MeshanicsDocs
Core concepts

Device identity

Every device has a cryptographic identity it can prove, and that identity is the basis for everything the device is allowed to do.

A key that never leaves the device

When a device is enrolled, it generates its own private key locally and builds a certificate signing request from the matching public key. The platform signs a certificate for that public key and returns it. The private key never travels — not during enrollment, not afterward. The platform never holds the secret half of a device's identity.

On hardware that supports it, that key can be sealed in a secure element or TPM so it cannot be extracted even with physical access. Where such hardware is absent, the key is held in software with the same protocol around it.
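The exchange described above, as an added example in Go (not Meshanics code): the device generates its key and hands over only a CSR, the platform checks the CSR's proof of possession and issues a certificate binding the public key to the identity the enrollment record authorises, and the result is checked two ways: the certificate is signed by the platform CA, and its public key is the one the device generated. The `device://<fleet>/<name>` URI SAN, the function names and the 24-hour validity are assumptions made for the example; the page does not describe the real identifier format or lifetimes.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"math/big"
	"net/url"
	"time"
)

// sign issues a certificate from tmpl for pub, signed with priv; parent == tmpl gives a self-signed one.
func sign(tmpl, parent *x509.Certificate, pub any, priv *ecdsa.PrivateKey) (*x509.Certificate, error) {
	der, err := x509.CreateCertificate(rand.Reader, tmpl, parent, pub, priv)
	if err != nil {
		return nil, err
	}
	return x509.ParseCertificate(der)
}

// NewPlatformCA is the platform's signing side; its key only ever signs over device public keys.
func NewPlatformCA() (*x509.Certificate, *ecdsa.PrivateKey, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, nil, err
	}
	tmpl := &x509.Certificate{
		SerialNumber:          big.NewInt(1),
		Subject:               pkix.Name{CommonName: "Example Device CA"},
		NotBefore:             time.Now().Add(-time.Minute),
		NotAfter:              time.Now().Add(24 * time.Hour),
		IsCA:                  true,
		BasicConstraintsValid: true,
		KeyUsage:              x509.KeyUsageCertSign,
	}
	cert, err := sign(tmpl, tmpl, &key.PublicKey, key)
	return cert, key, err
}

// DeviceKeygen runs on the device: the private key is created here and stays here. Only the
// DER CSR (public key plus a proof-of-possession signature) leaves; its subject is a device claim.
func DeviceKeygen() (*ecdsa.PrivateKey, []byte, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, nil, err
	}
	tmpl := &x509.CertificateRequest{Subject: pkix.Name{CommonName: "whatever-the-device-claims"}}
	csrDER, err := x509.CreateCertificateRequest(rand.Reader, tmpl, key)
	return key, csrDER, err
}

// Issue runs on the platform: check the CSR's proof of possession, then bind the identity the
// enrollment record authorised (fleet, name) to the CSR's public key. The CSR subject is ignored.
// The "device://<fleet>/<name>" URI SAN is an assumed encoding, not the platform's documented format.
func Issue(caCert *x509.Certificate, caKey *ecdsa.PrivateKey, csrDER []byte, fleet, name string) (*x509.Certificate, error) {
	csr, err := x509.ParseCertificateRequest(csrDER)
	if err != nil {
		return nil, err
	}
	if err := csr.CheckSignature(); err != nil { // proof of possession of the private key
		return nil, err
	}
	serial, err := rand.Int(rand.Reader, new(big.Int).Lsh(big.NewInt(1), 127))
	if err != nil {
		return nil, err
	}
	tmpl := &x509.Certificate{
		SerialNumber: serial,
		Subject:      pkix.Name{CommonName: name},
		URIs:         []*url.URL{{Scheme: "device", Host: fleet, Path: "/" + name}},
		NotBefore:    time.Now().Add(-time.Minute),
		NotAfter:     time.Now().Add(24 * time.Hour),
		ExtKeyUsage:  []x509.ExtKeyUsage{x509.ExtKeyUsageClientAuth},
	}
	return sign(tmpl, caCert, csr.PublicKey, caKey)
}

// Enroll runs the exchange end to end and returns the identity the certificate carries
// (the platform's, not the CSR subject) and whether its public key is the device's own.
func Enroll(fleet, name string) (identity string, keyMatches bool, err error) {
	caCert, caKey, err := NewPlatformCA()
	if err != nil {
		return "", false, err
	}
	devKey, csrDER, err := DeviceKeygen()
	if err != nil {
		return "", false, err
	}
	cert, err := Issue(caCert, caKey, csrDER, fleet, name)
	if err != nil {
		return "", false, err
	}
	if err := cert.CheckSignatureFrom(caCert); err != nil { // really signed by the platform CA
		return "", false, err
	}
	return cert.URIs[0].String(), devKey.PublicKey.Equal(cert.PublicKey), nil
}
```

Nothing in `Issue` can reach the device's private key: it sees `csrDER`, which contains the public key and a signature made with the private key, and `csr.CheckSignature()` is the only use the platform ever has for it. Where a secure element or TPM is available, `DeviceKeygen` is the one step that changes: the key is created inside the element and `x509.CreateCertificateRequest` is handed a `crypto.Signer` backed by it, so the protocol around it stays the same.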

Identity comes from the certificate, not the request

The device's name and the fleet it belongs to are encoded in its certificate as a structured identifier. Whenever a device connects, the platform reads its identity from the verified certificate presented during the mutual-TLS handshake — never from a field in the request body. A device therefore cannot impersonate another by asking nicely; it can only ever act as the identity its certificate carries.
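An added Go example of the rule above; it is illustrative code, not the platform's own. The server requires and verifies a client certificate in the TLS configuration, and the handler takes fleet and name from the leaf of the verified chain only, so a self-asserted `X-Device-Id` header can at most be logged as an anomaly. The `device://<fleet>/<name>` URI SAN, the header name and the function names are assumptions for the example; `Simulate` fabricates the post-handshake state with a constructed, unsigned certificate so the logic runs offline.

```go
package main

import (
	"crypto/tls"
	"crypto/x509"
	"errors"
	"fmt"
	"net/http"
	"net/url"
	"strings"
)

// Identity is a device's fleet and name as the platform understands them.
type Identity struct{ Fleet, Name string }

// ServerTLSConfig is the server half of mutual TLS: a client that cannot present a
// certificate chaining to the platform CA is dropped in the handshake, before any
// request is read. Only with RequireAndVerifyClientCert is r.TLS.VerifiedChains set.
func ServerTLSConfig(deviceCAs *x509.CertPool) *tls.Config {
	return &tls.Config{
		MinVersion: tls.VersionTLS12,
		ClientAuth: tls.RequireAndVerifyClientCert,
		ClientCAs:  deviceCAs,
	}
}

// parseIdentity decodes the structured identifier. The "device://<fleet>/<name>"
// URI SAN is an assumed encoding, not the platform's documented format.
func parseIdentity(u *url.URL) (Identity, error) {
	parts := strings.Split(u.Path, "/")
	if u.Scheme != "device" || u.Host == "" || len(parts) != 2 || parts[1] == "" {
		return Identity{}, fmt.Errorf("malformed identity %q", u.String())
	}
	return Identity{Fleet: u.Host, Name: parts[1]}, nil
}

// IdentityFromRequest reads the identity from the leaf of the chain the TLS handshake
// verified. Headers, query and body are never consulted, so "X-Device-Id: fleet-b/admin"
// in the request changes nothing.
func IdentityFromRequest(r *http.Request) (Identity, error) {
	if r.TLS == nil || len(r.TLS.VerifiedChains) == 0 || len(r.TLS.VerifiedChains[0]) == 0 {
		return Identity{}, errors.New("no verified client certificate")
	}
	leaf := r.TLS.VerifiedChains[0][0]
	if len(leaf.URIs) != 1 {
		return Identity{}, errors.New("certificate must carry exactly one identity URI")
	}
	return parseIdentity(leaf.URIs[0])
}

// Handler is the consuming side: authorisation keys off the certificate identity, and
// a self-asserted header is only worth logging when it disagrees with it.
func Handler(w http.ResponseWriter, r *http.Request) {
	id, err := IdentityFromRequest(r)
	if err != nil {
		http.Error(w, "unauthenticated", http.StatusUnauthorized)
		return
	}
	if claimed := r.Header.Get("X-Device-Id"); claimed != "" && claimed != id.Fleet+"/"+id.Name {
		fmt.Printf("identity mismatch: cert=%s/%s header=%s\n", id.Fleet, id.Name, claimed)
	}
	fmt.Fprintf(w, "hello %s from fleet %s\n", id.Name, id.Fleet)
}

// requestWithChain builds the state a handler sees after a successful mutual-TLS
// handshake; leaf == nil stands for a connection with no client certificate.
func requestWithChain(leaf *x509.Certificate, claimedHeader string) *http.Request {
	r, _ := http.NewRequest(http.MethodPost, "/heartbeat", nil)
	r.Header.Set("X-Device-Id", claimedHeader)
	if leaf != nil {
		r.TLS = &tls.ConnectionState{
			PeerCertificates: []*x509.Certificate{leaf},
			VerifiedChains:   [][]*x509.Certificate{{leaf}},
		}
	}
	return r
}

// Simulate resolves the identity of a request whose verified leaf carries rawURI
// (a constructed certificate, not a signed one) while the header claims "claimed".
// An empty rawURI stands for a request with no client certificate at all.
func Simulate(rawURI, claimed string) (Identity, error) {
	if rawURI == "" {
		return IdentityFromRequest(requestWithChain(nil, claimed))
	}
	u, err := url.Parse(rawURI)
	if err != nil {
		return Identity{}, err
	}
	leaf := &x509.Certificate{URIs: []*url.URL{u}}
	return IdentityFromRequest(requestWithChain(leaf, claimed))
}
```

`VerifiedChains` rather than `PeerCertificates` is deliberate: the former is what the TLS stack accepted against `ClientCAs`, the latter is whatever the peer sent. The mismatch log line is the detection hook: a device presenting a valid certificate while asserting a different identity in the request is worth an alert even though it gains nothing.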

Enrollment without hand-carrying keys

Onboarding is one command. An operator mints a short-lived enrollment token, bounded by an expiry and a use budget and revocable at any time. The device's installer presents that token once, proves possession of its freshly generated key, and receives back its signed certificate, the trust anchor it needs, and its configuration. No key material is hand-copied between machines.
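The token side of that flow, as an added Go example rather than the platform's implementation: an operator mints a token bounded by an expiry and a use budget, the installer redeems it once, and the operator can revoke it at any time. The store keeps only a SHA-256 of each token and checks revocation, expiry and budget under one lock, so a copy of the store yields no usable tokens and two installers racing on a single-use token cannot both succeed. Type and function names are assumptions made for the example.

```go
package main

import (
	"crypto/rand"
	"crypto/sha256"
	"encoding/base64"
	"encoding/hex"
	"errors"
	"sync"
	"time"
)

var (
	ErrUnknownToken = errors.New("enrollment token unknown")
	ErrTokenRevoked = errors.New("enrollment token revoked")
	ErrTokenExpired = errors.New("enrollment token expired")
	ErrTokenSpent   = errors.New("enrollment token use budget exhausted")
)

// tokenRecord is the platform-side state behind one token. The device only ever
// holds the opaque token string; the record never leaves the platform.
type tokenRecord struct {
	fleet    string
	expires  time.Time
	usesLeft int
	revoked  bool
}

// TokenStore holds enrollment tokens keyed by the SHA-256 of the token, so a copy
// of the store does not yield usable tokens.
type TokenStore struct {
	mu      sync.Mutex
	records map[string]*tokenRecord
}

func NewTokenStore() *TokenStore { return &TokenStore{records: map[string]*tokenRecord{}} }

func keyFor(tok string) string {
	sum := sha256.Sum256([]byte(tok))
	return hex.EncodeToString(sum[:])
}

// Mint creates a token for joining fleet, valid for ttl from now and for at most
// uses redemptions. The token is 256 bits of randomness, base64url-encoded.
func (s *TokenStore) Mint(fleet string, ttl time.Duration, uses int, now time.Time) (string, error) {
	raw := make([]byte, 32)
	if _, err := rand.Read(raw); err != nil {
		return "", err
	}
	tok := base64.RawURLEncoding.EncodeToString(raw)
	s.mu.Lock()
	defer s.mu.Unlock()
	s.records[keyFor(tok)] = &tokenRecord{fleet: fleet, expires: now.Add(ttl), usesLeft: uses}
	return tok, nil
}

// Revoke invalidates a token immediately. The record is kept so a later attempt is
// reported as revoked rather than unknown.
func (s *TokenStore) Revoke(tok string) {
	s.mu.Lock()
	defer s.mu.Unlock()
	if rec, ok := s.records[keyFor(tok)]; ok {
		rec.revoked = true
	}
}

// Redeem is called once per enrolling device. Revocation, expiry and budget are
// checked and the budget decremented under one lock, so two installers racing on a
// single-use token cannot both succeed. On success it returns the fleet to enroll into.
func (s *TokenStore) Redeem(tok string, now time.Time) (string, error) {
	s.mu.Lock()
	defer s.mu.Unlock()
	rec, ok := s.records[keyFor(tok)]
	switch {
	case !ok:
		return "", ErrUnknownToken
	case rec.revoked:
		return "", ErrTokenRevoked
	case !now.Before(rec.expires):
		return "", ErrTokenExpired
	case rec.usesLeft <= 0:
		return "", ErrTokenSpent
	}
	rec.usesLeft--
	return rec.fleet, nil
}
```

The fleet returned by `Redeem` is what the issuing step binds into the certificate: the token authorises membership, the CSR supplies the public key, and neither the token nor the CSR carries private key material.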

Lifecycle

A device that is retired is decommissioned, not merely deleted: the platform refuses its identity going forward, and the device wipes its own key material when it learns it has been offboarded. The record of its time in the fleet remains in the audit trail.
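The distinction between decommissioning and deleting, as an added Go example (not Meshanics code): the registry never removes a record, it changes its status and appends to an audit trail, and the admission gate that runs after the TLS handshake refuses a decommissioned identity even though its certificate still verifies. `WipeKey` is the device's side of offboarding. Names and the audit event strings are assumptions made for the example.

```go
package main

import (
	"errors"
	"time"
)

// Status is a device record's lifecycle state. There is no "deleted": a retired
// device is marked, not removed.
type Status string

const (
	Active         Status = "active"
	Decommissioned Status = "decommissioned"
)

type DeviceRecord struct {
	Fleet, Name string
	Status      Status
	Enrolled    time.Time
	Retired     time.Time // zero while active
}

type AuditEvent struct {
	At     time.Time
	Device string
	Event  string
}

// Registry is the platform's record of fleet membership plus its audit trail.
type Registry struct {
	devices map[string]*DeviceRecord
	Audit   []AuditEvent
}

var ErrRefused = errors.New("identity refused")

func NewRegistry() *Registry { return &Registry{devices: map[string]*DeviceRecord{}} }

func deviceKey(fleet, name string) string { return fleet + "/" + name }

func (r *Registry) log(now time.Time, fleet, name, event string) {
	r.Audit = append(r.Audit, AuditEvent{At: now, Device: deviceKey(fleet, name), Event: event})
}

func (r *Registry) Enroll(fleet, name string, now time.Time) {
	r.devices[deviceKey(fleet, name)] = &DeviceRecord{Fleet: fleet, Name: name, Status: Active, Enrolled: now}
	r.log(now, fleet, name, "enrolled")
}

// Lookup returns the record whether the device is active or retired.
func (r *Registry) Lookup(fleet, name string) (*DeviceRecord, bool) {
	rec, ok := r.devices[deviceKey(fleet, name)]
	return rec, ok
}

// Decommission retires a device. The record stays, so the identity is refused from
// now on and the device's history remains queryable. Calling it twice is harmless.
func (r *Registry) Decommission(fleet, name string, now time.Time) error {
	rec, ok := r.devices[deviceKey(fleet, name)]
	if !ok {
		return errors.New("unknown device")
	}
	if rec.Status == Decommissioned {
		return nil
	}
	rec.Status, rec.Retired = Decommissioned, now
	r.log(now, fleet, name, "decommissioned")
	return nil
}

// Admit is the gate after the TLS handshake has already proven the identity: a
// certificate the CA signed is still refused once the record is no longer active,
// and every refusal is recorded.
func (r *Registry) Admit(fleet, name string, now time.Time) error {
	rec, ok := r.devices[deviceKey(fleet, name)]
	switch {
	case !ok:
		r.log(now, fleet, name, "refused: unknown")
		return ErrRefused
	case rec.Status != Active:
		r.log(now, fleet, name, "refused: "+string(rec.Status))
		return ErrRefused
	}
	return nil
}

// WipeKey is the device's side of offboarding: overwrite the key material before
// dropping it. With a secure element the element would be asked to destroy the key
// instead, since software zeroisation cannot reach copies the runtime may have made.
func WipeKey(key []byte) {
	for i := range key {
		key[i] = 0
	}
}
```

The refusal in `Admit` is what makes decommissioning effective before the certificate expires: the identity is still cryptographically valid, so the platform's own record, not the certificate's validity period, has to be the thing that says no.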

See it for yourself

The Trust Center shows the certificate authority that signs device identities — its fingerprint, validity and chain — read live from the running system.
