Device registration adds a layer of protection against account takeovers and phishing attacks by requiring users to verify any new or unrecognized device before they can access their account. When someone signs in from an unfamiliar device, Dynamic detects it and prompts them to confirm ownership through a verification step — blocking unauthorized access even if credentials have been compromised or harvested through a phishing site.Documentation Index
Fetch the complete documentation index at: https://docs.dynamic.xyz/docs/llms.txt
Use this file to discover all available pages before exploring further.
Why this stops phishing
The verification email’s link can only redirect back to domains you’ve explicitly allow-listed for your environment (the same CORS allow-list Dynamic enforces for browser requests). A phishing site running on an attacker-controlled domain will not appear in that allow-list, so even if the attacker tricks the user into clicking the verification link, the redirect — and the resulting trusted-device session — cannot land on the phishing site. The attacker is left without a registered device, and the user’s account stays protected.Device registration is optional and disabled by default. Enable it from the Dynamic Dashboard when you’re ready to require device verification for your users. It is also gated by setting your minimum API version to
2026-04-01 — see the API version upgrade guide for details.How it works
Returning users on a new device
When an existing user signs in from a device they haven’t used before, the following happens:- Dynamic detects that the device is unrecognized
- The user receives an email with a verification link
- The user clicks the link to confirm they initiated the sign-in
- The device is registered as trusted and the user is granted full access
New users
For new users signing up for the first time, device registration happens automatically in the background. There is no additional verification step — the device they sign up from is trusted immediately, keeping the onboarding experience frictionless.Verification methods
Dynamic uses different approaches to identify trusted devices:- Cookie-based verification — when cookie-based authentication is enabled, Dynamic uses a secure cookie to identify trusted devices
- Public key-based verification — when cookies are not enabled, the device proves its identity cryptographically using a public key
Enabling device registration
Device registration is off by default. Enable it from the Dynamic Dashboard under your environment’s security settings when you’re ready to require device verification.Limitations
- In-app wallet browsers are not supported. Email verification links open in the device’s default browser, so users who initiate sign-in inside an in-app wallet browser (for example, MetaMask, Trust Wallet, Rainbow, or Coinbase Wallet) cannot complete verification and return to their original session. If your app targets these surfaces, leave device registration disabled.
SDK guides
For implementation details, see the guide for your SDK:- React SDK — Automatic UI or headless integration
- React Native SDK — Automatic UI or headless integration for mobile
- JavaScript SDK — Headless integration with full control over the UI and flow
- Flutter SDK — Automatic UI or headless integration for Flutter apps
- Swift SDK — Automatic UI or headless integration for iOS
- Kotlin SDK — Automatic UI or headless integration for Android
Next steps
- API version upgrade overview — What 2026-04-01 enforces
- Security overview — Dynamic’s broader security posture
- Recommended security practices — Full checklist of security measures for your app
- MFA — Add multi-factor authentication as an additional layer of protection