Overview
An investigator joins a new team and needs access to the platform on both her work laptop and her field mobile device. Both devices need to be registered, her push notifications need to route to the right device depending on which she is currently using, and if her mobile is lost or stolen during a field operation, the device needs to be remotely deregistered without affecting her other sessions.
The Device domain handles all of that: enrollment, session tracking, push notification routing, security policy enforcement, and deregistration, as a unified device lifecycle management system.
Key Features
- Device registration and enrollment workflows.
- Device-level session tracking and management.
- Push notification token registration and lifecycle management.
- Device security policy enforcement.
- Multi-device support per user account.
- Device activity logging and audit trail.
- Device deregistration and wipe capabilities.
- Platform-specific device management (iOS, Android, desktop).
Use Cases
Field operatives register mobile devices for platform access, with push notifications routed to the device they are currently using rather than requiring manual notification preference management.
IT security teams enforce device-level security policies for access to sensitive investigation data, ensuring that only enrolled and compliant devices can access the platform from outside the corporate network.
Security administrators deregister lost or stolen devices immediately, terminating any active sessions on the affected device while preserving the user's access from their other enrolled devices.
Compliance teams review device activity logs for security monitoring, with the audit trail providing a complete record of which devices accessed the platform and when.
Integration
Integrates with session management, push notification services, and audit logging for comprehensive device lifecycle management.
Open Standards
- GraphQL (June 2018 specification): the entire device lifecycle API, including device registration, querying, and mutation, is exposed exclusively through a GraphQL schema using typed queries and mutations.
- JSON Web Token (RFC 7519) with RS256: every API call into the device domain is authenticated via a bearer JWT verified against a JWKS endpoint using RS256 asymmetric signatures; no device operation is permitted without a valid token.
- Traffic Light Protocol (TLP, FIRST standard): each device record carries a secrecy_level field whose permitted values map directly to TLP_WHITE, TLP_GREEN, TLP_AMBER, and TLP_RED, controlling information sharing boundaries.
- Apple Push Notification service (APNs): push notification routing to enrolled iOS devices is delivered via APNs token-based authentication, configured through standard APNs key credentials.
- Firebase Cloud Messaging (FCM): push notification routing to enrolled Android devices is delivered via FCM, used strictly as a transport boundary and not for any runtime state storage.
- Voluntary Application Server Identification for Web Push (RFC 8292 / VAPID): web-based device registrations supply a VAPID public key and encrypted p256dh/auth keys, conforming to the RFC 8292 voluntary application server identification scheme for Web Push.
- UUID (RFC 4122): all device, session, and notification identifiers are version-4 universally unique identifiers generated in accordance with RFC 4122, ensuring globally unique records across tenants.
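The following is an added example, not the platform's own code, that models the use cases above as an in-memory registry: enrollment validated against the TLP secrecy_level values, push routing to the user's most recently active device, and deregistration of a lost device that terminates only that device's sessions while leaving the user's other devices untouched. DeviceRegistry, its method names and the audit tuple shape are assumptions.

```python
from dataclasses import dataclass, field
# Added example, not the platform's own code: an in-memory model of the device
# lifecycle on this page. DeviceRegistry and the audit tuple shape are assumptions.
TLP_LEVELS = ("TLP_WHITE", "TLP_GREEN", "TLP_AMBER", "TLP_RED")

@dataclass
class Device:
    device_id: str
    user: str
    platform: str        # "ios", "android" or "web"
    secrecy_level: str   # one of TLP_LEVELS
    push_token: str = "" # APNs/FCM/VAPID token; empty means none registered
    sessions: set = field(default_factory=set)
    last_seen: int = 0   # constructed logical clock, not wall time
    active: bool = True

class DeviceRegistry:
    def __init__(self):
        self.devices = {}
        self.audit = []  # (event, device_id, detail) audit trail

    def enroll(self, device_id, user, platform, secrecy_level, push_token=""):
        if secrecy_level not in TLP_LEVELS:
            raise ValueError(f"secrecy_level must be a TLP value, got {secrecy_level!r}")
        self.devices[device_id] = Device(device_id, user, platform, secrecy_level, push_token)
        self.audit.append(("enroll", device_id, platform))

    def open_session(self, device_id, session_id, now):
        d = self.devices[device_id]
        if not d.active:  # a deregistered device cannot start new sessions
            raise PermissionError(f"{device_id} is deregistered")
        d.sessions.add(session_id)
        d.last_seen = now
        self.audit.append(("session_open", device_id, session_id))

    def push_target(self, user):
        # Route to the user's most recently active enrolled device holding a token.
        live = [d for d in self.devices.values()
                if d.user == user and d.active and d.push_token and d.sessions]
        return max(live, key=lambda d: d.last_seen).device_id if live else None

    def deregister(self, device_id):
        # Lost/stolen device: terminate this device's sessions and token only.
        d = self.devices[device_id]
        killed = sorted(d.sessions)
        d.sessions.clear()
        d.push_token = ""
        d.active = False
        self.audit.append(("deregister", device_id, f"terminated={len(killed)}"))
        return killed
```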
Last Reviewed: 2026-02-05
Last Updated: 2026-04-14