---
title: Device registration
description: Reference information for Device registration in Zero Trust.
image: https://developers.cloudflare.com/zt-preview.png
---

> Documentation Index  
> Fetch the complete documentation index at: https://developers.cloudflare.com/cloudflare-one/llms.txt  
> Use this file to discover all available pages before exploring further.

[Skip to content](#%5Ftop) 

### Tags

[ REST API ](https://developers.cloudflare.com/search/?tags=REST%20API) 

# Device registration

A device registration represents an individual session of the [Cloudflare One Client](https://developers.cloudflare.com/cloudflare-one/team-and-resources/devices/cloudflare-one-client/) on a physical device, linking a user (or service token) and the device to your [Zero Trust organization](https://developers.cloudflare.com/cloudflare-one/setup/#2-create-a-zero-trust-organization). It is created the first time the [Cloudflare One Client](https://developers.cloudflare.com/cloudflare-one/team-and-resources/devices/cloudflare-one-client/) authenticates on that device.

Each device registration includes a unique public key, [device profile](https://developers.cloudflare.com/cloudflare-one/team-and-resources/devices/cloudflare-one-client/configure/device-profiles/), and [virtual IP addresses](https://developers.cloudflare.com/cloudflare-one/team-and-resources/devices/cloudflare-one-client/configure/device-ips/) (one IPv4 and one IPv6) that identify the device on your network.

A single physical device can have [multiple device registrations](https://developers.cloudflare.com/cloudflare-one/team-and-resources/devices/cloudflare-one-client/deployment/mdm-deployment/windows-multiuser/), for example, if multiple users share a single laptop and each enrolls the Cloudflare One Client with their own credentials.

## Key concepts

| Concept                                                                                                               | Definition                                                                                                                                                                                                                                                                                                                                                                                                                     |
| --------------------------------------------------------------------------------------------------------------------- | ------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------ |
| [User](https://developers.cloudflare.com/cloudflare-one/team-and-resources/users/seat-management/#manage-users)       | A person whose identity is verified through your identity provider (IdP) and who can enroll devices in your Zero Trust organization.                                                                                                                                                                                                                                                                                           |
| [Seat](https://developers.cloudflare.com/cloudflare-one/team-and-resources/users/seat-management/)                    | A billable unit consumed when a user authenticates to your Zero Trust organization. Each user occupies one seat regardless of how many devices they enroll. Service tokens do not consume seats.                                                                                                                                                                                                                               |
| [Service token](https://developers.cloudflare.com/cloudflare-one/access-controls/service-credentials/service-tokens/) | Credentials used by automated systems to authenticate against your Cloudflare One policies.                                                                                                                                                                                                                                                                                                                                    |
| Device registration                                                                                                   | An individual session of the Cloudflare One Client on a physical device, with its own public key, [device profile](https://developers.cloudflare.com/cloudflare-one/team-and-resources/devices/cloudflare-one-client/configure/device-profiles/), and [virtual IP addresses](https://developers.cloudflare.com/cloudflare-one/team-and-resources/devices/cloudflare-one-client/configure/device-ips/) (one IPv4 and one IPv6). |
| [Session](https://developers.cloudflare.com/cloudflare-one/access-controls/access-settings/session-management/)       | A time-limited JSON Web Token (JWT) that controls how long a user can access an Access application before re-authenticating. Unlike sessions, a device registration is persistent — it does not expire and exists until you delete it.                                                                                                                                                                                         |

## Review device registration status

* [ Dashboard ](#tab-panel-5254)
* [ API ](#tab-panel-5255)

To review how many device registrations are associated with a device:

1. Log in to the [Cloudflare dashboard ↗](https://dash.cloudflare.com/) and go to **Zero Trust** \> **Teams & Resources** \> **Devices**.
2. Select a device and select **View details**.
3. Scroll down to **Users** and review users who enrolled on this device.

To review a device registration's status:

1. In the [Cloudflare dashboard ↗](https://dash.cloudflare.com/), go to **Zero Trust** \> **Teams & Resources** \> **Devices**.
2. Select the device and select **View details**.
3. Scroll down to **Users** and find the user associated with the device.
4. Review the status (such as `Active` or `Revoked`) of the device registration under **Status**.

