Device registration
A device registration represents an individual session of the Cloudflare One Client on a physical device, linking a user (or service token) and the device to your Zero Trust organization. It is created the first time the Cloudflare One Client authenticates on that device.
Each device registration includes a unique public key, device profile, and virtual IP addresses (one IPv4 and one IPv6) that identify the device on your network.
A single physical device can have multiple device registrations, for example, if multiple users share a single laptop and each enrolls the Cloudflare One Client with their own credentials.
| Concept | Definition |
|---|---|
| User | A person whose identity is verified through your identity provider (IdP) and who can enroll devices in your Zero Trust organization. |
| Seat | A billable unit consumed when a user authenticates to your Zero Trust organization. Each user occupies one seat regardless of how many devices they enroll. Service tokens do not consume seats. |
| Service token | Credentials used by automated systems to authenticate against your Cloudflare One policies. |
| Device registration | An individual session of the Cloudflare One Client on a physical device, with its own public key, device profile, and virtual IP addresses (one IPv4 and one IPv6). |
| Session | A time-limited JSON Web Token (JWT) that controls how long a user can access an Access application before re-authenticating. Unlike sessions, a device registration is persistent — it does not expire and exists until you delete it. |
To review how many device registrations are associated with a device:
- Log into Cloudflare One ↗ and go to Teams & Resources > Devices.
- Select a device and select View details.
- Scroll down to Users and review users who enrolled on this device.
To review a device registration's status:
- In Cloudflare One ↗, go to Teams & Resources > Devices.
- Select the device and select View details.
- Scroll down to Users and find the user associated with the device.
- Review the status (such as
ActiveorRevoked) of the device registration under Status.
To get a list of all device registrations, including active and revoked registrations:
curl "https://api.cloudflare.com/client/v4/accounts/$ACCOUNT_ID/devices/registrations?status=all&per_page=50" \ --request GET \ --header "Authorization: Bearer $CLOUDFLARE_API_TOKEN"{ "created_at": "2026-01-26T19:27:49.770372Z", "device": { "client_version": "2025.10.186", "id": "11ffb86f-3f0c-4306-b4a2-e62f872b166a", "name": "My Device" }, "id": "11ffb86f-3f0c-4306-b4a2-e62f872b166a", "key": "<U+QTP50RsWfeLGHF4tlGDnmGeuwtsz46KCHr5OyhWq00Rsdfl45mgnQAuEJ6CO0YrkyTl9FUf5iB0bwYR3g4EEFEHhtu6jFaqfMrBMBSz6itv9HQXkaR9OieKQ==", "key_type": "secp256r1", "last_seen_at": "2026-01-29T00:57:57.925979Z", "revoked_at": "2026-01-29T00:58:16.704026Z", "tunnel_type": "masque", "updated_at": "2026-01-29T00:58:16.704026Z", "user": { "email": "user@example.com", "id": "f174e90a-fafe-4643-bbbc-4a0ed4fc8415", "name": "" } },A revoked_at timestamp indicates that the device registration has a revoked status. If revoked_at is null or not present, it means the registration status is active.
A deleted device registration is permanently removed from the account and no longer appears in your device list. Deletion is permanent and requires re-registering the device.
Registrations can have the following statuses:
| Status | Description |
|---|---|
| Active | Registered and able to connect via the Cloudflare One Client. This is the expected operational state. |
| Revoked | The registration's public key is invalidated. Revocation does not release the assigned virtual IP addresses. |
The following table summarizes the actions available for managing device registrations and devices. For all actions, if the user or service token can still re-authenticate, a new registration will be created automatically. To permanently remove access, refer to Device management.
| Action | What it does | Virtual IPs released? | When to use |
|---|---|---|---|
| Delete a registration | Permanently removes a single device registration and its configuration. | Yes | You want to fully remove a user's enrollment from a device and free up the virtual IP. |
| Revoke a registration | Invalidates the registration's public key, blocking it from connecting. The registration record remains. | No | You want to temporarily block a device from connecting but preserve the registration record. |
| Delete a device | Removes the physical device record and all its associated registrations. | Yes | You want to fully remove a device and all associated registrations. |
Devices can have multiple device registrations. Deleting one registration does not affect other registrations on the same device.
To delete a device registration:
- In Cloudflare One ↗, go to Teams & Resources > Devices.
