Hardware-backed registration
Feature availability
| Client modes | Zero Trust plans ↗ |
|---|---|
| All modes | All plans |

| System | Availability | Minimum WARP version |
|---|---|---|
| Windows | ✅ | 2026.6.0 |
| macOS | ✅ | 2026.6.0 |
| Linux | ✅ | 2026.6.0 |
| iOS | ❌ | N/A |
| Android | ❌ | N/A |
| ChromeOS | ❌ | N/A |
Hardware-backed registration binds a device registration to a non-exportable private key stored in device hardware. The Cloudflare One Client uses this key to prove that API requests originate from the device that created the registration.
By default, the Cloudflare One Client stores its API token in the device keystore. An attacker who extracts that token can replay it from another device. Hardware-backed registration protects against this token extraction by requiring every API request to be authenticated with a key that never leaves the device hardware.
Before you turn on hardware-backed registration, note the following:
- Re-registration is required. Turning the setting on or off invalidates the existing registration and forces affected devices to register again. The Cloudflare One Client does not migrate a registration between hardware-backed and standard registration.
- Configure it at the organization layer. Set `hardware_backed_registration` in `organization_configs` so the setting applies consistently to every configuration for an organization.
- Certificates expire. The hardware-backed certificate is valid for 90 days. A device that stays offline until the certificate expires (for example, during an extended vacation) must register again.
When hardware-backed registration is turned on, the Cloudflare One Client performs the following steps during device registration:
1. The client generates a non-exportable key pair in a hardware security module on the device.
2. The client creates a certificate signing request (CSR) for the key and sends it with the registration request.
3. Cloudflare issues a client certificate for the key and returns it to the client.
4. The client authenticates all subsequent API requests with mutual TLS (mTLS), signing the TLS handshake with the hardware-backed key.
Cloudflare validates each request against the certificate stored for the registration. Requests that do not present the matching certificate are rejected. Because the private key cannot leave the device, an extracted API token alone is not enough to make valid API requests from another device.
The client renews the certificate automatically before it expires, reusing the existing hardware-backed key so the registration is preserved.
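The registration and request-authentication flow described above, as an added Go illustration that is not code from the Cloudflare One Client: a software P-256 key stands in for the TPM or Secure Enclave key, a self-signed CA stands in for Cloudflare's issuer, and a signature over the request body stands in for the client's mTLS handshake signature. The names `register`, `signRequest` and `acceptRequest` and the token value are assumptions for the example.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"crypto/x509"
	"crypto/x509/pkix"
	"math/big"
	"time"
)

// Registration is what the server stores per device: the API token plus the certificate issued for its hardware-backed key.
type Registration struct{ Token string; Cert *x509.Certificate }

func must[T any](v T, err error) T { if err != nil { panic(err) }; return v }

// newKey stands in for the non-exportable key pair the client generates in the TPM or Secure Enclave (plain software key here; simulation only).
func newKey() *ecdsa.PrivateKey { return must(ecdsa.GenerateKey(elliptic.P256(), rand.Reader)) }

// newCA builds a self-signed issuing CA that stands in for Cloudflare (hypothetical).
func newCA() (*ecdsa.PrivateKey, *x509.Certificate) {
	key := newKey()
	t := &x509.Certificate{SerialNumber: big.NewInt(1), Subject: pkix.Name{CommonName: "example-ca"}, NotBefore: time.Now(),
		NotAfter: time.Now().AddDate(1, 0, 0), IsCA: true, BasicConstraintsValid: true, KeyUsage: x509.KeyUsageCertSign}
	return key, must(x509.ParseCertificate(must(x509.CreateCertificate(rand.Reader, t, t, &key.PublicKey, key))))
}

// register runs the enrollment: the device signs a CSR with its key, the CA checks that signature (proof of possession) and issues a 90-day client certificate.
func register(devKey, caKey *ecdsa.PrivateKey, caCert *x509.Certificate, token string) Registration {
	csr := must(x509.ParseCertificateRequest(must(x509.CreateCertificateRequest(rand.Reader, &x509.CertificateRequest{Subject: pkix.Name{CommonName: "device-placeholder"}}, devKey))))
	if err := csr.CheckSignature(); err != nil { panic(err) } // CSR was not signed by the enclosed key
	t := &x509.Certificate{SerialNumber: big.NewInt(2), Subject: csr.Subject, NotBefore: time.Now(),
		NotAfter: time.Now().AddDate(0, 0, 90), KeyUsage: x509.KeyUsageDigitalSignature}
	der := must(x509.CreateCertificate(rand.Reader, t, caCert, csr.PublicKey, caKey))
	return Registration{Token: token, Cert: must(x509.ParseCertificate(der))}
}

// signRequest is the client side: the hardware key signs the request body, standing in for the client's signature in the mTLS handshake.
func signRequest(key *ecdsa.PrivateKey, body []byte) []byte { h := sha256.Sum256(body); return must(ecdsa.SignASN1(rand.Reader, key, h[:])) }

// acceptRequest is the server side: the token must match AND the signature must verify under the stored certificate, so a stolen token alone fails.
func acceptRequest(reg Registration, token string, body, sig []byte) bool {
	pub, ok := reg.Cert.PublicKey.(*ecdsa.PublicKey)
	h := sha256.Sum256(body)
	return ok && token == reg.Token && ecdsa.VerifyASN1(pub, h[:], sig)
}
```

Renewal, which the text describes next, would reuse the same device key: a new CSR signed by it yields a fresh certificate while the registration identity is unchanged.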
Hardware-backed registration uses the security hardware available on each desktop platform:
| Operating system | Hardware |
|---|---|
| Windows | TPM 2.0 |
| macOS | Secure Enclave (T2 or Apple silicon) |
| Linux | TPM 2.0 |
Devices without a supported security module cannot complete a hardware-backed registration.
Hardware-backed registration is turned off by default. To turn it on, set the `hardware_backed_registration` parameter to `true` in the `organization_configs` layer of your MDM configuration.
The following example turns on hardware-backed registration for the example-team organization:
```xml
<dict>
  <key>organization_configs</key>
  <dict>
    <key>example-team</key>
    <dict>
      <key>hardware_backed_registration</key>
      <true/>
    </dict>
  </dict>
  <key>configs</key>
  <array>
    <dict>
      <key>organization</key>
      <string>example-team</string>
    </dict>
  </array>
</dict>
```

Hardware-backed registration is available on Windows, macOS, and Linux only. Mobile platforms (iOS, Android, and ChromeOS) are not supported. The feature applies only to Zero Trust registrations that use an identity provider or a service token. Consumer registrations are not supported.