Skip to content

Pairing more devices

Each device you pair gets its own Curve25519 keypair and a copy of the master key, wrapped so only that device can unwrap it. The server forwards pairing messages but never sees the master key.

You need one device already signed in to authorize the new one. Pair codes expire after 5 minutes (PAIR_CODE_TTL_MS on the server).

  1. Open Settings → Devices.
  2. Click Pair a device. A QR code and a 6-word code appear (the words are the manual fallback).
  3. When the new device scans it, a 6-digit verification code appears here.
  4. Confirm the code matches the new device, then click Approve & pair. Leave this screen open and online until pairing completes — it delivers the wrapped master key.

The existing device must stay online to seal and deliver the master key after you approve.

  1. Open the SyncBins app and tap Scan QR to pair.
  2. Grant camera access and point it at the QR code.
  3. Check the 6-digit verification code matches the one on the signed-in device, then approve there.
  4. Name the device. It unlocks once the master key arrives.

No camera? Tap use passphrase instead, or type the 6-word code.

The new device:

  1. Fetches the ephemeral public key from the server using the code.
  2. Generates its own keypair and sends its public key plus an HMAC attestation (proves it read the code out-of-band).
  3. Shows a verification code derived from both public keys; you confirm it matches and approve on the existing device.
  4. Receives the master key sealed to its public key, then downloads and decrypts items as the sync cursor catches up.

Handshake details: How encryption works → Pairing.

  • Future items — immediate real-time fanout over WebSocket.
  • Past items — when a paired device comes online, it runs a re-wrap pass: any item this device can already decrypt gets updated with wrapped keys for devices that were missing. Items nobody can decrypt (e.g. written on a revoked device only) are skipped.

So a newly paired laptop should receive your history within a few minutes of the first online session, not only new drops.

Settings → Devices lists every paired device: name, glyph, paired date, last seen, online/offline.

ActionEffect
RenameClick the device name (not available for the current device label).
RevokeInvalidates that device’s session token immediately. It stops receiving new items. Cannot revoke This device from itself — use another device.
This deviceThe browser you’re in now; revoke it from elsewhere.

Revocation does not remotely wipe items already downloaded on that device.

The @syncbins/mcp CLI uses the same six-word handshake. See MCP server → Install & pair.

ProblemWhat to do
Code expiredGenerate a new code on the existing device.
Attestation invalidWrong word order or typo — re-enter all six words.
Waiting for existing deviceKeep the device that generated the code signed in with an active session.
Items unreadable on new deviceWait for re-wrap to finish; pull to refresh. Items created before any surviving decryptor existed may remain inaccessible.
Verification codes don’t matchReject and start over — a mismatch means the device that scanned isn’t the one you expect.
QR won’t scanCheck camera permission, lighting, and that the code hasn’t expired (5 min). Fall back to typing the six words.