I’ve actually built and designed a few of these systems (one for multifamily apartments, one for hotels). The basic approach I used in both was a small amount of onboard memory on the lock.

There are a number of “passes” defined (maintenance/cleaning, floor-level, admin, tenant/guest, etc). Some locks are connected over WiFi or zwave/ZigBee, or even through a cable running through the door frame + hinge. Upon scanning a card, the lock either checks the onboard memory or asks the server for validity. There are tradeoffs to both, but I will leave those out.

When the front desk issues a pass, they can also deactivate old passes, duplicate cards, etc. Then the connected lock receives the update and begins to reject the old card. This is the same mechanism used to extend a stay or check out early.

Some off the shelf systems utilize a programming “gun” with an authorization key. That key gets scanned at the door and then the gun updates the onboard memory. This is low sophistication but also works for disconnected systems or after power outages.

EDIT: proof. https://imgur.com/a/JF7sivR