The code only references a role
Roles and policies are already delivered to the device — the code merely points at one of them. It is cryptographically bound to the device, the login attempt and the chosen level, so it cannot be repurposed for another device, attempt or level.
rights live on the device beforehand
Dual accountability
The server records each issuance: who, for which device, when, at what level. The device keeps its own hash-chained login journal, even while offline. The two records can be correlated with each other.
server + device
Access lives in your SSO
Before issuing a code the server checks whether this engineer may hold this level on this device. An engineer offboarded or blocked in SSO gets no more codes, immediately.
issuance is a server decision
One platform with Tessera Access
Codes runs on the same open-source Tessera agent — nothing to reinstall on the devices. Shared roles, shared Tessera Control, shared audit journal.
the same agent on the device