# Trusted sessions and devices Every time you access the Cerby platform, you are connecting from a device: the Cerby web app, browser extension, or mobile app. Trusted sessions and devices are the mechanism Cerby uses to verify that those connections come from authorized endpoints before granting access to your accounts, secrets, and vaults. Think of a trusted session as a handshake between you and Cerby. When you set up a trusted session on a device, Cerby registers that device as a known and authorized access point for your account. From that moment, interactions with the Cerby platform originating from that device are treated as verified. *** ## Why trusted sessions matter Trusted sessions add a meaningful layer of security on top of your login credentials. Even if someone obtains your password, they cannot access your Cerby workspace from an unregistered device. Each device must be explicitly verified before it can be used. For users working with local vaults, trusted sessions are especially critical. Local vaults store encryption keys on the device itself, meaning the trusted session is not just an access gate, it is also the holder of the cryptographic keys needed to decrypt your data. Without a trusted session on that device, the vault content is inaccessible, even to Cerby. *** ## How trusted sessions work Any of the three Cerby client apps can be registered as a trusted device: * The Cerby web app (each browser is treated as a separate device) * The Cerby browser extension (each browser installation is treated as a separate device) * The Cerby mobile app When you log in to Cerby for the first time on a new device, you are automatically prompted to set up a trusted session. The verification process confirms your identity using a code sent to your email, or by approving the session from a device you have already registered. Users can register up to 20 trusted devices. When that limit is reached, an existing device must be disabled before a new one can be added. *** ## What happens when a user leaves Trusted sessions are tied to individual user accounts. When a user is deprovisioned from a workspace, all of their registered trusted sessions and devices are automatically disabled. This ensures that former employees cannot retain access through previously trusted endpoints, even if they still have their physical device. Workspace **Admins** can view and manage trusted sessions for all users in the workspace from the Cerby web app. For more information, see the [Trusted sessions and devices](https://help.cerby.com/setup-and-admin/workspace-settings/trusted-devices) section. --- # Agent Instructions: Querying This Documentation If you need additional information that is not directly available in this page, you can query the documentation dynamically by asking a question. Perform an HTTP GET request on the current page URL with the `ask` query parameter: ``` GET https://help.cerby.com/getting-started/concepts/credential-management/trusted-sessions-devices.md?ask= ``` The question should be specific, self-contained, and written in natural language. The response will contain a direct answer to the question and relevant excerpts and sources from the documentation. Use this mechanism when the answer is not explicitly present in the current page, you need clarification or additional context, or you want to retrieve related documentation sections.