bitwarden/server
Device
A registered client device. Defined at src/Core/Entities/Device.cs and persisted to dbo.Device. Devices are the targets of push notifications and the carriers of trusted-device-encryption keys.
Important columns
| Column | Notes |
|---|---|
Id (Guid), UserId |
Identity. |
Name |
Free-form display label. |
Type |
DeviceType enum (Android, iOS, ChromeExtension, WindowsDesktop, MacOsDesktop, LinuxDesktop, FirefoxBrowser, OperaBrowser, EdgeBrowser, WindowsCLI, MacOsCLI, LinuxCLI, Server, WindowsConnector, MacOsConnector, LinuxConnector, iOSBrowser, AndroidBrowser, …). |
Identifier |
Client-provided unique identifier (used for "trust this device" lookups). |
PushToken |
APNs / FCM / WNS token used by IPushRegistrationService. |
EncryptedUserKey |
TDE: user key encrypted with the device's public key. |
EncryptedPublicKey, EncryptedPrivateKey |
TDE: per-device key pair, both encrypted under the user key (so a user can rotate keys for all their devices in one go). |
Active |
Whether the device should still receive push notifications. |
LastActivityDate |
Updated on every token refresh / login from this device. |
CreationDate, RevisionDate |
Audit timestamps. |
How it's used
- Push —
IPushRegistrationService.CreateOrUpdateRegistrationAsyncwrites thePushTokento ANH or the local registration store. - TDE — for SSO-only orgs that don't want a master password, devices hold the wrapped user key. See features/auth.
- Login With Device —
AuthRequestrows reference a Device id to know whose push to fire. - Trust — when a new device first authenticates, a Quartz job emails the user a "new device" notice.
Pruning
Stale devices are cleaned up by Quartz job logic in src/Api/Jobs/ (account-revision-date-driven) and on explicit user logout.
Where it shows up
- auth — TDE + login-with-device.
- systems/push-and-signalr.
- api/internal-api —
DevicesController.
Built by Factory AutoWiki from public repository content. It is a generated preview for codebase exploration, not source-maintained documentation.