESTË Live logo and spinner
  3. Engineer sees an amber notification — the status dot in the header pulses amber and shows the number of pending requests
  4. Engineer clicks the status to open the ConnectionDropdown → sees pending requests with device scope and bus name
  5. Engineer approves or rejects each request (or uses "Approve All" for multiple simultaneous requests)
  6. Approved — musician receives a token, stored in localStorage, and sees the mixer immediately
  7. Rejected — musician sees "Connection denied" with a "Try again" button

15.3 Automatic Reconnection

Approved devices receive an HMAC-SHA256 token stored in the browser's localStorage. On page reload, sleep/wake, or WiFi reconnection, the token is sent automatically — no re-approval needed until the token expires.

If the server restarts or the network drops, the musician/stage views automatically reconnect in the background. A "Reconnecting..." banner appears while the mix remains visible, so the musician never loses context. On mobile, reconnection is triggered immediately when the screen is unlocked or the browser tab is brought back to the foreground.

15.4 Token Expiry

When a token expires:

  • The musician is shown "Waiting for engineer approval..." again
  • The engineer receives a new approval request
  • A new token is issued upon approval

15.5 Localhost Bypass

The Tauri desktop app (engineer view) connects from localhost and is always authenticated automatically — no approval required. This only applies to connections from 127.0.0.1 or ::1.

15.6 Pending Request Timeout

If the engineer does not respond to an approval request within 5 minutes, the request is automatically denied. The musician sees "Connection denied" and can retry.