Just Works: disallowed by default for public-facing sessions; "Just Works" BLE pairing is only allowed for LAN sessions
Out-of-Band (OOB): require a QR code scan (encoding the hardware specifications) or a unique PIN code
Pairing process must be explicitly initiated by the authenticated user
Use OAuth 2.0 Bearer tokens or signed JWTs with a preset expiration
Client tokens issued by the vendor server must never be stored in plaintext
Use refresh tokens only via a secure backend exchange, never exposed to the front-end
Default session timeout: 15 minutes of inactivity
Max session duration: 1 hour
All tokens are invalidated on logout or device disconnect
Use WebSocket keep-alives and disconnect on idle
Devices are mapped to the user's hashed identity token
A session must validate device ownership and the user's intent to share before a temporary access code or link is issued
In multi-user scenarios, require explicit consent from all users before a session ID can be created
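One way to enforce the pairing-mode, idle-timeout, max-duration, invalidation and ownership rules listed above, as an added Python example that is not part of the original requirements; the Session class, the scope names "lan"/"public" and the method names "just_works"/"oob" are assumptions:

```python
from dataclasses import dataclass

# Policy constants taken from the requirements above (seconds).
IDLE_TIMEOUT_S = 15 * 60   # 15 minutes of inactivity
MAX_SESSION_S = 60 * 60    # 1 hour absolute lifetime

@dataclass
class Session:
    device_id: str
    owner_hash: str        # hashed user identity the device is mapped to
    scope: str             # assumed values: "lan" or "public"
    created_at: float
    last_activity: float
    revoked: bool = False

    def invalidate(self) -> None:
        """Called on logout or device disconnect; the token is dead afterwards."""
        self.revoked = True

def pairing_allowed(method: str, scope: str) -> bool:
    """Just Works only on LAN sessions; OOB (QR/PIN) is the default elsewhere."""
    if method == "just_works":
        return scope == "lan"
    return method == "oob"

def session_valid(s: Session, now: float) -> bool:
    """Not revoked, within the idle timeout and within the max lifetime."""
    if s.revoked:
        return False
    if now - s.last_activity > IDLE_TIMEOUT_S:
        return False
    return now - s.created_at <= MAX_SESSION_S

def touch(s: Session, now: float) -> bool:
    """Record activity (e.g. a WebSocket keep-alive). A keep-alive that
    arrives after expiry revokes the session instead of reviving it."""
    if not session_valid(s, now):
        s.invalidate()
        return False
    s.last_activity = now
    return True

def can_share_access(s: Session, requester_hash: str, now: float) -> bool:
    """Ownership check before a temporary access code or link is issued."""
    return session_valid(s, now) and s.owner_hash == requester_hash
```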