To get a list of all device registrations, including active and revoked registrations:

List registrations

```

curl "https://api.cloudflare.com/client/v4/accounts/$ACCOUNT_ID/devices/registrations?status=all&per_page=50" \

  --request GET \

  --header "Authorization: Bearer $CLOUDFLARE_API_TOKEN"


```

```

{

    "created_at": "2026-01-26T19:27:49.770372Z",

    "device": {

      "client_version": "2025.10.186",

      "id": "11ffb86f-3f0c-4306-b4a2-e62f872b166a",

      "name": "My Device"

    },

    "id": "11ffb86f-3f0c-4306-b4a2-e62f872b166a",

    "key": "<U+QTP50RsWfeLGHF4tlGDnmGeuwtsz46KCHr5OyhWq00Rsdfl45mgnQAuEJ6CO0YrkyTl9FUf5iB0bwYR3g4EEFEHhtu6jFaqfMrBMBSz6itv9HQXkaR9OieKQ==",

    "key_type": "secp256r1",

    "last_seen_at": "2026-01-29T00:57:57.925979Z",

    "revoked_at": "2026-01-29T00:58:16.704026Z",

    "tunnel_type": "masque",

    "updated_at": "2026-01-29T00:58:16.704026Z",

    "user": {

      "email": "user@example.com",

      "id": "f174e90a-fafe-4643-bbbc-4a0ed4fc8415",

      "name": ""

    }

  },


```

A `revoked_at` timestamp indicates that the device registration has a [revoked status](#registration-status). If `revoked_at` is null or not present, it means the registration status is active.

A deleted device registration is permanently removed from the account and no longer appears in your device list. Deletion is permanent and requires re-registering the device.

Device registrations will automatically re-register

Deleting or revoking a device registration is not permanent without [removing user access](https://developers.cloudflare.com/cloudflare-one/team-and-resources/devices/device-registration/#remove-user-access) and [removing service token access](https://developers.cloudflare.com/cloudflare-one/team-and-resources/devices/device-registration/#remove-service-token-access).

If the user or service token can successfully re-authenticate, a new device registration will be automatically created following a deletion or revocation.

### Registration status

Registrations can have the following statuses:

| Status      | Description                                                                                                  |
| ----------- | ------------------------------------------------------------------------------------------------------------ |
| **Active**  | Registered and able to connect via the Cloudflare One Client. This is the expected operational state.        |
| **Revoked** | The registration's public key is invalidated. Revocation does not release the assigned virtual IP addresses. |

## Manage device registrations

The following table summarizes the actions available for managing device registrations and devices. For all actions, if the user or service token can still re-authenticate, a new registration will be created automatically. To permanently remove access, refer to [Device management](#device-management).

| Action                                                 | What it does                                                                                             | Virtual IPs released? | When to use                                                                                  |
| ------------------------------------------------------ | -------------------------------------------------------------------------------------------------------- | --------------------- | -------------------------------------------------------------------------------------------- |
| [Delete a registration](#delete-a-device-registration) | Permanently removes a single device registration and its configuration.                                  | Yes                   | You want to fully remove a user's enrollment from a device and free up the virtual IP.       |
| [Revoke a registration](#revoke-a-device-registration) | Invalidates the registration's public key, blocking it from connecting. The registration record remains. | No                    | You want to temporarily block a device from connecting but preserve the registration record. |
| [Delete a device](#delete-a-device)                    | Removes the physical device record and all its associated registrations.                                 | Yes                   | You want to fully remove a device and all associated registrations.                          |

### Delete a device registration

Devices can have multiple device registrations. Deleting one registration does not affect other registrations on the same device.

* [ Dashboard ](#tab-panel-5256)
* [ API ](#tab-panel-5257)

To delete a device registration:

1. In the [Cloudflare dashboard ↗](https://dash.cloudflare.com/), go to **Zero Trust** \> **Teams & Resources** \> **Devices**.
2. Select the device > **View details**.
3. Go to **Users** and mark the checkbox next to the device registration you want to delete.
4. Select **Action** \> _Delete access_.