- Select the device > View details.
- Go to Users and mark the checkbox next to the device registration you want to delete.
- Select Action > Delete access.
To delete a single device registration using the API:
Required API token permissions
At least one of the following token permissions
is required:
Zero Trust Write
curl "https://api.cloudflare.com/client/v4/accounts/$ACCOUNT_ID/devices/registrations/$REGISTRATION_ID" \ --request DELETE \ --header "Authorization: Bearer $CLOUDFLARE_API_TOKEN"To bulk delete multiple device registrations:
curl "https://api.cloudflare.com/client/v4/accounts/{account_id}/device/registrations/registrations?id=reg_id_1&id=reg_id_2&id=reg_id_3" \ --request DELETE\ --header "Authorization: Bearer $CLOUDFLARE_API_TOKEN"The device registration is now permanently deleted, and its virtual IP address is released back into the available pool for reassignment.
Revoking a device registration invalidates its associated public key, which disallows the specific device registration from connecting to Cloudflare's network. Revoking a device registration does not release the virtual IPs that are assigned to the registration. Because virtual IPs are a finite resource, Cloudflare strongly advises deleting a registration rather than revoking it.
- In Cloudflare One ↗, go to Teams & Resources > Devices.
- Select the device and select View details.
- To revoke access, select Revoke access. This revokes access for all associated registrations on the device.
- To unrevoke access, scroll down to the Users section and select one or more users using the checkbox. Select Actions > Unrevoke access.
Deleting a device removes the physical device from your Cloudflare Zero Trust account. This action automatically deletes all associated device registrations.
Devices that have zero active registrations (because all registrations were deleted) are hidden by default in Cloudflare One > Teams & Resources > Devices table. You may need to adjust the filter to view devices with zero device registrations.
To delete a device:
- In Cloudflare One > Teams & Resources > Devices.
- Select the device and select View details.
- Select Delete.
Seat management (billing) and access management are separate processes. Deleting a device registration does not free up the user's seat or block them from accessing internal resources. To fully remove a user's access, you must take additional steps as described below.
Deleting or revoking a registration will not be permanent if the user can re-authenticate. To prevent a user from re-authenticating and creating new device registrations, you must remove them from your device enrollment policies or from your Identity Provider (IdP).
- If your device enrollment policies allow a broad domain (for example,
@company.com), remove the user from your IdP. This prevents the user from authenticating through Access, effectively blocking them from enrolling devices. - If your device enrollment policies list specific user emails (for example,
sally@company.com), you must remove that specific email from your device enrollment policies. Additionally, you can add an explicit Exclude rule for that user to the policy.
After you have removed user access, to fully decommission a device, remove service token access, if any exists. Devices with existing registrations will remain connected to Cloudflare until those specific device registrations are manually deleted.
If you delete a service token's device registration, a new device registration for the service token will be automatically created without user interaction. For device registration deletion to be permanent, you must update your device enrollment policies to remove the service token.
To block a service token from re-authenticating, you must either:
- Delete the enrollment policy associated with the token, or modify the enrollment policy to no longer include the token (by removing its specific Include rule).
- (Optional) Delete the service token.
You cannot use this service token to create new registrations.
You cannot delete a service token while it is attached to a device enrollment policy. - Delete the service token device registration.
- (Optional) To fully decommission a device, remove user access, if any exists. Devices with existing registrations will remain connected to Cloudflare until those specific device registrations are manually deleted.
Deleting a device or a device registration does not affect seat usage. Seats are tied to the user identity, not to individual devices.
To stop a user from consuming a seat, you must remove the user from your Zero Trust Organization.
Removing a user from your Zero Trust Organization will free up the seat the user consumed. The user will still appear in your list of users.
To remove a user from your Zero Trust Organization:
- In Cloudflare One ↗, go to Team & Resources > Users.
- Select the checkbox next to a user with an Active status in the Seat usage column.
- Select Action > Remove users.
- Select Remove.
The user will now show as Inactive and will no longer occupy a seat. If a user is removed but authenticates later, they will consume a seat again. To prevent a user from authenticating, you must remove them from your device enrollment policies or from your Identity Provider (IdP).
To automate the removal of users who have not logged in or triggered a device enrollment in a specific amount of time, turn on seat expiration or utilize SCIM to remove users when they are deactivated in your identity provider.