Locker Open#

Download: Android | iOS

Note: Android users will still have to download the Locker Open app

How to use locker open. Our lightweight app clip#

Be sure to have a link provided by lockeropen.com before you try to use the Locker open app. Instructions for developers on how to create these links are on the bottom of this page. At the moment Locker Open only supports a single open transaction

HarborHarry

Locker Open is an App clip that is our easiest way to open a locker. Simply tap a link:

app-clip
And hit Open app clip to use Locker Open and pop the locker open!
You can also follow the link at the bottom to the app store to download the full Locker Open app.
locker-open

Using the App Clip#

Grant permissions to the app#

This step is needed for dropoff or pickup, it only needs to be done once.
Grant-permissions

Connecting to the tower#

Stay within 10 feet (2m) of the locker while the app is trying to connect.

Location/Tower/Locker example

Drop off#

The locker should open now ready for your drop off

locker drop off

Locker has opened#

The locker should open now ready for your drop off, put your item in and be sure to close the locker. Now your dropoff is complete!

Picking up#

Use the link that was provided to you
locker drop off
Be sure to close the locker door
locker drop off

Harbor Webhooks#

Webhooks allow Harbor to notify your server when important events occur in real time.

To configure webhooks correctly, your system must provide a publicly accessible HTTPS endpoint where you wish to receive these notifications. Once our team registers the endpoint, you will begin receiving webhook events automatically.

Below is an example of how Harbor webhook events are structured.

Locker Open Request for Dropoff#

  1. Our service provider will generate a Locker Open Request for dropoff.

harbor dropoff api

This will send a notification to the configured webhook of the service provider with information in this format:

{
  "timestamp": "2025-04-01T13:02:37",
  "event": "LOCKER_ASSIGNED",
  "data": {
    "timestamp": "2025-04-01T16:02:36.884285+00:00",
    "locker_id": 9,
    "locker_status": "rented",
    "tower_id": "0000000000000001",
    "source": "LOCKER_OPEN_LINK_CREATED",
    "reservation_id": null,
    "open_locker_token_id": null,
    "keypad_code": null,
    "client_info": null,
    "locker_open_request_id": 56,
    "locker_open_request_payload": {
      "extra": "data",
      "test": 123
    }
  }
}
  1. Similarly, when the end user uses the link to perform the dropoff, another notification of the same type will be sent to the configured webhook:

  • One when the token to open the locker is created:

{
  "timestamp": "2025-04-01T13:12:57",
  "event": "LOCKER_OPERATION",
  "data": {
    "timestamp": "2025-04-01T16:12:57.521044+00:00",
    "locker_id": 9,
    "locker_status": "rented",
    "tower_id": "0000000000000001",
    "source": "LOCKER_TOKEN_CREATED",
    "reservation_id": null,
    "open_locker_token_id": 52,
    "keypad_code": null,
    "client_info": "Luis",
    "locker_open_request_id": null,
    "locker_open_request_payload": null
  }
}
  • Another when the token is finally used:

{
  "timestamp": "2025-04-01T13:15:47",
  "event": "LOCKER_OPERATION",
  "data": {
    "timestamp": "2025-04-01T16:15:45+00:00",
    "locker_id": 9,
    "locker_status": "occupied",
    "tower_id": "0000000000000001",
    "source": "LOCKER_TOKEN_USED",
    "reservation_id": null,
    "open_locker_token_id": 52,
    "keypad_code": null,
    "client_info": "Luis",
    "locker_open_request_id": 56,
    "locker_open_request_payload": {
      "extra": "data",
      "test": 123
    }
  }
}

Pickup Process#

The same process will be repeated during the pickup process, The last event will be a LOCKER_UNASSIGNED type, cause after the pickup happens the locker is not assigned to your company anymore.

Verifying Webhook Signature (Optional)#

Harbor and your system can share a secret used to verify the signatures of incoming webhook requests. This step is optional but recommended as an additional security measure.

To verify the signature, follow the steps below:

  1. Extract the signature from the headers

    The webhook request will include a header named x-harbor-signature. Its value has the following format:

    t=1746022058,v1=c0aec4...,v2=...

    • t is the Unix timestamp.

    • v1, v2, etc., are versioned signatures.

    Extract the all the signature values for verification.

  2. Generate your own signature using the shared secret

    Use an HMAC function (available in most standard libraries) to compute a signature using the following inputs:

    • The shared secret between Harbor and your system.

    • Request Payload. payload should be a concatenated string of the timestamp and the request payload delimited by, removing and space character. It should look like: {timestamp},{payload}

    • Encoding method: hex.

  3. Compare signatures

    Compare your computed signature to the ones provided in the x-harbor-signature header. The computed signature must match at least one of the provided signatures (e.g., v1) for the verification to pass.

Validator functions example
import re
import hmac
import hashlib

def is_signature_valid(
    x_harbor_signature: str, payload: str, shared_secret: str
) -> bool:
    """Determines if harbor signature is valid or not"""

    matches = dict(re.findall(r"(\w+)=([^,]+)", header))

    timestamp = matches.get("t")
    signatures = [v for k, v in matches.items() if k.startswith("v")]

    compact_payload = payload.replace(" ", "")
    signed_content = f"{timestamp},{compact_payload}"

    generated_signature = hmac.new(
        shared_secret.encode("utf-8"),
        signed_content.encode("utf-8"),
        hashlib.sha256,
    ).hexdigest()
    return generated_signature in signatures