MATIH Platform is in active MVP development. Documentation reflects current implementation status.

Device Endpoints

The device management endpoints handle device fingerprinting, trusted device management, and device blocking. All endpoints require authentication and are served by DeviceController at /api/v1/devices.


Endpoints

| Method | Endpoint | Description |
|--------|----------|-------------|
| GET | /api/v1/devices | List all devices |
| GET | /api/v1/devices/trusted | List trusted devices |
| POST | /api/v1/devices/register | Register or update device fingerprint |
| POST | /api/v1/devices/:deviceId/trust | Mark device as trusted |
| DELETE | /api/v1/devices/:deviceId/trust | Remove trust from device |
| PUT | /api/v1/devices/:deviceId/name | Rename a device |
| POST | /api/v1/devices/:deviceId/block | Block a device |
| DELETE | /api/v1/devices/:deviceId/block | Unblock a device |
| DELETE | /api/v1/devices/:deviceId | Remove a device |
| DELETE | /api/v1/devices/trusted/all | Untrust all devices |

POST /api/v1/devices/register

Registers or updates a device fingerprint. The client IP and User-Agent are captured automatically from the request.

{
  "fingerprint": "a1b2c3d4e5f6...",
  "deviceName": "Work Laptop",
  "deviceType": "desktop",
  "browser": "Chrome",
  "browserVersion": "120.0",
  "os": "macOS",
  "osVersion": "14.2"
}

DeviceResponse Structure

{
  "id": 42,
  "deviceName": "Work Laptop",
  "deviceType": "desktop",
  "browser": "Chrome",
  "browserVersion": "120.0",
  "os": "macOS",
  "osVersion": "14.2",
  "trusted": true,
  "trustedAt": "2026-02-01T10:00:00Z",
  "blocked": false,
  "lastIpAddress": "192.168.1.100",
  "lastSeenAt": "2026-02-12T14:30:00Z",
  "useCount": 47,
  "createdAt": "2026-01-15T08:00:00Z"
}

Trust Management

Trusted devices may bypass MFA challenges based on the tenant security policy. There is a configurable maximum number of trusted devices per user.

| Endpoint | Effect |
|----------|--------|
| POST /api/v1/devices/:deviceId/trust | Marks device as trusted (returns 400 if max reached) |
| DELETE /api/v1/devices/:deviceId/trust | Removes trust (MFA required on next login) |
| DELETE /api/v1/devices/trusted/all | Untrusts all devices, returns {"untrusted": count} |
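
Because a trusted device may skip the MFA challenge, the trusted list is worth reviewing periodically. The following is an added example, not MATIH code: it audits records shaped like DeviceResponse (for instance, the output of GET /api/v1/devices/trusted) and flags trusted devices to re-verify. The thresholds, the function name `review_trusted_devices` and the sample records are assumptions made for illustration.

```python
from datetime import datetime, timedelta, timezone

# Assumed review thresholds; the page does not define any.
STALE_AFTER = timedelta(days=30)      # trusted but not seen recently
MAX_TRUST_AGE = timedelta(days=180)   # trust granted long ago, never re-confirmed


def _ts(value):
    """Parse the ISO-8601 UTC timestamps used in DeviceResponse."""
    return datetime.fromisoformat(value.replace("Z", "+00:00"))


def review_trusted_devices(devices, now):
    """Return {device id: [reasons]} for trusted devices worth re-verifying."""
    findings = {}
    for d in devices:
        if not d.get("trusted"):
            continue  # untrusted devices still get an MFA challenge
        reasons = []
        if d.get("blocked"):
            reasons.append("blocked but still marked trusted")
        if now - _ts(d["lastSeenAt"]) > STALE_AFTER:
            reasons.append("not seen within stale window")
        if d.get("trustedAt") and now - _ts(d["trustedAt"]) > MAX_TRUST_AGE:
            reasons.append("trust older than maximum age")
        if reasons:
            findings[d["id"]] = reasons
    return findings


# Constructed sample records using the DeviceResponse field names.
SAMPLE = [
    {"id": 42, "trusted": True, "trustedAt": "2026-02-01T10:00:00Z",
     "blocked": False, "lastSeenAt": "2026-02-12T14:30:00Z"},
    {"id": 43, "trusted": True, "trustedAt": "2025-06-01T09:00:00Z",
     "blocked": False, "lastSeenAt": "2025-12-20T11:00:00Z"},
    {"id": 44, "trusted": True, "trustedAt": "2026-02-05T09:00:00Z",
     "blocked": True, "lastSeenAt": "2026-02-10T16:00:00Z"},
    {"id": 45, "trusted": False, "trustedAt": None,
     "blocked": False, "lastSeenAt": "2025-01-01T00:00:00Z"},
]

if __name__ == "__main__":
    now = datetime(2026, 2, 13, tzinfo=timezone.utc)
    for device_id, reasons in review_trusted_devices(SAMPLE, now).items():
        print(device_id, "->", "; ".join(reasons))
```

Each flagged id can then be passed to DELETE /api/v1/devices/:deviceId/trust so that MFA is required on that device's next login.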

Device Blocking

Blocked devices are denied authentication attempts entirely, regardless of valid credentials.

| Endpoint | Effect |
|----------|--------|
| POST /api/v1/devices/:deviceId/block | Blocks device (optional reason in body) |
| DELETE /api/v1/devices/:deviceId/block | Unblocks device |