> ## Documentation Index
> Fetch the complete documentation index at: https://docs.time2.bike/llms.txt
> Use this file to discover all available pages before exploring further.

# Tokens & QR codes

> Hand a volunteer a phone without giving them org access.

A **timing session token** is a scoped, revocable credential a director generates for a single session. Volunteers redeem it by scanning a QR code or opening a `time2.bike/timing/join?token=…` link. No password, no rider account required.

<img src="https://mintcdn.com/time2bike/gd86sIECJkXq3-wr/images/timing/qr-invite.png?fit=max&auto=format&n=gd86sIECJkXq3-wr&q=85&s=b30bd8a0bbe2146669fe37b194b8ff9d" alt="Token QR" width="1370" height="1306" data-path="images/timing/qr-invite.png" />

## Issue a token

1. Open the session as an admin.
2. Click **Tokens** in the toolbar.
3. Click **Issue new token** and fill in:
   * **Label** — for your own reference ("Finish line phone #1").
   * **Roles** — any combination of `view`, `timer`, `marshal`, `admin`, `refund` (see [Roles](/timing/concepts/roles)).
   * **Expires in** — number of hours from now.
   * **Allowed races** — optionally restrict the token to specific races within the session.
4. Click **Create**.

You see the raw token and the QR code **once**. Copy / screenshot / print before closing the dialog — the raw value is never shown again.

## Volunteer experience

The volunteer opens the QR code on their phone. They land on `/timing/join?token=tt_[hex]`, see a confirmation card with org / event / session / role / expiry, and tap **Continue**.

The token is stored in the browser's `localStorage`; subsequent visits to the operator screen are automatic.

<img src="https://mintcdn.com/time2bike/gd86sIECJkXq3-wr/images/timing/join-op.png?fit=max&auto=format&n=gd86sIECJkXq3-wr&q=85&s=202555a88e56ffff05d6db76fd672fd1" alt="Join page" width="1088" height="1082" data-path="images/timing/join-op.png" />

## Revoke

In the token list, click **Revoke** on any active token. The next API call from that token returns "session not found". Re-issue if needed.

## What tokens can't do

Scoped tokens cannot:

* Create new sessions (admin org members only).
* Delete a session.
* Issue more tokens (unless the token has `admin` role).
* Touch other events in the org.

The system enforces this on every API call by URL-prefix matching the token's scope.
