The TTLock
Platform Guide

Most Australian buyers first encounter TTLock through a brand name — McGrath, Lockton, or Austyle. These are the hardware brands. TTLock is the platform behind all of them: the software, the cloud, and the access management system that makes the hardware work.

Understanding the platform, not just the lock, helps you make a better purchase decision and avoid the most common setup mistakes. This chapter explains what TTLock is, how its access system works, and where it fits best — and where it doesn't. If you are already using a TTLock-platform lock and want operational tips, the TTLock tips, tricks, and hidden features guide covers the practical side. For the Airbnb automation workflow, see using TTLock for Airbnb in Australia. The complete official source — the TTLock User Manual PDF — is also available, alongside an app overview video and the McGrath Locks App how-to video presented by an Australian expert.

TTLock is a cloud-based smart lock management platform developed and operated by Sciener, a company based in Beijing, China. Sciener does not manufacture the lock hardware themselves — they build and maintain the platform that hardware brands license and build upon. In Australia, the brands running on TTLock include McGrath, Lockton, and Austyle, plus the Vault range. There are dozens of other TTLock-compatible hardware brands sold globally, making it one of the two dominant smart lock platforms on the world market alongside Tuya.

The platform works in two stages. The first is a direct Bluetooth connection between the lock and your phone via the TTLock app. Within Bluetooth range, you can lock and unlock, manage credentials, and view activity logs. The second stage adds a gateway — a small device that bridges the lock to your home WiFi network. With a gateway, you gain full remote management from anywhere in the world.

The McGrath Locks app is an Australian-branded version of the TTLock app. Same platform, same Sciener backend, same feature set — with Australian-facing branding and support. Australian McGrath customers can use either the TTLock app or the McGrath Locks app interchangeably. The decision to use McGrath's branded app reflects the distribution and support relationship with LSC, not a separate technical platform. Australian users may find the McGrath Locks App how-to video the most practical starting point — it covers the same platform with local context.

Data sovereignty — where your information goes

All lock event data and remote commands transit Sciener's servers, which are hosted in China. Local Bluetooth access and passcode entry at the keypad operate entirely without any cloud connection — nothing leaves your property. Only when a gateway is connected do event logs and remote commands use the Sciener cloud. For operators with data sensitivity requirements (NDIS providers, body corporates, commercial property managers), this is worth factoring into platform selection. A full security and data sovereignty analysis is in the Security Considerations section below, and in our cross-platform comparison in Chapter 15 — Security & Data Sovereignty.

Some locks in the broader GCSL range run on entirely separate platforms. Hafele digital locks use the Hafele app or proprietary firmware. Dormakaba products use their own platforms. Carbine's Bluetooth CEL2-BT models use the Carbine Connect app — a Bluetooth-only, no-cloud platform with a fundamentally different architecture. These are not TTLock-compatible and are not covered in this chapter. For a full platform comparison, see Chapter 15 — Smart Lock App Platforms Guide.

TTLock is an open platform. Hundreds of hardware brands globally manufacture TTLock-compatible locks covering a wide range of form factors: door locks, padlocks, safe locks, cabinet locks, bicycle locks, cylinders, and parking bollards. In Australia, Gold Coast Smart Locks carries three TTLock-compatible brands:

• McGrath — the broadest range in the Australian TTLock market, covering lever sets, mortice locks, aluminium-door formats, fire-rated options, and DDA-compliant models. See the McGrath brand profile in Chapter 10 for the full range overview.
• Lockton — a complementary range with its own product design, also running on TTLock with the same app and gateway compatibility.
• Austyle — a further range with TTLock compatibility, offering additional format options.

What this breadth means practically: whatever door type you have — timber, aluminium, sliding, narrow stile, fire-rated — there is likely a TTLock-compatible product that fits. For help matching a product to your specific door, see the nine-door-type compatibility matrix in Chapter 04.