To delete a single device registration using the [API](https://developers.cloudflare.com/api/resources/zero%5Ftrust/subresources/devices/subresources/registrations/methods/delete/):

Required API token permissions

At least one of the following [token permissions](https://developers.cloudflare.com/fundamentals/api/reference/permissions/)is required:
* `Zero Trust Write`

Delete registration

```

curl "https://api.cloudflare.com/client/v4/accounts/$ACCOUNT_ID/devices/registrations/$REGISTRATION_ID" \

  --request DELETE \

  --header "Authorization: Bearer $CLOUDFLARE_API_TOKEN"


```

To bulk delete multiple device registrations:

```

curl "https://api.cloudflare.com/client/v4/accounts/{account_id}/device/registrations/registrations?id=reg_id_1&id=reg_id_2&id=reg_id_3" \

  --request DELETE\

  --header "Authorization: Bearer $CLOUDFLARE_API_TOKEN"


```

The device registration is now permanently deleted, and its virtual IP address is released back into the available pool for reassignment.

Automatic device re-registration

If you delete a device registration, but the Cloudflare One Client remains installed and is successfully able to re-authenticate, a new device registration will be created for the user or service token. For long-term, permanent denial of access, you should [remove the user from your device enrollment policies or your IdP](https://developers.cloudflare.com/cloudflare-one/team-and-resources/devices/device-registration/#remove-user-access) or [remove service token access](https://developers.cloudflare.com/cloudflare-one/team-and-resources/devices/device-registration/#remove-service-token-access).

### Revoke a device registration

Revoking a device registration invalidates its associated public key, which disallows the specific device registration from connecting to Cloudflare's network. Revoking a device registration does not release the virtual IPs that are assigned to the registration. Because virtual IPs are a finite resource, Cloudflare strongly advises deleting a registration rather than revoking it.

Automatic unrevocation

If a user re-authenticates while the device registration is revoked, a new device registration will be created for the user. For long-term, permanent denial of access, you should [remove the user from your device enrollment policies or your IdP](https://developers.cloudflare.com/cloudflare-one/team-and-resources/devices/device-registration/#remove-user-access) and [remove service token access](https://developers.cloudflare.com/cloudflare-one/team-and-resources/devices/device-registration/#remove-service-token-access).

1. In the [Cloudflare dashboard ↗](https://dash.cloudflare.com/), go to **Zero Trust** \> **Teams & Resources** \> **Devices**.
2. Select the device and select **View details**.
3. To revoke access, select **Revoke access**. This revokes access for all associated registrations on the device.
4. To unrevoke access, scroll down to the **Users** section and select one or more users using the checkbox. Select **Actions** \> **Unrevoke access**.

### Delete a device

Deleting a device removes the physical device from your Cloudflare Zero Trust account. This action automatically deletes all associated device registrations.

Devices that have zero active registrations (because all registrations were deleted) are hidden by default in Cloudflare One > **Teams & Resources** \> **Devices** table. You may need to adjust the filter to view devices with zero device registrations.

Automatic device re-creation

If you delete a device record, but the Cloudflare One Client remains installed and a user or service token is successfully able to re-authenticate, a device record will be automatically created in your dashboard with a new device registration. For permanent deletion, you should [remove service token access](https://developers.cloudflare.com/cloudflare-one/team-and-resources/devices/device-registration/#remove-service-token-access).

To delete a device:

1. In Cloudflare One > **Teams & Resources** \> **Devices**.
2. Select the device and select **View details**.
3. Select **Delete**.

## Device management

Seat management (billing) and access management are separate processes. Deleting a device registration does not free up the user's seat or block them from accessing internal resources. To fully remove a user's access, you must take additional steps as described below.

### Remove user access

Deleting or revoking a registration will not be permanent if the user can re-authenticate. To prevent a user from re-authenticating and creating new device registrations, you must remove them from your [device enrollment policies](https://developers.cloudflare.com/cloudflare-one/team-and-resources/devices/cloudflare-one-client/deployment/device-enrollment/) or from your Identity Provider (IdP).

