Identity
Device Registration
Overview
Registration creates a cryptographic identity for a device. Each registered device receives:
- An Ed25519 keypair for signing operations
- A Decentralized Identifier (DID) derived from the public key
- A hardware fingerprint for physical device binding
- An initial trust score of 100
Register a device
const device = await sentinel.devices.register({
  name: 'unit-0042',
  model: 'forklift-v2',
  serialNumber: 'SN-2025-0042',
});
Response:
{
  "id": "clx1a2b3c...",
  "name": "unit-0042",
  "did": "did:sentinel:0x7f3a8b2c1d4e5f6a...",
  "publicKey": "-----BEGIN PUBLIC KEY-----...",
  "publicKeyHex": "0x4a8f3c2d...",
  "hardwareFingerprint": "0x8a3f7b2c...",
  "trustScore": 100,
  "status": "registered"
}
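The response carries the key twice (`publicKey` as PEM and `publicKeyHex`), so a backend that stores it can confirm that both encodings agree and that the key is Ed25519 before accepting signatures from the device. The following is an added example, not Sentinel SDK code: it uses only Node's built-in `crypto`, the device record and keypair are constructed, and it assumes `publicKeyHex` is the raw 32-byte key with a `0x` prefix.

```javascript
// Added example (not Sentinel SDK code). Uses only Node's built-in crypto.
const crypto = require('node:crypto');

// Checks that the PEM key is Ed25519 and matches publicKeyHex.
// Assumption: publicKeyHex is the raw 32-byte key, hex-encoded with "0x".
function checkRegisteredKey(device) {
  const key = crypto.createPublicKey(device.publicKey); // throws on bad PEM
  if (key.asymmetricKeyType !== 'ed25519') {
    throw new Error(`expected ed25519, got ${key.asymmetricKeyType}`);
  }
  // Ed25519 SPKI DER = 12-byte header + 32-byte raw key.
  const raw = key.export({ type: 'spki', format: 'der' }).subarray(-32);
  const claimed = Buffer.from(device.publicKeyHex.replace(/^0x/, ''), 'hex');
  if (claimed.length !== 32 || !crypto.timingSafeEqual(raw, claimed)) {
    throw new Error('publicKey and publicKeyHex disagree');
  }
  return key;
}

// Proof of possession: the device signs a fresh nonce with its private key;
// the verifier accepts only if the signature checks against the stored key.
function verifyChallenge(device, nonce, signature) {
  return crypto.verify(null, nonce, checkRegisteredKey(device), signature);
}

// Constructed stand-in for a registered device; a real private key stays on
// the device (or in its secure element) and is never available like this.
function makeSampleDevice(name) {
  const { publicKey, privateKey } = crypto.generateKeyPairSync('ed25519');
  const der = publicKey.export({ type: 'spki', format: 'der' });
  const device = {
    name,
    publicKey: publicKey.export({ type: 'spki', format: 'pem' }),
    publicKeyHex: '0x' + der.subarray(-32).toString('hex'),
  };
  return { device, privateKey };
}

const sample = makeSampleDevice('unit-0042');
const nonce = crypto.randomBytes(32);
const sig = crypto.sign(null, nonce, sample.privateKey);
console.log('challenge accepted:', verifyChallenge(sample.device, nonce, sig));
```

Because each device has its own keypair, a signature produced by one device fails this check against any other device's record.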
Serial number uniqueness
Serial numbers are unique across your fleet. Attempting to register a duplicate returns 409 Conflict.
Batch registration
For onboarding multiple devices:
const devices = await sentinel.devices.registerBatch([
  { name: 'unit-001', model: 'agv-v3', serialNumber: 'SN-001' },
  { name: 'unit-002', model: 'agv-v3', serialNumber: 'SN-002' },
  { name: 'unit-003', model: 'agv-v3', serialNumber: 'SN-003' },
]);
Each device receives an independent keypair. No secrets are shared between devices.
Key management
Private keys are stored encrypted at rest. For production deployments, we recommend hardware-backed key storage:
| Platform | Method |
|----------|--------|
| Industrial x86 | TPM 2.0 |
| ARM devices | Secure Enclave / TrustZone |
| Intel systems | SGX (optional) |
With hardware attestation enabled, the private key never leaves the device's secure element.
Device lifecycle
registered → active → offline → decommissioned
→ compromised
Status transitions are logged in the audit chain automatically.