cloudflare · deadlypants1973 · Nov 21, 2025 · Nov 21, 2025 · Nov 21, 2025 · Nov 27, 2025
@@ -0,0 +1,107 @@
+---
+pcx_content_type: reference
+title: Device registration
+sidebar:
+  order: 3
+---
+
+import { TabItem, Tabs } from "~/components";
+
+A device registration is made when a user, approved by the Zero Trust organization, puts a device onto Cloudflare. A device registration status indicates the current state of a device registration, such as `Active`, `Revoked`, or `Deleted`.
+
+## Device registration
+
+A device registration represents the identity a device uses to connect through WARP. Each registration represents a specific combination of user and device. A user is an identity from your identity provider (IdP) that can consume a [seat](/cloudflare-one/team-and-resources/users/seat-management/).
+
+Cloudflare authenticates each device registration with a public key. A single device may have multiple device registrations, such as in a shared-device environment where multiple users share and use a single device. Each device registration's public key is unique to the device and user.
+
+:::tip[Check a device's registrations]
+
+Review how many device registrations are associated with a device by logging into [Cloudflare One](https://one.dash.cloudflare.com/) and going to **Teams & Resources** > **Devices** > select a device > **View details** > scroll down to **Users** and review users who enrolled on this device.
+
+:::
+
+The onboarding process for Cloudflare One starts with creating your [Zero Trust organization](/cloudflare-one/setup/#create-a-zero-trust-organization) and configuring an identity provider (IdP) or one-time pin for user authentication. After setting up the login method, administrators define [device enrollment permissions](/cloudflare-one/team-and-resources/devices/warp/deployment/device-enrollment/) to define which users should be able to connect devices to your organization.
+
+Whether the WARP client is installed manually by a user or deployed through an MDM solution, a device registration is created when the WARP client first authenticates.
+
+| Concept | Definition |
+|--------|------------|
+| User | An IdP-backed human identity that can connect new devices to your Zero Trust organization. |
+| Seat | definition needed |
+| [Service token](/cloudflare-one/access-controls/service-credentials/service-tokens/) | Used by automated systems (a non-human identity) to authenticate against your Cloudflare One policies. |
+| Device registration | A public key, associated to a user and device, used by WARP to connect to Cloudflare's network. |
+| [Session](/cloudflare-one/access-controls/access-settings/session-management/) | JSON Web Tokens (JWTs) that are generated when Access validates user identity against your Access policies and determines how long a user can access an Access application without re-authenticating. |
+
+## Device registration statuses
+
+Registrations can have the following statuses:
+
+| Status | Description |
+| --- | --- |
+| **Active** | Registered and able to connect via WARP. This is the expected operational state. |
+| **Revoked** | The registration's public key is invalidated, preventing the device from connecting. The device registration can be unrevoked manually or via WARP re-authentication. |
+| **Deleted** | The registration is permanently removed from the account and no longer appears in your device list. Deletion is permanent and requires re-registering the device. |
+
+:::caution[Revocation has no practical usefulness]
+
+The WARP clients automatically re-registers when it detects that a device registration has been revoked. As a result, the **Unrevoke** action has no practical effect and will be phased out in the near future.
+
+:::
+
+To check your device status:
+
+1. Log into [Cloudflare One](https://one.dash.cloudflare.com/).
+2. Go to **Teams & Resources** > **Devices**.
+3. Select the device and select **View details**.
+4. Scroll down to **Users** and find the user associated with the device.
+5. Review the status (such as `Active` or revoked) of the device registration under **Status**.
+
+## Revoke and unrevoke access
+
+Revoke access when you need to prevent a device from connecting (for example, if a work laptop is stolen) while still allowing the user to register a new device.
-Revoke access when you need to prevent a device from connecting (for example, if a work laptop is stolen) while still allowing the user to register a new device.
+Revoking a registration invalidates its public key, but if a user is able to re-authenticate with a successful login attempt,  the device will continue to connect. 
-Revoke access when you need to prevent a device from connecting (for example, if a work laptop is stolen) while still allowing the user to register a new device.
+Revoking a registration invalidates its public key, but if a user is able to re-authenticate with a successful login attempt,  the device will continue to connect. 
+
+- Revoking disallows the device from connecting to Cloudflare's network. The public key remains on the device during revocation.
+- Unrevoking reuses the same public key and re-authenticates the device to grant access again.
+
+TODO: add revoke and unrevoke instructions
+
+<Tabs>
+<TabItem label="Dashboard">
+
+1. In [Cloudflare One](https://one.dash.cloudflare.com/), go to **Teams & Resources** > **Devices**.
+2. Select the device and select **View details**.
+3. To revoke access, select **Revoke access**. This revokes access for all associated registrations on the device.
+4. To unrevoke access, scroll down to the **Users** section and select one or more users using the checkbox. Select **Actions** > **Unrevoke access**.
+
+</TabItem>
+<TabItem label="API">
+
+- [Revoke a device](/api/resources/zero_trust/subresources/devices/subresources/revoke/)
+- [Revoke a registration](/api/resources/zero_trust/subresources/devices/subresources/registrations/methods/revoke/)
+
+</TabItem>
+</Tabs>
+
+:::caution
+
+Device revocation does not change [seat usage](/cloudflare-one/team-and-resources/users/seat-management/). To stop a user from consuming a seat, [remove the user](/cloudflare-one/team-and-resources/users/seat-management/#remove-a-user) from your organization.
+
+:::
+
+## Delete a registration
+
+Deleting a registration permanently removes it from your account. If you delete a registration, you will need to re-register the device to connect to your organization.
+
+You can delete a registration by: TODO: add delete instructions
+
+- Using the Zero Trust dashboard.
+- Running `warp-cli registration delete` on the device.
+- Using the [API](/api/resources/zero_trust/subresources/devices/subresources/devices/methods/delete/).
+- Uninstalling the WARP client (may automatically delete the registration).
+
+:::caution
+
+Deleting a device registration does not change [seat usage](/cloudflare-one/team-and-resources/users/seat-management/). To stop a user from consuming a seat, you must [remove the user](/cloudflare-one/team-and-resources/users/seat-management/#remove-a-user) from your organization.
+
+:::