* If your device enrollment policies allow a broad domain (for example, `@company.com`), remove the user from your IdP. This prevents the user from authenticating through Access, effectively blocking them from enrolling devices.
* If your device enrollment policies list specific user emails (for example, `sally@company.com`), you must remove that specific email from your device enrollment policies. Additionally, you can add an explicit Exclude rule for that user to the policy.

After you have removed user access, to fully decommission a device, [remove service token access](https://developers.cloudflare.com/cloudflare-one/team-and-resources/devices/device-registration/#remove-service-token-access), if any exists. Devices with existing registrations will remain connected to Cloudflare until those specific device registrations are manually deleted.

### Remove service token access

If you delete a service token's device registration, a new device registration for the service token will be automatically created without user interaction. For device registration deletion to be permanent, you must update your device enrollment policies to remove the service token.

To block a service token from re-authenticating, you must either:

1. Delete the enrollment policy associated with the token, or modify the enrollment policy to no longer include the token (by removing its specific Include rule).
2. (Optional) [Delete the service token](https://developers.cloudflare.com/cloudflare-one/access-controls/service-credentials/service-tokens/).  
 You cannot use this service token to create new registrations.  
 You cannot delete a service token while it is attached to a device enrollment policy.
3. Delete the service token [device registration](https://developers.cloudflare.com/cloudflare-one/team-and-resources/devices/device-registration/#delete-a-device-registration).
4. (Optional) To fully decommission a device, [remove user access](https://developers.cloudflare.com/cloudflare-one/team-and-resources/devices/device-registration/#remove-user-access), if any exists. Devices with existing registrations will remain connected to Cloudflare until those specific device registrations are manually deleted.

Impact on existing registrations

If a single service token was used to enroll multiple devices, removing that token from your enrollment policies prevents all those devices from re-registering. Devices with existing registrations will remain connected to Cloudflare until those specific device registrations are manually deleted.

### Seat management (billing)

Deleting a device or a device registration does not affect [seat usage](https://developers.cloudflare.com/cloudflare-one/team-and-resources/users/seat-management/). Seats are tied to the user identity, not to individual devices.

To stop a user from consuming a seat, you must remove the user from your Zero Trust Organization.

Removing a user from your Zero Trust Organization will free up the seat the user consumed. The user will still appear in your list of users.

To remove a user from your Zero Trust Organization:

1. In the [Cloudflare dashboard ↗](https://dash.cloudflare.com/), go to **Zero Trust** \> **Team & Resources** \> **Users**.
2. Select the checkbox next to a user with an **Active** status in the **Seat usage** column.
3. Select **Action** \> **Remove users**.
4. Select **Remove**.

The user will now show as **Inactive** and will no longer occupy a seat. If a user is removed but authenticates later, they will consume a seat again. To prevent a user from authenticating, you must remove them from your [device enrollment policies](https://developers.cloudflare.com/cloudflare-one/team-and-resources/devices/cloudflare-one-client/deployment/device-enrollment/) or from your Identity Provider (IdP).

To automate the removal of users who have not logged in or triggered a device enrollment in a specific amount of time, turn on [seat expiration](https://developers.cloudflare.com/cloudflare-one/team-and-resources/users/seat-management/#enable-seat-expiration) or utilize [SCIM](https://developers.cloudflare.com/cloudflare-one/team-and-resources/users/scim/) to remove users when they are deactivated in your identity provider.

User record persistence

You cannot delete or archive a user record. You can [remove a user](#remove-a-user) from a seat, but their user record will remain in your Zero Trust Organization. Inactive users do not count towards billing.

```json
{"@context":"https://schema.org","@type":"BreadcrumbList","itemListElement":[{"@type":"ListItem","position":1,"item":{"@id":"/directory/","name":"Directory"}},{"@type":"ListItem","position":2,"item":{"@id":"/cloudflare-one/","name":"Cloudflare One"}},{"@type":"ListItem","position":3,"item":{"@id":"/cloudflare-one/team-and-resources/","name":"Team and resources"}},{"@type":"ListItem","position":4,"item":{"@id":"/cloudflare-one/team-and-resources/devices/","name":"Devices"}},{"@type":"ListItem","position":5,"item":{"@id":"/cloudflare-one/team-and-resources/devices/device-registration/","name":"Device registration"}}]}
```