# Key Concepts

## Device-bound access

Traditional security asks: *who are you?* You prove it with a password.

Peig asks: *which device is this?* The device proves it using a cryptographic key that is unique to that device and cannot be copied or transferred.

When a user is onboarded to a Peig workspace, their device is registered and cryptographically bound to their identity. Every access request must come from that registered device. There is no password — the Peig app handles authentication silently in the background.

## The Peig workspace

A **workspace** is the central environment that connects your users, their devices, and the services they are authorised to access. It sits between your users and your applications, acting as a **Policy Enforcement Point** — only allowing access from verified, registered devices.

```
Users & Devices → Peig Workspace (Policy Enforcement Point) → Your Applications
```

## Workspace roles

There are two admin roles in a Peig workspace:

| Role             | Responsibilities                                            |
| ---------------- | ----------------------------------------------------------- |
| **Global Admin** | Configures which services are connected to the workspace    |
| **Access Admin** | Manages users, approves devices, and controls access rights |

A single person can hold both roles. Access Admins receive email notifications for all workspace events — new device requests, access changes, and re-approval requests.

## How users get access

Every user goes through an onboarding process before they can access anything. There are two flows:

**Admin-initiated** — The Access Admin creates a user account, assigns access rights, and sends an invitation. The user downloads Peig and completes setup on their device.

**User-initiated** — The user downloads Peig, enters the workspace name and their email, and submits a request. The Access Admin reviews and approves it.

In both cases, the onboarding request is cryptographically bound to the user's device from the moment it is submitted.

## Access is per user, per device, per service

Access to each connected service must be explicitly granted to each user. There is no "grant access to everything" option. Users only see the services they have been given access to — nothing else is visible to them.

Individual devices can also be suspended independently — blocking access from a specific device without affecting the user's other registered devices or their account.
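To make the device-bound flow above and the per-user, per-device, per-service rule concrete, here is an added illustration of what a policy enforcement point built on device-bound keys has to check. It is not Peig's code and not Peig's wire protocol (that is documented on the Cryptography and Protocol page); it only models the properties this page states. The device holds an Ed25519 private key that never leaves it; the workspace stores only the public key bound at onboarding, an explicit (user, service) grant table and a per-device suspension flag; every access request is a signature over a fresh workspace nonce plus the service name. The names `Workspace`, `Authorize`, `deviceSign`, the user `alice`, the device `alice-laptop` and the service `wiki` are all assumptions made for the example.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"errors"
	"fmt"
)

var ErrUnknownDevice = errors.New("device not registered in this workspace")
var ErrSuspended = errors.New("device is suspended")
var ErrNoChallenge = errors.New("no outstanding challenge for this device")
var ErrBadSignature = errors.New("signature does not verify under the registered device key")
var ErrNotGranted = errors.New("user has not been granted this service")

// deviceSign is the silent step the app performs. The private key never leaves
// the device (a real client would hold it in a secure element); the service name
// is bound into the signed bytes, so a signature for one service is useless for another.
func deviceSign(priv ed25519.PrivateKey, nonce []byte, service string) []byte {
	return ed25519.Sign(priv, append(append([]byte{}, nonce...), service...))
}

type registration struct {
	user      string
	pub       ed25519.PublicKey
	suspended bool
}
type grant struct{ user, service string }

// Workspace is the policy enforcement point: registered device public keys,
// explicit per-user per-service grants, and one outstanding challenge per device.
type Workspace struct {
	devices    map[string]registration
	grants     map[grant]bool
	challenges map[string][]byte
}

func NewWorkspace() *Workspace {
	return &Workspace{map[string]registration{}, map[grant]bool{}, map[string][]byte{}}
}
func (w *Workspace) RegisterDevice(id, user string, pub ed25519.PublicKey) {
	w.devices[id] = registration{user: user, pub: pub} // onboarding: only the public key arrives
}
func (w *Workspace) GrantAccess(user, service string) { w.grants[grant{user, service}] = true }

// SuspendDevice blocks one device; the user's other devices are untouched.
func (w *Workspace) SuspendDevice(id string) {
	if r, ok := w.devices[id]; ok {
		r.suspended = true
		w.devices[id] = r
	}
}

// Challenge hands a registered device a fresh random nonce to sign.
func (w *Workspace) Challenge(id string) ([]byte, error) {
	if _, ok := w.devices[id]; !ok {
		return nil, ErrUnknownDevice
	}
	nonce := make([]byte, 32)
	if _, err := rand.Read(nonce); err != nil {
		return nil, err
	}
	w.challenges[id] = nonce
	return nonce, nil
}

// Authorize is the enforcement decision: registered, not suspended, signature over
// (nonce || service) verifies under the onboarding key, and the user holds a grant.
// The nonce is consumed first, so a captured signature cannot be replayed.
func (w *Workspace) Authorize(id, service string, sig []byte) (string, error) {
	r, ok := w.devices[id]
	if !ok {
		return "", ErrUnknownDevice
	}
	if r.suspended {
		return "", ErrSuspended
	}
	nonce, ok := w.challenges[id]
	if !ok {
		return "", ErrNoChallenge
	}
	delete(w.challenges, id)
	if !ed25519.Verify(r.pub, append(append([]byte{}, nonce...), service...), sig) {
		return "", ErrBadSignature
	}
	if !w.grants[grant{r.user, service}] {
		return "", ErrNotGranted
	}
	return r.user, nil
}

func main() {
	pub, priv, _ := ed25519.GenerateKey(rand.Reader) // generated on the device
	ws := NewWorkspace()
	ws.RegisterDevice("alice-laptop", "alice", pub)
	ws.GrantAccess("alice", "wiki")
	nonce, _ := ws.Challenge("alice-laptop")
	fmt.Println(ws.Authorize("alice-laptop", "wiki", deviceSign(priv, nonce, "wiki")))
}
```

The order of checks is the point: a request from an unregistered or suspended device is refused before any cryptography runs, a signature made under any key other than the one bound at onboarding fails, a signature captured on the wire fails on reuse because its nonce is gone, a signature made for one service does not open another, and even a valid signature from a valid device is refused when the user has not been granted that particular service.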

## Device sync and recovery

**Adding a second device** — Users can register additional devices using the device sync flow. Both devices must be physically present. The user authorises the new device from the already-registered one. The Access Admin is notified immediately.

**Lost device** — If a user loses all their devices, they initiate a re-approval request from their new device. Because the new device has no cryptographic relationship to the account yet, this is the one step that rests entirely on the Access Admin verifying the user's identity before approving. Once approved, all previous device records are removed and access is re-established from the new device only.

{% hint style="info" %}
Want to understand the cryptography behind device binding? See [Cryptography and Protocol](/welcome-to-peig-documentation/security/cryptography-and-protocol.md).
{% endhint %}
