Auth Keys

Auth keys form the permission model of ondevice. You can manage your keys in your control panel.

You need to call ondevice login with one of those keys on each system you want to use with your ondevice account.

For personal use, a single full key is probably enough.

For more complex setups, we recommend a single device key (or one per group of devices) and distinct client, full or custom keys for each end user (or maintenance script) working with your devices.

ondevice.io tracks usage stats for each individual key. Using more keys gives you more details on how each of them is being used.

Roles

We provide roles that each come with their own set of permissions (for details, see the matrix below).

  • full: has access to the whole account. Most useful for smaller setups (e.g. your personal ondevice.io account)
  • client: read-only access to your account
    • can list devices (ondevice list)
    • can connect to them (ondevice ssh, ondevice rsync, …)
    • can get device properties (ondevice device $devId list)
    • cannot set device properties
    • cannot run ondevice daemon
  • device: can only run ondevice daemon
    • cannot list other devices or connect to them
    • device keys can be considered insensitive (since they only allow passive access)
  • disabled: Disables the given auth key.
    Note that once a key has been deleted, all systems using it lose access to your account (and you might lose access to them).
    Disabling a key before you delete it helps you minimize that risk; also have a look at the auth key usage stats in your control panel.
  • custom: Allows you to configure each permission individually.

Permission Matrix

Roles (matrix columns): full, client, device, disabled

Permissions (matrix rows):

  • device: allows the client to run ondevice daemon
  • connect: can run ondevice ssh etc. to connect to your devices
  • get_properties: has read access to device permissions
  • list_devices: can list devices
  • set_properties: can set/remove device properties
  • manage_devices: can rename and delete devices

Note: There’s also the deprecated manager role which is similar to the new full role but lacks the device permission. This role will be removed soon and keys using it migrated.
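
The following is an added example, not part of the ondevice documentation or tooling: a least-privilege review that compares what each key's role grants against the permissions the key was actually seen using, and suggests the narrowest role. The role-to-permission sets are inferred from the role descriptions above (an assumption), and the key inventory is constructed sample data that you would fill in by hand from the usage stats in your control panel; no ondevice API is called.

```python
# Permission names as listed in the matrix on this page.
PERMISSIONS = frozenset({"device", "connect", "get_properties",
                         "list_devices", "set_properties", "manage_devices"})

# Assumption: grants inferred from the role descriptions on this page.
ROLES = {
    "disabled": frozenset(),
    "device": frozenset({"device"}),
    "client": frozenset({"connect", "get_properties", "list_devices"}),
    "full": PERMISSIONS,
}

def narrowest_role(used):
    """Predefined role that grants exactly `used`, else 'custom'."""
    used = frozenset(used)
    unknown = used - PERMISSIONS
    if unknown:
        raise ValueError(f"unknown permissions: {sorted(unknown)}")
    for role, granted in ROLES.items():
        if granted == used:
            return role
    return "custom"  # configure only the permissions in `used`

def audit(keys):
    """Return (name, current role, suggested role, unused permissions)
    for every key that is granted more than it was seen using."""
    findings = []
    for key in keys:
        granted = ROLES.get(key["role"])
        if granted is None:  # custom key: permissions are listed explicitly
            granted = frozenset(key["permissions"])
        unused = granted - frozenset(key["used"])
        if unused:
            findings.append((key["name"], key["role"],
                             narrowest_role(key["used"]), sorted(unused)))
    return findings

# Constructed inventory (hypothetical key names and usage).
KEYS = [
    {"name": "laptop", "role": "full",
     "used": ["connect", "list_devices", "get_properties"]},
    {"name": "rpi-fleet", "role": "full", "used": ["device"]},
    {"name": "backup-script", "role": "client",
     "used": ["connect", "list_devices", "get_properties"]},
    {"name": "old-ci", "role": "client", "used": []},
]

if __name__ == "__main__":
    for name, role, suggested, unused in audit(KEYS):
        print(f"{name}: {role} -> {suggested} (unused: {', '.join(unused)})")
```

A key with no observed usage comes back as `disabled`, which matches the advice above to disable a key before deleting it.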