TTLock offers six distinct passcode types — more scheduling granularity than any competing platform in the Australian market. Understanding what each type does and what its constraints are is one of the most practically useful things to know before you start using the platform. See Chapter 03 — Access Methods for the broader context of PIN-based access in smart locks.

The 24-hour activation rule — the most important thing to know

Permanent, Time-Limited, and Cyclic passcodes must each be used at least once within 24 hours of generation (or within 24 hours of the validity start date). If no one enters the code at the keypad within that window, it auto-expires permanently with no warning in the app. This is the most common cause of "my code doesn't work" problems. Always generate and immediately test any new passcode before sharing it. For a full explanation with real-world scenarios, see the 24-hour activation rule section of our TTLock tips guide.

The Erase code — never share it

The Erase code deletes every passcode on the lock in a single keypad entry. It looks identical to any other code in the app. Generating one and sharing it with a guest or cleaner — even innocently — risks wiping all credentials from the lock the moment it is entered. See the Erase code explanation for the full danger scenario and safe use procedure.

An eKey is a digital access invitation sent from one TTLock account to another. The recipient receives access to the lock via their own TTLock account without ever seeing your passcode or having administrative control. eKeys can be revoked at any time.

There are four eKey types: Permanent (unlimited until revoked), Timed (valid between two timestamps), One-Time (auto-deletes after first use), and Cyclic (repeats on a schedule). The scheduling flexibility mirrors the passcode types.

The app provides a deadline warning system: the key indicator turns yellow as expiry approaches and red once it has passed. This gives administrators a visual overview of which access grants are nearing expiry across a property or portfolio.

Note on email invite packs

Sciener introduced a paid model for eKey invitations sent by email. Sharing an eKey with an existing TTLock account holder by username is free. Sending an eKey to a recipient by email address incurs a small per-invite cost above a free monthly allocation. Sharing passcodes via SMS or another messaging channel remains a free alternative.

For property handovers, eKey management requires attention. Once a lock is paired to an account, it cannot be transferred to a new account until the current administrator deletes it via Bluetooth while physically at the lock. See our lock transfer guide for the procedure and common pitfalls. Note also that deleted eKeys may persist on the lock hardware itself — this is addressed in the Security Considerations section below.

A TTLock-platform lock works without a gateway. Passcodes work, IC cards work, fingerprints work, and Bluetooth access from the app works — all locally, without any WiFi or internet connection. For an explanation of what a gateway actually does and when you genuinely need one, see Chapter 08 — What a Gateway Does. Many residential installs run in Bluetooth-only mode without issues. The table below summarises exactly what changes when a gateway is added.

For Airbnb and short-stay rental operators, a gateway is effectively required — remote passcode creation and real-time notifications are not optional at that operational scale. For context on what happens to your lock when the internet goes down, see Chapter 08 — What Happens When the Internet Goes Down. Local access methods remain completely unaffected.

Four gateway models are available for TTLock-platform locks in Australia. The right choice depends on your network environment and the number of locks you are managing. For full technical specifications and a detailed comparison including the Yale Connect Hub and Igloohome Bridge, see Chapter 08 — Smart Lock Gateway Comparison.

The band-steering problem — why it matters in Australia

Most Australian NBN-era routers broadcast a single WiFi SSID across 2.4 GHz and 5 GHz and steer devices between them. The G2 can only connect to 2.4 GHz. When the router steers the G2 to 5 GHz, the gateway drops offline silently and intermittently. For the full explanation and fix options, see Chapter 08 — The Band-Steering Problem and our blog on why smart locks drop off WiFi · FAQ: why does my lock keep dropping off WiFi? →. For any new install, the G5 eliminates this problem by handling both bands natively. See also the G2 vs G3 vs G4 vs G5 gateway comparison blog.

Gateway placement rule

Position the gateway within 3–7 metres of the lock for reliable Bluetooth relay. 9 metres is the stated maximum; 4.5–7 metres is the reliable real-world range. Avoid steel door frames and concrete walls between the gateway and the lock. See Chapter 08 — Gateway Placement for the full guidance.

