Device registration
A device registration represents an individual session of the WARP client on a physical device, linking a user (or service token) and the device to your Zero Trust organization. A device registration is created when the WARP client first authenticates. Each device registration has associated configuration, which includes a unique public key, device profile, and virtual IP addresses (one IPv4 and one IPv6).
A single physical device can have multiple device registrations, for example, if multiple users share a single laptop and each enrolls the WARP client with their own credentials.
| Concept | Definition |
|---|---|
| User | An identity provider (IdP)-backed human identity that can connect new devices to your Zero Trust organization. |
| Seat | A unique, billable user within your Zero Trust organization who has performed an authentication event. Service tokens do not consume seats. |
| Service token | A token used by automated systems (a non-human identity) to authenticate against your Cloudflare One policies. |
| Device registration | An individual session of the WARP client on a physical device, with associated configuration including a unique public key, device profile, and virtual IP addresses (one IPv4 and one IPv6). |
| Session | JSON Web Tokens (JWTs) that are generated when Access validates user identity against your Access policies and determines how long a user can access an Access application without re-authenticating. Unlike these session-based tokens, device registration is a persistent state that does not expire and will exist until permanently deleted. |
To review how many device registrations are associated with a device:
- Log into Cloudflare One ↗ and go to Teams & Resources > Devices.
- Select a device and select View details.
- Scroll down to Users and review users who enrolled on this device.
To review a device registration's status:
- In Cloudflare One ↗, go to Teams & Resources > Devices.
- Select the device and select View details.
- Scroll down to Users and find the user associated with the device.
- Review the status (such as
ActiveorRevoked) of the device registration under Status.
Registrations can have the following statuses:
| Status | Description |
|---|---|
| Active | Registered and able to connect via WARP. This is the expected operational state. |
| Revoked | The registration's public key is invalidated. Revocation does not release the assigned virtual IP addresses. |
A deleted device registration is permanently removed from the account and no longer appears in your device list. Deletion is permanent and requires re-registering the device.
Devices can have multiple device registrations. Deleting one registration does not affect other registrations on the same device.
To delete a device registration:
- In Cloudflare One ↗, go to Teams & Resources > Devices.
- Select the device > View details.
- Go to Users and mark the checkbox next to the device registration you want to delete.
- Select Action > Delete access.
Revoking a device registration invalidates its associated public key, which disallows the specific device registration from connecting to Cloudflare's network. Revoking a device registration does not release the virtual IPs that are assigned to the registration. Because virtual IPs are a finite resource, Cloudflare strongly advises deleting a registration rather than revoking it.
- In Cloudflare One ↗, go to Teams & Resources > Devices.
- Select the device and select View details.
- To revoke access, select Revoke access. This revokes access for all associated registrations on the device.
- To unrevoke access, scroll down to the Users section and select one or more users using the checkbox. Select Actions > Unrevoke access.
Deleting a device removes the physical device from your Cloudflare Zero Trust account. This action automatically deletes all associated device registrations.
Devices that have zero active registrations (because all registrations were deleted) are hidden by default in Cloudflare One > Teams & Resources > Devices table. You may need to adjust the filter to view devices with zero device registrations.
To delete a device:
- In Cloudflare One > Teams & Resources > Devices.
- Select the device and select View details.
- Select Delete.
Seat management (billing) and access management are separate processes. Deleting a device registration does not remove seat usage nor access to internal company resources.
Deleting or revoking a registration will not be permanent if the user can re-authenticate. To prevent a user from re-authenticating and creating new device registrations, you must remove them from your device enrollment policies or from your Identity Provider (IdP).
- If your device enrollment policies allow a broad domain (for example,
@company.com), remove the user from your IdP. This prevents the user from authenticating through Access, effectively blocking them from enrolling devices. - If your device enrollment policies list specific user emails (for example,
sally@company.com), you must remove that specific email from your device enrollment policies. Additionally, you can add an explicit Exclude rule for that user to the policy.
After you have removed user access, to fully decommission a device, remove service token access, if any exists. Devices with existing registrations will remain connected to Cloudflare until those specific device registrations are manually deleted.
If you delete a service token's device registration, a new device registration for the service token will be automatically created without user interaction. For device registration deletion to be permanent, you must update your device enrollment policies to remove the service token.
To block a service token from re-authenticating, you must either:
- Delete the enrollment policy associated with the token, or modify the enrollment policy to no longer include the token (by removing its specific Include rule).
- (Optional) Delete the service token.
You cannot use this service token to create new registrations.
You cannot delete a service token while it is attached to a device enrollment policy. - Delete the service token device registration.
- (Optional) To fully decommission a device, remove user access, if any exists. Devices with existing registrations will remain connected to Cloudflare until those specific device registrations are manually deleted.
Deleting a device or a device registration does not affect seat usage. Seats are tied to the user identity, not to individual devices.
To stop a user from consuming a seat, you must remove the user from your Zero Trust Organization.
Removing a user from your Zero Trust Organization will free up the seat the user consumed. The user will still appear in your list of users.
To remove a user from your Zero Trust Organization:
- In Cloudflare One ↗, go to Team & Resources > Users.
- Select the checkbox next to a user with an Active status in the Seat usage column.
- Select Action > Remove users.
- Select Remove.
The user will now show as Inactive and will no longer occupy a seat. If a user is removed but authenticates later, they will consume a seat again. To prevent a user from authenticating, you must remove them from your device enrollment policies or from your Identity Provider (IdP).
To automate the removal of users who have not logged in or triggered a device enrollment in a specific amount of time, turn on seat expiration or utilize SCIM to remove users when they are deactivated in your identity provider.
Was this helpful?
- Resources
- API
- New to Cloudflare?
- Directory
- Sponsorships
- Open Source
- Support
- Help Center
- System Status
- Compliance
- GDPR
- Company
- cloudflare.com
- Our team
- Careers
- © 2026 Cloudflare, Inc.
- Privacy Policy
- Terms of Use
- Report Security Issues
- Trademark
-
