Lock Workspace
Lock Workspace is an admin action that invalidates every active session on the MZAP server. After locking, every user — including the admin who triggered the lock — has to log in again on their next request.
This is not a kiosk mode or a PIN-protected screen saver. It’s a global session kill switch, intended for moments when you want a clean authentication boundary: shift changeovers, after a terminated employee’s last day, after distributing a new set of credentials, or any time you’ve lost track of who is still signed in.
Locking
Section titled “Locking”- Open the File menu in the top bar (admin only).
- Click Lock Workspace.
- Confirm the prompt.
Every browser immediately drops back to the login dialog on its next request. API calls and Server-Sent Events using the old session tokens return 401 Unauthorized.
There is no “unlock” action — locking simply invalidates sessions. Users unlock themselves by signing in again with their username and password.
What lock affects
Section titled “What lock affects”| Thing | Affected by lock? |
|---|---|
| Active session tokens | invalidated |
| Web UI sessions in all browsers | forced to re-login |
| API keys | not affected; scripts keep working |
| User accounts, roles, assignments | unchanged |
| Workspace contents (players, zones, routing) | unchanged |
| Running audio playback | unchanged |
Locking is purely an authentication operation. Audio keeps playing, playlists keep advancing, and the scheduler keeps firing. Only the interactive side of MZAP stops until users authenticate again.
API-key-based integrations are deliberately not affected — you usually want your home-automation or monitoring script to keep working after a human shift change. If you need to revoke an integration’s access too, regenerate or delete its API key on the Users tab.
When lock is unavailable
Section titled “When lock is unavailable”- Authentication is disabled globally. Without auth there are no sessions to invalidate, so the menu item is hidden.
- You are not signed in as an Admin. Only admins can lock the workspace.
API equivalent
Section titled “API equivalent”POST /api/auth/lockAuthorization: Bearer <admin-token>Returns 200 OK on success. Returns 403 Forbidden for non-admin callers and 200 OK as a no-op when authentication is disabled. The admin’s own session token is invalidated too — expect subsequent calls with the same token to return 401.
- Lock at the end of each shift if you leave the MZAP window open on a shared workstation.
- Lock after changing a staff member’s role or assignments to guarantee their next action runs with the new permissions.
- Lock after revoking a user — deleting the account invalidates that user’s sessions, but if you’ve also changed shared admin credentials, a full lock makes the handover clean.