For the operational perspective on gateway choice and the impact of the G2 vs G5 decision on day-to-day reliability, see the gateway choice section of our TTLock tips guide.

Beyond PIN codes and app-based access, TTLock-platform locks support several additional credential types. Availability varies by hardware model. For a broader overview of all access methods and how they compare, see Chapter 03 — Access Methods Comparison.

IC Cards (RFID): IC cards must be enrolled via the app while physically at the lock. Permanent or time-limited card access can be set. With a gateway connected, remote card issuance is possible. Without a gateway, cards must be enrolled in person. See Chapter 03 — RFID Card Access for how RFID credentials work and their advantages over PIN for multi-user environments.

Fingerprints: Enrolled via the app at the lock. Multiple fingerprint entries per user are supported. The recommended technique is to enrol the same finger at three slightly different angles, plus a backup finger from the non-dominant hand — this significantly improves recognition reliability across different conditions. See the fingerprint enrolment technique in our tips guide for the full method. See also Chapter 03 — Fingerprint Access for failure modes and when biometric access suits your application.

Touch-to-Unlock (Bluetooth): When Touch-to-Unlock is enabled, touching the keypad while the TTLock app is open and the phone is within Bluetooth range unlocks the door without entering a PIN. It is enabled by default and can be disabled in app settings. See the Touch-to-Unlock guide for when to disable it and how. For the broader context of Bluetooth-based access, see Chapter 03 — Bluetooth Access.

Two-Factor Unlock: TTLock supports requiring two credentials simultaneously — fingerprint plus PIN, or IC card plus PIN. Appropriate for NDIS housing staff access, secure commercial doors, or safe rooms. See the two-factor unlock guide for which situations warrant it and which do not.

TTLock's open SDK and API is the primary reason the platform is popular among multi-property Airbnb and short-stay operators. Property Management System (PMS) platforms can connect to the TTLock API and automatically create, modify, and delete time-limited passcodes based on booking data — without any manual intervention from the host.

PMS platforms that integrate with TTLock in Australia include Hostaway, Guesty, Lodgify, and RemoteLock. API-level access is also available through Seam, which connects TTLock to a wider range of downstream tools. See PMS platforms that integrate with TTLock for the full list and how each works. For how multi-property operators scale this, see Chapter 07 — Property Management Systems and Chapter 07 — Multi-Property Management.

No native Airbnb integration in Australia

Airbnb's direct smart lock integration — where Airbnb itself generates and sends access codes automatically within the Airbnb app — is available in the United States and Canada only, and supports Schlage, Yale, and August locks only. Australian TTLock operators cannot use Airbnb's native lock integration. Automation requires a third-party PMS. In contrast, Igloohome's Airbnb Connect feature does work in Australia. See the Australian clarification in our TTLock Airbnb guide for the full picture.

For a detailed guide to setting up TTLock with a PMS for Airbnb, see what changes with a gateway and PMS. For the Airbnb use-case comparison between TTLock and Igloohome, see Chapter 07 — Igloohome vs TTLock/McGrath.

Built into every TTLock account at no additional cost, Attendance Management turns the lock into a staff check-in system. It is designed for commercial use cases: offices, retail tenancies, NDIS group homes with paid staff, and any environment where arrival and departure times need to be logged.

When enabled on a lock, the system records the time of each access event by credential. The app generates monthly statistics showing arrival times, departure times, late arrivals, and early departures against a configurable schedule. A holiday calendar can be set to exclude public holidays. Three check-in methods are supported: app unlock, passcode entry, and IC card.

The feature is toggled on or off per lock in the lock settings. It does not affect normal access operation — the lock works identically with Attendance Management on or off. The difference is whether the platform is actively building a timesheet from the access log.

Where Attendance Management is most useful in Australia

Offices where staff entry time is relevant for payroll or compliance · Retail tenancies where opening and closing times need verification · NDIS supported living properties where staff shift records are needed · Property management companies tracking when contractors access managed properties. For NDIS-specific context, see Chapter 09 — NDIS Funding and our guide to which lock suits your NDIS project.

