How device pairing works

One-time confirmation, long-lived token in your OS keyring, instantly revocable. The trust model behind every paired device.

Updated 2026-05-19

Vibetight’s backend never connects to your machine. Every connection is initiated by the device. Pairing included.

What you do

Open the desktop app (or run the headless installer’s pair command). You’re shown a short claim code and a link to confirm it. Open the link, click confirm, done. The device receives its long-lived token and you don’t think about pairing again until you decide to revoke it.

Where the token lives

  • Desktop: held in the OS keyring (macOS Keychain, GNOME Keyring / KWallet on Linux). Never touches disk in plaintext.
  • Headless: stored in a sealed config file with restrictive file permissions, owned by the user the worker runs as.

On the backend, we only ever store a one-way hash of the token. We can verify a presented token, but we can’t recover the original: not for support, not for ourselves, not under any circumstance.

Revocation

If a device is lost, compromised, or just stale, revoke it from Settings → Devices. The next request that device makes is rejected, the local agent wipes its cache and stops trying, and any in-flight tasks land in Action Required for human triage.
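The hash-only storage and per-device revocation described above, as an added sketch that is not Vibetight's own code. The `DeviceRegistry` class, SHA-256 as the hash, and 256-bit random tokens are all assumptions; the page does not say which hash or token format the backend uses.

```python
import hashlib
import hmac
import secrets


class DeviceRegistry:
    """Hypothetical backend store: keeps token hashes only, never tokens."""

    def __init__(self):
        # device_id -> {"hash": bytes, "revoked": bool}
        self._devices = {}

    @staticmethod
    def _digest(token: str) -> bytes:
        # Assumption: tokens are 256-bit random values, so a fast hash is
        # enough. A low-entropy secret would need a slow KDF instead.
        return hashlib.sha256(token.encode("utf-8")).digest()

    def pair(self, device_id: str) -> str:
        """Issue a token once the claim code is confirmed; store its hash."""
        token = secrets.token_urlsafe(32)
        self._devices[device_id] = {"hash": self._digest(token), "revoked": False}
        return token  # handed to the device once, not retained server-side

    def verify(self, device_id: str, presented: str) -> bool:
        record = self._devices.get(device_id)
        if record is None or record["revoked"]:
            return False
        # Constant-time comparison avoids leaking hash prefixes via timing.
        return hmac.compare_digest(record["hash"], self._digest(presented))

    def revoke(self, device_id: str) -> None:
        if device_id in self._devices:
            self._devices[device_id]["revoked"] = True


def demo() -> dict:
    """Pair two constructed devices, revoke one, and report each check."""
    reg = DeviceRegistry()
    laptop = reg.pair("laptop")
    worker = reg.pair("cloud-worker-1")
    before = reg.verify("laptop", laptop)
    reg.revoke("laptop")
    return {
        "before_revoke": before,
        "after_revoke": reg.verify("laptop", laptop),
        "other_device_unaffected": reg.verify("cloud-worker-1", worker),
        "token_bound_to_device": reg.verify("cloud-worker-1", laptop),
    }
```

Because only the digest is stored, a dump of `_devices` yields nothing a client could present as a token, and revoking one device leaves the others' records untouched.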

Why this design

One direction of trust. The device holds the secret it needs to make outbound calls; the backend never needs an inbound path to your machine. No firewall rules, no exposed ports, no inbound webhook.

It’s also why pairing is a device action, not an account-level action. Each device is independently revocable, independently auditable, and independently scoped. You can pair one laptop and three cloud workers and they’re four distinct identities with four distinct trust scopes.