Pebble MobileDevice Management

Device Management

Every phone (and, in future, other device types) connected to your PebbleAI account is managed from one place: the Devices section of your web Settings page. This is where new devices are approved, and where you rename or revoke the ones you have. Revoking a device signs it out everywhere, immediately.

Where to find it

  1. Go to /user-profile?section=devices on your PebbleAI site to open your Settings page. On some deployments you can also click your avatar (top-right corner) and choose Update Profile — that menu item isn’t shown for SSO sign-ins or cloud-hosted deployments
  2. Pick Devices from the left-hand menu (“Connected apps and devices”)

The section is headed Devices, with the summary: “Apps and devices connected to your Pebble AI workspace. A new device must be approved here before it can connect; revoking a device signs it out everywhere.”

The Devices page with a paired Pebble Mobile device

If you haven’t connected anything yet, you’ll see: “No devices connected yet. Install the Pebble Mobile app and sign in to see it here.” — Getting Started covers pairing your first device.

The device list

Each device row shows:

ElementDetail
Type icon and labeliPhone, Android, Tablet, or Pebble Puck
NameThe device’s name — editable (see renaming below)
CaptionType and platform (model, OS, app version), plus Last seen — Never, Just now, minutes/hours/days ago, or a date
Status chipactive (green), pending (amber), revoked (row greyed out), or denied

The Last seen value is a quick health check — if a phone you use daily says it was last seen days ago, something’s wrong (or it’s in a drawer).

Approving and denying new devices

When a phone completes the pairing flow and you tap Allow on its consent page, it appears here with a pending chip and two icon buttons: a tick (Approve) and a cross (Deny).

  • Approve — the device connects and becomes active (“Device approved”)
  • Deny — a confirmation dialog explains “This pairing request will be rejected and the device cannot connect.” (“Device denied”)

Approval is deliberately web-only: a device holds no access at all until its owner approves it from a signed-in web session, and a device can never approve itself — even a device that’s already connected can’t approve another one. Pending requests are only valid for 15 minutes; after that the phone has to scan the QR code again.

Renaming a device

Active devices show a pencil icon (Rename). Click it and the name becomes editable inline — Enter saves, Escape cancels, and a “Device renamed” confirmation appears. Useful when “iPhone” isn’t enough to tell your devices apart.

Revoking a device

Active devices show a bin icon (Revoke). Clicking it opens a confirmation dialog: “The device is signed out immediately and must be re-authorized to reconnect.”

What revoking actually does:

  • The device’s stored credentials are invalidated immediately — it can no longer refresh its access
  • Any access token the device still holds dies within minutes (15 minutes at most on default settings)
  • To come back, the device has to go through the full pairing and approval flow again

Revoke a device the moment a phone is lost, stolen, sold, or handed back to IT. There’s no way for the device to quietly reconnect afterwards.

How device security works

A few properties of the Device Layer worth knowing, especially if you’re the one answering security questions:

  • Devices never hold your password. Pairing issues the device its own device-bound tokens — short-lived access tokens plus a rotating refresh token.
  • Refresh tokens are single-use. Each refresh rotates the token. If a stale refresh token is ever presented — the signature of a stolen token being replayed — PebbleAI treats it as theft and automatically revokes the device.
  • Device tokens never create a browser session. A paired phone can call the API as you, but its tokens are useless for signing in to the web. Web sign-in is unchanged.
  • Token lifetimes (15-minute access, 30-day refresh) are deployment defaults and can be tuned by your platform team.

For admins

Device permissions

Three organisation-scoped permissions govern devices:

PermissionLabelDefault grants
devices:viewView My Connected DevicesPlatform admin, org admin, and the default user role
devices:manageRename and Revoke My DevicesPlatform admin, org admin, and the default user role
devices:org-viewView All Organization DevicesPlatform admin and org admin only

In practice: ordinary users can pair, rename, and revoke their own devices out of the box — no admin action needed. Approving and denying pairing requests is owner-only regardless of role, and is rejected outright for calls made with a device token, so a device can never approve itself or another device.

devices:org-view is granted to admin roles, but the org-wide device dashboard it’s designed for hasn’t shipped yet — there is currently no admin UI listing every device in the organisation.

Roles and permissions are managed in Organisation Configuration.

The iOS and Android buttons in the Add a device dialog point wherever a Platform Admin configures. The controls live in the Mobile App tab (the last tab) of the platform settings page at /admin/platform/settings — it requires the platform:admin permission.

The Platform Admin Mobile App tab with install URL overrides

The tab’s guidance sums up the intent: “These links appear in the “Add a device” QR dialog (Account → Devices) so people can install Pebble Mobile. Leave a field blank to use the built-in App Store / Play Store default. Set the iOS field to a TestFlight invite link while the app is in beta, then clear it once the public App Store build is live.”

For each platform there’s a card showing:

  • iOS install URL — where iPhone and iPad users go to install Pebble Mobile; the App Store listing by default
  • Android install URL — where Android users go; the Google Play listing by default
  • The Default and Effective values, and an Override URL field (“Leave blank to use the default shown above.”)

Clear Overrides drops back to the built-in store defaults; Save Changes applies your overrides (“Pebble Mobile install links saved”). Resolution is simple: override if set, otherwise the built-in default.

For most deployments the defaults are all you need — they point at the public App Store and Google Play listings. Use the overrides only when you’re steering users to a different build, such as an internal-testing track.