TTLock is a capable platform. It is also missing features that some buyers will care about. The table below compares TTLock against the platforms most likely to come up in an Australian buying decision.

If reliable access without internet at the property is your priority

TTLock requires a gateway and a functioning internet connection for remote access and time-limited passcode automation. If internet reliability is a genuine concern — a remote holiday home, a coastal property on a mobile data connection, or a location with unreliable NBN — Igloohome's algoPIN technology validates time-limited codes locally on the lock and may be a better fit. See our guide on how Igloohome works without WiFi for the technical explanation.

A note on Tuya

Tuya is the other dominant global smart lock platform alongside TTLock — it powers a large proportion of Chinese-manufactured smart locks available on Amazon and grey import channels in Australia. GCSL does not stock Tuya-platform locks because they are not distributed through Australian locksmith trade channels and do not have the installer support infrastructure required for professional installation. For a full comparison of the two platforms, see our TTLock vs Tuya guide.

For Australian Airbnb and short-stay operators, TTLock and Igloohome are the two platforms that matter most. They take fundamentally different approaches. See Chapter 07 — The Two Main Approaches for the foundational framing of this decision.

Use this decision framework:

• No reliable internet at the property → Igloohome. AlgoPIN works without internet. See which Airbnb setup is right for you for the decision flow.
• Multi-property, PMS-automated, confirmed reliable internet → TTLock. Broader PMS ecosystem and lower hardware cost favour TTLock at scale. See scaling TTLock across multiple properties.
• Budget is a primary constraint → TTLock. Hardware and gateway costs are consistently lower.
• Airbnb Connect required (AU) → Igloohome. TTLock has no native Airbnb integration in Australia. See how Airbnb Connect works.
• Apple HomeKit required → Yale. See Yale brand profile and Yale Home in Chapter 15.
• Privacy-first, no cloud, Bluetooth proximity only → Carbine Connect. The CEL2-BT range stores no event data in the cloud and requires no internet connection for any function. See Carbine Connect in Chapter 15.
• Still unsure which platform fits your situation? See Five Questions That Decide Your Platform → — a structured decision tool that narrows to a specific recommendation in under two minutes.

For the Airbnb-specific WiFi decision in full detail, see Igloohome vs TTLock/McGrath at a glance and when TTLock is the right answer and when Igloohome will serve you better. For a platform-to-scenario decision table, see Chapter 15 — Choosing the Right Platform →

In March 2024, CERT/CC (the US Computer Emergency Readiness Team Coordination Centre) published advisory VU#949046 documenting multiple unpatched vulnerabilities in Sciener firmware — the same firmware that powers TTLock-platform locks including McGrath, Lockton, and Austyle. Sciener was notified in November 2023 and had not responded publicly as of the March 2024 disclosure.

We document these in full because trade-grade honesty serves buyers better than omission. The critical context is at the bottom of this section.

The critical context — Bluetooth proximity required for all exploits

Every single CVE listed above requires the attacker to be within approximately 10 metres of the lock — physically present at or very near your door. There is no known remote exploit operating over the internet. A motivated, technically sophisticated attacker must be physically standing at your door with specialised equipment. For the vast majority of residential, Airbnb, and small commercial applications in Australia, this substantially limits the practical risk. These are real vulnerabilities; their real-world exploitability is constrained by the physical presence requirement.

Data sovereignty

All lock event logs and remote commands sent through a connected TTLock gateway transit Sciener's servers, which are hosted in China. Bluetooth-only operation stores nothing in the cloud — event logs remain on the lock and are retrieved locally when the app connects via Bluetooth. For most residential and Airbnb use cases, data transiting through Chinese servers is an accepted consideration. For NDIS providers, body corporate managers, commercial property operators, or any environment where data sensitivity or regulatory compliance is a factor, this warrants explicit consideration before selecting TTLock as the platform. There is no Australian-hosted alternative on this platform. See the cross-platform security and data sovereignty table in Chapter 15, and the TTLock-specific CVE security assessment →, for a comparative view.

