WavePass turns a single UDM Pro into a multi-tenant WiFi platform: per-vendor private passwords for POS terminals, voucher-gated guest WiFi for customers, branded captive portals — all from one admin panel.
Most venues hit the same wall when they grow past one network: the POS terminals need a password they can hold onto, and the public needs accountable, time-bound access. WavePass solves both, on top of UniFi.
WavePass is a self-hosted multi-tenant access control layer for UniFi networks. It lets a single UDM (Pro / SE / standard) host two simultaneous worlds — a vendor side with per-tenant private PSKs that route to a segmented VLAN, and a customer side with branded captive-portal voucher access — all administered from one web UI, with email delivery, redemption tracking, and printable QR sheets baked in.
WavePass is a Node.js service that talks to your UDM over HTTPS. It uses UniFi's existing voucher and Private PSK features — no firmware changes, no new APs, nothing to install on the network gear.
WavePass authenticates as a local admin on your UDM, then drives the existing Network controller API. Vouchers, private PSKs, captive-portal config — all native UniFi features.
Add a vendor. WavePass auto-generates a private PSK and registers it on the Vendors SSID, routed onto your vendor VLAN. Issue a voucher. WavePass mints it via UniFi and emails it to the vendor.
POS terminals join the Vendor SSID with their private password — they never see a captive portal. Customers connect to the open guest SSID, hit the branded portal, type the voucher code. WavePass polls the UDM and shows you who's redeemed what.
Each tenant gets their own password on the same SSID. POS terminals, kiosks, vendor laptops — once-and-forget setup. Revoke a vendor and only their devices drop off.
Open SSID + captive portal + UniFi-native vouchers. Time-boxed, quota-capped, single- or multi-device. Customers walk up, type the code, online.
Vendors are auto-emailed their POS password and PIN on creation. Customer vouchers can be emailed direct to vendors with QR + redemption URL inline.
Background poller reconciles UniFi state into a local dashboard every 60 seconds. See which vouchers have been used, by which vendor, and when.
Per-deployment branding — colours, logos, welcome copy, success page — pushed straight to UniFi's portal config. The first impression matches the venue.
Bulk-issue vouchers and download printable PDF sheets to hand out at the gate or stick to a vendor pitch sign. Each QR resolves to its own redemption page.
Vendor traffic on its own VLAN. Customer traffic on its own. Local admin accounts only (cloud SSO is incompatible with the voucher API). Bcrypt PINs, HMAC sessions, HTTPS everywhere.
Runs on any small VPS. Talks to your UDM over HTTPS — direct on LAN, or through a WireGuard tunnel for cloud-hosted deployments. No firmware mods, no extra APs.
If you've ever taped a printed WiFi password to a vendor's pitch, or tried to revoke access for one stallholder mid-event, WavePass is the right shape for the problem.
UDM Pro / UDM SE / UDM standard, UniFi Network 8.x and 9.x. Uses the documented Hotspot voucher API and Private PSK feature. No firmware changes.
WavePass is reachable from the UDM either on-LAN or via a WireGuard tunnel. CGNAT'd venues are fine — outbound WG from the UDM to a hub VPS is the supported path.
Single local admin account on the UDM (cloud SSO breaks the voucher API). Admin and vendor roles in WavePass with bcrypt PIN auth. Surface-token integration available for kiosk display use.
~2k LOC of Node.js / Express / SQLite. Runs in under 30MB RAM. Direct deployment via PM2 or Docker. Self-hosted; you own the data.
Currently deployed for the Shane's Castle Steam Rally (3–4 May 2026). Adding new venues now. Drop a line and we'll spec it for your network in 24 hours.