Kiosk
The Kiosk settings page (Settings > Kiosk) lists the per-location kiosk URLs your team can open on a shared device to clock employees in and out. For the employee-facing experience — clocking in, starting a break, offline sync — see Kiosk Mode.
This article covers what an admin needs to know to get a kiosk running at a location.
How kiosks authenticate
Vuoro's kiosk flow is intentionally lightweight. There is no device registration, no per-device token, and no credential rotation: any browser that can reach your Vuoro instance at the correct URL becomes a kiosk for that location, and employees identify themselves at the device with a 4-digit PIN.
| Concern | How it is handled |
|---|---|
| Trust in the device | Physical security of the kiosk (locked room, wall-mounted tablet) + HTTPS. |
| Employee identity | 4-digit PIN stored per-employee as an Argon2 hash. |
| Brute-force protection | After 5 failed PIN attempts, that employee is locked out for 15 minutes (tracked in Redis). |
| Location scoping | Enforced by the URL: each location has its own kiosk URL, and clock events are attached to that location. |
This is a conscious trade-off — kiosk devices are usually in a staff-only area, and the PIN + lockout limits the blast radius of a walk-up attacker.
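An added example, not Vuoro's own code, of the PIN check and per-employee lockout from the table above. It assumes an in-memory counter in place of Redis, standard-library scrypt in place of Argon2, a hypothetical key name, and that each failure restarts the 15-minute window while a correct PIN clears the count.

```python
import hashlib
import hmac

MAX_FAILURES = 5            # from the table above
LOCKOUT_SECONDS = 15 * 60   # from the table above


class TTLCounter:
    """In-memory stand-in for a Redis counter with expiry (assumption)."""

    def __init__(self):
        self._data = {}  # key -> (count, expires_at)

    def get(self, key, now):
        count, expires_at = self._data.get(key, (0, 0.0))
        return count if now < expires_at else 0

    def incr(self, key, now, ttl):
        count = self.get(key, now) + 1
        self._data[key] = (count, now + ttl)  # assumption: each failure restarts the window
        return count

    def reset(self, key):
        self._data.pop(key, None)


def hash_pin(pin, salt):
    # scrypt stands in for Argon2 so the example needs no third-party package.
    return hashlib.scrypt(pin.encode(), salt=salt, n=2**14, r=8, p=1, dklen=32)


def verify_pin(counter, employee_id, pin, salt, stored_hash, now):
    """Return 'ok', 'bad_pin' or 'locked' for one kiosk PIN attempt."""
    key = f"kiosk:pin_fail:{employee_id}"  # hypothetical key name
    if counter.get(key, now) >= MAX_FAILURES:
        return "locked"  # checked first, so no guess is evaluated during lockout
    if hmac.compare_digest(hash_pin(pin, salt), stored_hash):
        counter.reset(key)  # assumption: a correct PIN clears earlier failures
        return "ok"
    counter.incr(key, now, LOCKOUT_SECONDS)
    return "bad_pin"


def demo():
    salt, counter = b"constructed-salt", TTLCounter()   # constructed sample values
    stored = hash_pin("4821", salt)                     # constructed PIN
    wrong = [verify_pin(counter, "emp-1", "0000", salt, stored, 0.0) for _ in range(5)]
    during = verify_pin(counter, "emp-1", "4821", salt, stored, 60.0)
    after = verify_pin(counter, "emp-1", "4821", salt, stored, 900.0)
    return wrong, during, after


if __name__ == "__main__":
    print(demo())
```

The lockout is keyed per employee, so one locked-out employee does not stop others from clocking in at the same kiosk.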
Setting up a kiosk at a location
- Open Settings > Kiosk. You see a list of every active location.
- For the location you want to kiosk-enable, click Copy URL (or Open to test in a new tab).
- On the kiosk device, open the URL in a full-screen browser. A dedicated tablet in guided-access / kiosk mode is the typical setup.
- Verify one employee can clock in and clock out with their PIN.
The page does not create devices, register identifiers, or store anything about the kiosk hardware — the URL itself is the entire configuration.
Assigning and resetting PINs
PIN management lives on each employee's detail page (Employees → <employee>), in the Kiosk PIN section. Supervisors and above can see it.
- Set PIN — when an employee has no PIN yet. The server generates a non-trivial 4-digit PIN and shows it once in a dialog with a Copy button.
- Regenerate PIN — when an employee already has one. Issues a fresh PIN and shows it once, invalidating the previous PIN immediately. Use this if a PIN is forgotten, shared, or leaked.
- Remove PIN — clears the PIN entirely; the employee can no longer clock in at a kiosk until a new one is set.
The plaintext PIN is shown exactly once at the moment of creation. It is stored Argon2-hashed and is not retrievable afterward — that's the security trade-off. If a PIN is lost, regenerate it.
Bulk PIN assignment for first-time rollouts
When you're standing up kiosks for the first time with many employees who lack a PIN, your platform administrator can run a one-shot backfill that assigns a PIN to every active employee who doesn't have one and exports the plaintext PINs to a CSV for distribution. Re-running is idempotent — employees with an existing PIN are left untouched. Reach out to whoever administers your Vuoro instance if you need this.
See also
- Kiosk Mode — what employees see and do at the kiosk.
- Clock Events — how kiosk clock-ins are processed, including offline sync and rounding.