Device trust & revoke

Every device that connects to your app is tracked. Users can review the devices on their account and revoke any they no longer trust (a lost phone, an old laptop). You can also force-revoke any device from the dashboard. A revoked device is cut off immediately and permanently.

Trust model

Any device that completes a connection is implicitly trusted; there is no separate pairing or attestation step. The unit of trust is the device, identified by its deviceId. Revocation is permanent for that deviceId, but the user can always register the device again, which produces a fresh identity.

Listing & revoking devices

// List the signed-in user's devices
const devices = await client.listMyDevices();

// Revoke one of them (e.g. a lost phone)
await client.revokeMyDevice('old-phone-device-id');

Handling revocation of the current device

When the device your app is running on gets revoked (by the user from another device, or by you from the dashboard), the SDK stops reconnecting and emits a DEVICE_REVOKED event. Listen for it, clear local key storage, and route the user to a re-registration screen.

client.onEvent(e => {
  if (e.type === 'DEVICE_REVOKED') {
    // This device is no longer trusted. Clear local keys
    // and send the user back to a sign-in / re-register screen.
  }
});
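
One way to fill in the handler above, as an added example rather than code from the SDK: only client.onEvent and the DEVICE_REVOKED event type come from this page, while keyStore, navigate, the /re-register route and the fake client are hypothetical stand-ins. It keeps wiping keys when one deletion fails and ignores duplicate events.

```javascript
// Added example. Only client.onEvent and 'DEVICE_REVOKED' come from the page;
// keyStore, navigate and the route name are hypothetical.

// Delete every locally stored key. Keep going if one deletion fails so a
// single bad entry cannot leave the rest of the key material behind.
function wipeLocalKeys(keyStore) {
  const failed = [];
  for (const name of [...keyStore.keys()]) {
    try {
      keyStore.delete(name);
    } catch (err) {
      failed.push(name); // report it so the app can retry or alert
    }
  }
  return failed;
}

function installRevocationHandler(client, { keyStore, navigate }) {
  const state = { revoked: false, failedWipes: [] };
  client.onEvent((e) => {
    // Ignore unrelated events and repeated revocation events.
    if (e.type !== 'DEVICE_REVOKED' || state.revoked) return;
    state.revoked = true;
    state.failedWipes = wipeLocalKeys(keyStore);
    navigate('/re-register'); // hypothetical route
  });
  return state;
}

// Constructed stand-in for the SDK client so the example runs offline.
function makeFakeClient() {
  const listeners = [];
  return {
    onEvent: (fn) => listeners.push(fn),
    emit: (e) => listeners.forEach((fn) => fn(e)),
  };
}

function demo() {
  const client = makeFakeClient();
  // Constructed sample key material.
  const keyStore = new Map([['identityKey', 'k1'], ['sessionKey', 'k2']]);
  const visited = [];
  const navigate = (route) => visited.push(route);
  const state = installRevocationHandler(client, { keyStore, navigate });
  client.emit({ type: 'MESSAGE' }); // constructed unrelated event type
  const keysBefore = keyStore.size;
  client.emit({ type: 'DEVICE_REVOKED' });
  client.emit({ type: 'DEVICE_REVOKED' }); // duplicate, handled once
  return { keysBefore, keysAfter: keyStore.size, visited, state };
}
```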

Dashboard control

The Devices page in the dashboard lists every device that has connected to your app, with its platform, SDK version, and last-seen time. Use it to audit access and force-revoke a device on a user's behalf, for example when handling a support request about a lost device.

Compatibility

Requires SDK 0.10.0+ on JavaScript, Android, and iOS. There is no protocol version change: the surface is REST plus an additive event type, so older SDKs keep working (they just don't expose the device methods).