Single-user deployment on a public TLS edge — only the operator (who holds the service token, attached as a Bearer on every client request) should onboard a device. Drop the auth exemption on /client/devices/register so anonymous callers get 401 instead of a working token; /client/devices/:id/status stays open since it is polled before the device token is issued.

Co-Authored-By: Claude Opus 4.8 <noreply@anthropic.com>