Mitigations

1. Keep firmware updated — check via TTLock app → Lock Settings → Firmware Version. Update when prompted. Firmware updates are the primary mechanism by which Sciener can address these vulnerabilities.
2. Treat deleted eKeys as potentially still active — given CVE-2023-6960, prefer passcode-based access for guests and temporary users rather than eKeys where possible. If you do use eKeys, revoke them promptly after use and do not assume deletion removes access from the lock hardware immediately.
3. Revoke unused eKeys regularly — audit your active eKeys periodically and remove any that are no longer needed.
4. Use passcodes for guest access — time-limited passcodes rather than eKeys for Airbnb and short-stay guests eliminates the eKey persistence risk for that use case.
5. Ensure your home network is secured — a properly secured home network (strong WiFi password, up-to-date router firmware) is a basic prerequisite for gateway operation.
6. Disable the Tamper Alert toggle on all McGrath, Lockton, and Austyle locks. The hardware to support it is not present in these models. Enabling it causes phantom alerts. See why McGrath locks do not support Tamper Alert and the Tamper Alert leave-it-off guidance in our tips blog · FAQ: Tamper Alert going off constantly →.

For very high-security applications

If the protected area contains high-value assets, sensitive data, or requires compliance with security standards (government, financial, healthcare), TTLock may not be the right platform. Enterprise-grade access control solutions from Dormakaba, Salto, or SMARTair provide more rigorous audit, encryption, and update processes. See Chapter 10 — Commercial and Institutional Specialists for these alternatives.

By comparison, Carbine Connect's Bluetooth-only architecture means no event data ever transits any server — cloud or otherwise. An independent penetration test by SilentGrid (an Australian cybersecurity firm) confirmed the CEL2-BT platform as low-risk with one-time-use encryption keys eliminating replay attacks. For the full comparison, see Carbine Connect in Chapter 15 and our Carbine Connect platform guide.

TTLock Tips, Tricks and Hidden Features

The operational companion to this chapter — passcode gotchas, fingerprint technique, gateway troubleshooting, and hidden settings for Australian users.

Using TTLock for Airbnb in Australia

How gateways, PMS platforms, and passcode scheduling work together for short-stay rental automation. The practical setup guide.

TTLock vs Tuya — The Two Global Platforms

Why these two platforms dominate globally, how they differ, and what Australian buyers should know before choosing.

Airbnb Smart Locks: Do You Really Need WiFi?

The decision framework for choosing between TTLock's connected approach and Igloohome's offline algoPIN technology.

Chapter 08 — Smart Lock Gateway Comparison

Full specs and selection guide for the G2, G3, G4, and G5 gateways including band-steering diagnosis and placement rules.

Chapter 15 — Smart Lock App Platforms Guide

How TTLock, Igloohome, Yale Home and Carbine Connect compare across architecture, security, data sovereignty and use-case fit.

TTLock User Manual (PDF)

The complete official 56-page TTLock app manual covering every feature and setting. Also available as an app overview video or the McGrath Locks App how-to video for Australian context.

Chapter 07 — Smart Locks for Airbnb & Short-Stay

The full Airbnb platform decision guide — algoPIN vs gateway, Airbnb Connect, Igloohome vs TTLock comparison table.

Not sure which TTLock setup is right for your property?

Whether you need a single residential lock or a multi-property Airbnb system, our team can help you choose the right hardware and configuration before you commit.

Get a Recommendation (07) 5560 1867

Disclaimer: Platform features, third-party PMS integrations, and app functionality change over time with firmware and platform updates. CVE information reflects the CERT/CC advisory VU#949046 published March 2024. Verify current security status and capabilities with your supplier before purchasing. Security vulnerability disclosures should be checked against the most current CERT/CC advisories at kb.cert.org.

Terry's Gold Coast Smart Locks Ready to shop? Browse our full range — same team, same expert advice.

Shop All Locks → Get Expert Advice (07) 5560 1867