CodeBeamOrg
diff --git a/‎docs/.gitkeep‎
Lines changed: 0 additions & 1 deletion b/‎docs/.gitkeep‎
Lines changed: 0 additions & 1 deletion
diff --git a/‎docs/content/auth-flows/device-management.md‎
Lines changed: 159 additions & 0 deletions b/‎docs/content/auth-flows/device-management.md‎
Lines changed: 159 additions & 0 deletions
diff --git a/‎docs/content/auth-flows/index.md‎
Lines changed: 136 additions & 0 deletions b/‎docs/content/auth-flows/index.md‎
Lines changed: 136 additions & 0 deletions
@@ -0,0 +1,159 @@
+# 📱 Device Management
+
+In UltimateAuth, devices are not an afterthought.
+
+👉 They are a **first-class concept**
+
+## 🧠 Why Device Matters
+
+Most authentication systems ignore devices.
+
+- A user logs in  
+- A token is issued  
+- Everything is treated the same
+
+👉 This breaks down when you need:
+
+- Multi-device control  
+- Session visibility  
+- Security enforcement  
+
+👉 UltimateAuth solves this with **device-aware authentication**
+
+## 🧩 Core Concept: Chain = Device
+
+In UltimateAuth:
+
+👉 A **SessionChain represents a device**
+
+```
+Device → Chain → Sessions
+```
+
+Each chain:
+
+- Is bound to a device  
+- Groups sessions  
+- Tracks activity  
+
+👉 A device is not inferred — it is explicitly modeled
+
+## 🔗 What Defines a Device?
+
+A chain includes:
+
+- DeviceId  
+- Platform (web, mobile, etc.)  
+- Operating System  
+- Browser  
+- IP (optional binding)  
+
+👉 This forms a **device fingerprint**
+
+## 🔄 Device Lifecycle
+
+### 1️⃣ First Login
+
+- New device detected  
+- New chain is created
+
+### 2️⃣ Subsequent Logins
+
+- Same device → reuse chain  
+- New device → new chain  
+
+👉 Device continuity is preserved
+
+### 3️⃣ Activity (Touch)
+
+- Chain `LastSeenAt` updated  
+- `TouchCount` increases  
+
+👉 Tracks real usage
+
+### 4️⃣ Token Rotation
+
+- Session changes  
+- Chain remains  
+- `RotationCount` increases  
+
+👉 Device identity stays stable
+
+### 5️⃣ Logout
+
+- Session removed  
+- Chain remains  
+
+👉 Device still trusted
+
+### 6️⃣ Revoke
+
+- Chain invalidated  
+- All sessions removed  
+
+👉 Device trust is reset
+
+<br>
+
+## 🔐 Security Model
+
+### 🔗 Device Binding
+
+Sessions and tokens are tied to:
+
+- Chain  
+- Device context  
+
+👉 Prevents cross-device reuse
+
+### 🔁 Rotation Tracking
+
+Chains track:
+
+- RotationCount  
+- TouchCount
+
+👉 Enables anomaly detection
+
+### 🚨 Revoke Cascade
+
+If a device is compromised:
+
+- Entire chain can be revoked  
+- All sessions invalidated  
+
+👉 Immediate containment
+
+<br>
+
+## ⚙️ Configuration
+
+Device behavior is configurable via session options:
+
+- Max chains per user  
+- Max sessions per chain  
+- Platform-based limits  
+- Device mismatch behavior
+
+👉 Fine-grained control for enterprise scenarios
+
+<br>
+
+## 🧠 Mental Model
+
+If you remember one thing:
+
+👉 Device = Chain  
+👉 Not just metadata
+
+## 📌 Key Takeaways
+
+- Devices are explicitly modeled  
+- Each device has its own chain  
+- Sessions belong to chains  
+- Security is enforced per device  
+- Logout and revoke operate on device scope
+
+## ➡️ Next Step
+
+Continue to **Configuration & Extensibility**
@@ -0,0 +1,136 @@
+# 🔐 Auth Flows
+
+Authentication in UltimateAuth is not a single operation.
+
+👉 It is a **flow-driven system**.
+
+<br>
+
+## 🧠 What is an Auth Flow?
+An auth flow represents a complete authentication operation, such as:
+
+- Logging in  
+- Refreshing a session  
+- Logging out  
+
+Each flow:
+
+- Has a defined lifecycle  
+- Runs through the orchestration pipeline  
+- Produces a controlled authentication outcome  
+
+👉 Instead of calling isolated APIs, you execute **flows**.
+
+## 🔄 Why Flow-Based?
+Traditional systems treat authentication as:
+
+- A login endpoint  
+- A token generator  
+- A cookie setter  
+
+👉 These approaches often lead to fragmented logic.
+
+UltimateAuth solves this by:
+- Structuring authentication as flows  
+- Enforcing a consistent execution model  
+- Centralizing security decisions  
+
+<br>
+
+## 🧩 What Happens During a Flow?
+Every flow follows the same pattern:
+```
+Flow → Context → Orchestrator → Authority → Result
+```
+
+- The **flow** defines the intent  
+- The **context** carries state  
+- The **orchestrator** coordinates execution  
+- The **authority** enforces rules  
+
+👉 This ensures consistent and secure behavior across all operations.
+
+<br>
+
+## 🔐 Types of Flows
+UltimateAuth provides built-in flows for common scenarios:
+
+### 🔑 Login Flow
+Establishes authentication by:
+
+- Validating credentials  
+- Creating session hierarchy (root, chain, session)  
+- Issuing tokens if required  
+
+👉 [Learn more](./login-flow.md)
+
+### 🔄 Refresh Flow
+Extends an existing session:
+
+- Rotates refresh tokens  
+- Maintains session continuity  
+- Applies sliding expiration  
+
+👉 [Learn more](./refresh-flow.md)
+
+### 🚪 Logout Flow
+Terminates authentication:
+
+- Revokes session(s)  
+- Invalidates tokens  
+- Supports device-level or global logout  
+
+👉 [Learn more](./logout-flow.md)
+
+<br>
+
+## 🧠 Supporting Concepts
+These flows operate on top of deeper system models:
+
+### 🧬 Session Lifecycle
+
+- Root → Chain → Session hierarchy  
+- Device-aware session structure  
+- Lifecycle management and revocation  
+
+👉 [Learn more](./session-lifecycle.md)
+
+### 🎟 Token Behavior
+
+- Access token vs refresh token  
+- Opaque vs JWT  
+- Mode-dependent behavior  
+
+👉 [Learn more](./token-behavior.md)
+
+### 📱 Device Management
+
+- Device binding  
+- Multi-device sessions  
+- Security implications  
+
+👉 [Learn more](./device-management.md)
+
+<br>
+
+## 🧠 Mental Model
+
+If you remember one thing:
+
+👉 **Authentication is not a single step**  
+👉 **It is a controlled flow of state transitions**
+
+## 📌 Key Takeaways
+
+- Authentication is executed as flows  
+- Each flow follows a consistent pipeline  
+- Sessions and tokens are created as part of flows  
+- Security is enforced centrally  
+
+---
+
+## ➡️ Next Step
+
+Start with the most important flow:
+
+👉 Continue to **Login Flow**