# GembaTicket > Non-custodial, NFT-powered event ticketing with a full organizer suite. Buyers pay with card, crypto, or PayPal and get a rotating-QR ticket instantly — no wallet required. Organizers ship events end-to-end: create, deploy on-chain, sell, scan at the door, and reconcile — all in one dashboard. Every ticket is an ERC-721 or ERC-1155 NFT on Ethereum-compatible chains. GembaTicket is operated by **GEMBA EOOD** (EIK 208656371), Varna, Bulgaria. The platform is split into four public surfaces: - **Storefront** (`gembaticket.com`) — browse events, buy tickets, view rotating-QR tickets, and optionally claim the NFT to a self-custodial wallet. - **Organizer dashboard** (`dashboard.gembaticket.com`) — create events, upload metadata to IPFS, deploy the on-chain contract, manage zones, provision scanner devices, and review per-event on-chain action history. - **Scanner PWA** (`scanner.gembaticket.com`) — installable app for door staff; validates rotating QRs against the API with offline-queue support (Dexie/IndexedDB). - **Platform admin** (`admin.gembaticket.com`) — internal operator tooling, master-key gated. Payments flow through **GembaPay** (sister product — card, crypto, PayPal). Event contracts are **EIP-1167 minimal-proxy clones** of UUPS-upgradeable templates (`EventContract721` / `EventContract1155`), audited with **Slither 0/0/0 + Mythril 0/0/0 + 220 functional assertions**. ## Core concepts - **Ghost wallets** — guests who buy without a wallet get a server-held wallet keyed to their email. They can migrate to self-custody later via "Claim NFT" — completely gasless. - **Two token standards** — organizers pick **ERC-721** (one NFT per ticket) or **ERC-1155** (typed/tiered supply; VIP/Standard/etc. as token IDs). - **EIP-712 claim signatures** — the platform signs `(contractAddress, typeId?, claimHash, walletAddress)`; the buyer's wallet submits `claimTicket(...)` on-chain. The platform never broadcasts the mint. - **SPA-triggered finalization** — after the buyer's tx confirms, the storefront `POST /api/claim/confirm { ticketId, txHash }` so the UI flips to "claimed" in seconds. The `eventListener` worker is the independent fallback. - **RPC resilience** — all Sepolia traffic flows through a 15-endpoint fallback pool; public nodes are tried first so keyed endpoints (Infura/Alchemy/QuickNode/Moralis) don't burn their quota. - **OTP-gated purchases** — guest purchases require a 6-digit email code to prevent typo'd or fake emails from burning inventory. - **OTP-gated logins** — password-based logins send a 6-digit code by default; users can disable per-account. - **SIWE** — wallet-only users sign in with Ethereum — no password, no OTP. - **Auto-refreshing QR** — ticket QRs rotate every 30 seconds so screenshots can't be reused at the door. - **Zones** — named, colored regions of an event (e.g. VIP / Standard / Backstage). Each zone has a numeric level shared between ticket types and scanner access rules. - **Scanner devices** — organizer-provisioned API keys (format `gtscan_<64 hex>`) that a door-scanner PWA exchanges for a short-lived JWT. Keys can be zone-scoped, have an optional expiry, and can be revealed again from the dashboard — revelations are audit-logged. - **AES-GCM key reveal** — scanner keys are stored both as a bcrypt hash (auth hot path) and as an AES-256-GCM ciphertext (reveal path), so organizers can re-copy a key later without rotating it. - **Paid on-chain actions** — supply increases, ticket-type toggles, sale toggles, etc. are all `gas + €5` via GembaPay. Reverted txs refund automatically. ## Pages - [Home](https://gembaticket.com/) — platform overview, featured events, how it works - [Events](https://gembaticket.com/events) — browse all upcoming events - [Event detail](https://gembaticket.com/events/:id) — event info, ticket types per zone, buy flow - [Ticket view](https://gembaticket.com/ticket/:id) — public ticket page with rotating QR and NFT claim - [Claim](https://gembaticket.com/claim/:ticketId) — one-click NFT claim to any EVM wallet - [My Tickets](https://gembaticket.com/my-tickets) — user dashboard (logged-in only) ## Surfaces (separate subdomains) - `dashboard.gembaticket.com` — organizer dashboard (auth-gated, not indexed) - `scanner.gembaticket.com` — door-scanner PWA (device-auth only, not indexed) - `admin.gembaticket.com` — platform admin (master-key gated, not indexed) - `api.gembaticket.com` — REST API - `listener.gembaticket.com` — blockchain event listener health - `ipfs.gembaticket.com` — IPFS gateway for event metadata ## Docs - [Architecture overview](https://github.com/ivanovslavy/gembaticket/blob/main/docs/ARCHITECTURE.md) - [API reference](https://github.com/ivanovslavy/gembaticket/blob/main/docs/API.md) - [Chain actions](https://github.com/ivanovslavy/gembaticket/blob/main/docs/CHAIN_ACTIONS.md) - [OTP flow](https://github.com/ivanovslavy/gembaticket/blob/main/docs/OTP_FLOW.md) - [Organizer dashboard](https://github.com/ivanovslavy/gembaticket/blob/main/docs/DASHBOARD.md) - [Frontend overview](https://github.com/ivanovslavy/gembaticket/blob/main/docs/FRONTEND.md) - [Backend overview](https://github.com/ivanovslavy/gembaticket/blob/main/docs/BACKEND.md) - [Scanner PWA](https://github.com/ivanovslavy/gembaticket/blob/main/docs/SCANNER.md) - [Platform admin](https://github.com/ivanovslavy/gembaticket/blob/main/docs/ADMIN_DASHBOARD.md) - [Deployment](https://github.com/ivanovslavy/gembaticket/blob/main/docs/DEPLOYMENT.md) - [Smart-contract audit](https://github.com/ivanovslavy/gembaticket/blob/main/blockchain/docs/audit_solidity.md) ## Chain Ethereum Sepolia today (chainId 11155111). ETH mainnet, Polygon, and Base are pre-wired in the RPC pool for rollout. ## Optional - [GitHub](https://github.com/ivanovslavy/gembaticket) — public docs + audits (source private; v3 on `main`, v2 audited contracts preserved on branch `v2-legacy`) - [README](https://github.com/ivanovslavy/gembaticket/blob/main/README.md) - Contact: hello@gembaticket.com