Connect over Bluetooth (Chrome/Edge/Android) or Wi-Fi (iPhone & everything), prove the device is genuinely yours, then hand it Wi-Fi — without installing anything.
In plain terms: two different things have to be trustworthy. (1) This web page — it handles your Wi-Fi password, so it's locked down to make zero network requests (open DevTools → Network and you'll see nothing leaves your browser; the connect-src 'none' security policy enforces it). (2) The device — anyone nearby could run a fake "Cognitum" gadget, so before you hand it anything, Step 2 makes the device mathematically prove it's really yours.
Set up over Wi-Fi works on iPhone
Your browser can't talk to Bluetooth devices (that's normal on iPhone, iPad, and Firefox) — so set up directly over the Seed's own Wi-Fi instead. Same security checks, served straight from the device.
On this device, open Wi-Fi settings and join the network named Cognitum-XXXX — its name and password are on your Seed's label / QR sticker.
Your phone should pop the setup page open automatically. If not, open http://192.168.4.1 in your browser.
On that page: confirm the fingerprint, pick your home Wi-Fi, and claim the device — identical steps to the Bluetooth flow.
When it finishes, the Seed leaves its hotspot and joins your Wi-Fi. Rejoin your normal Wi-Fi here to manage it from anywhere.
Why not right here? To reach the Seed your phone must join its Wi-Fi, which means leaving your normal network — so the Seed serves its own setup page at 192.168.4.1. The fingerprint check and the sealed-to-the-device encryption are exactly the same as Bluetooth.
This page must be served over HTTPS. Open the deployed URL, don't double-click the file.
1. Connect to your Seed Disconnected
Power the Seed on (a USB charger is fine — it doesn't need your computer) and give it ~1 minute to start advertising over Bluetooth.
When the browser dialog opens, pick the device named cognitum_….
In plain terms: your laptop keeps its normal internet the whole time — Bluetooth is a separate radio. That's why this page can load and talk to the device at once (a Wi-Fi-hotspot approach would knock you offline). No cable, no certificate, no port confusion.
This asks the device to sign a random number that only the genuine Seed's private key can sign — then checks the result, and matches its fingerprint to the code printed on your device.
In plain terms: it's like checking ID. (a) The Seed shows its public key. (b) We send it a brand-new random number and ask it to "sign" it; only the real Seed holds the secret key that can produce a valid signature — a fake can't fake this. (c) We turn its public key into a short fingerprint and you check that it matches the code printed on your actual device. If a look-alike nearby tried to impersonate it, the fingerprint wouldn't match and the signature wouldn't check out.
This device's fingerprint:
—
Does this match the fingerprint printed on your Seed (or its QR sticker)?
3. Put it on Wi-Fi Not connected
So the Seed can reach the internet for updates. Only unlocked after the device is verified.
In plain terms: you pick your network and type the password. Before it leaves this page it's sealed (encrypted) to this specific device's key — so only your Seed can open it. Even the Bluetooth link and this page's host see only ciphertext, and connect-src 'none' still means the page can't send it anywhere else.
4. Claim it as yours Unclaimed
Bind this Seed to your account so only you can manage it remotely. Unlocks after Wi-Fi is up.
In plain terms: claiming tells the device who owns it. The owner id is sealed to the device's key just like the Wi-Fi password, and the device records the binding (in production it appends a signed entry to its witness chain and the cloud creates your private …seed.cognitum.one address). prototype uses a stand-in owner id; the real flow binds to your passkey login.
Activity
About this prototype
Static HTML plus one same-origin script. It uses
Web Bluetooth
to talk to the Seed's GATT service, the built-in
Web Crypto
(Ed25519) to verify identity, and a small bundled
tweetnacl
to seal Wi-Fi creds and the claim to the device's X25519 key (libsodium crypto_box_seal). That sealed-box code is validated byte-for-byte against the device's Rust implementation by an automated cross-check. Loading the script is allowed by script-src 'self'; egress is still blocked by connect-src 'none'. Demo mode generates real Ed25519 + X25519 keypairs in your browser, so both the verification AND the sealing math run for real with no hardware.