Appearance
Operations: Disconnect a device
For user-facing disconnect, see Devices / Disconnect / unlink. This page covers the admin/operator perspective.
When an admin disconnects a Device
Common scenarios:
- Lost or stolen Device. User reports it; admin revokes immediately so the Device cannot reach the bus.
- Compromised credential. A Device's NATS user JWT may have leaked; revoke that link.
- Account suspension. A principal is being suspended; revoke every Host Link they own.
- Service-level cleanup. Old test Devices left over.
Direct revoke
bash
# By Host Link id
matrix invoke system.auth auth.hostLink.revoke \
'{"hostLinkId":"<id>"}'
# By host id (the install identity)
matrix invoke system.auth auth.hostLink.revoke \
'{"hostId":"<install-id>","principalId":"p_xxx"}'The op (system-auth/src/index.ts:790-803) flips status to revoked, sets revokedAt, and triggers NATS user public-key revocation through the account JWT. The NATS hub reloads.
Verifying the revoke took effect
bash
matrix invoke system.auth auth.hostLink.get '{"hostLinkId":"<id>"}'
# Should show status: 'revoked', revokedAt: <ts>.
matrix invoke system.devices devices.list \
'{"principalId":"p_xxx","includeRevoked":true}'
# Should include the row with status: 'revoked'.
# On the (former) Device, attempt a heartbeat:
# Expect 401 Unauthorized.
# Attempt a NATS connection: expect auth failure.Bulk revoke for a principal
When suspending a principal, revoke every Host Link they own:
bash
matrix invoke system.auth auth.hostLink.list \
'{"principalId":"p_xxx"}' | jq -r '.hostLinks[].id' | \
while read id; do
matrix invoke system.auth auth.hostLink.revoke "{\"hostLinkId\":\"$id\"}"
doneEach revoke triggers a NATS hub reload — under fleet pressure, this is slow. A bulk-revoke op is target state.
Authorization
Per HIVECAST-DEVICE-ENROLLMENT-SPEC.md, Host Link revoke is authenticated and principal-bound:
- The HTTP path
POST /api/devices/:deviceId/revokerequires a session for the link's principal. - The CLI path requires the calling identity to match the link's principal — or be a local-client (loopback) identity.
For an admin acting on a user's behalf today, the loopback identity on the platform Host is the only path. Target state: an admin: true flag on principals plus an op-level scope.
What revoke does NOT do
Per Devices / Disconnect / unlink:
- Does not delete local data on the Device.
- Does not stop local apps on the Device.
- Does not affect other Devices.
- Does not unclaim namespace.
Re-pairing after admin revoke
A revoked Device can be re-paired by the user (creating a fresh Host Link). The old revoked record stays in storage for audit.
What to log when admin-revoking
Until structured audit ships, manually note:
- Reason for revoke (lost, compromised, suspended, cleanup).
- Time, who initiated.
- Whether the user was notified.
- The
hostLinkIdandprincipalId.
A target audit pipeline auto-records all of this.
See also
- Devices / Disconnect / unlink — user-facing flow.
- Operations: Pair a device — the inverse.
- Operations: Resolve incident — when revoke is part of incident response.
Source:
projects/matrix-3/packages/system-auth/src/index.ts:790-803for the op.