← TinySync wiki Appendix · single-page reference Understand Integrate Decide
TinySync — Design Series

Drive as a Service:
Platform Integration Model

How TinySync Drive connects to an external ecosystem — mapping ecosystem identities to Drive devices, authorizing access through groups, and keeping the sync engine clean of application-level concerns.

Work in Progress Architecture Groups · Vaults · Devices Platform Service

01The Problem

TinySync is a file sync engine. It has its own identity primitives: devices and device tokens. Everything that reads or writes to a vault authenticates as a device. There are no users, sessions, or roles inside TinySync itself.

But Drive is deployed into other products — Scribe, a workspace platform, a developer tool. Those products have their own users, login flows, roles, and organization structures. When a user opens the Drive app on their laptop, something has to bridge the gap between "Alice logged in to Scribe" and "device dev_7a3b is authorized to read vault v_docs".

That bridge is what this document describes. The goal is to keep TinySync's sync engine simple and product-agnostic while giving ecosystems the control they need over who can access what.

Core principle
TinySync knows about devices, groups, and vaults. It does not know about users, login sessions, products, or organizations. All ecosystem-level logic lives outside TinySync, in the Platform Service.

02Six Elements

The integration model is built from six distinct concepts. Understanding what each one is — and what it deliberately is not — is the foundation for everything else.

Ecosystem
User
An identity in the external ecosystem (Scribe account, org member). TinySync does not know users exist.
TinySync
Device
A logged-in session of a user on a physical machine. TinySync's atomic identity unit. One device token per session.
TinySync
Group
An opaque set of devices in TinySync. No user semantics. Authorization is granted to groups, not to devices directly.
TinySync
Vault
A storage namespace — a root of the synced file tree. Access is granted at the group level. One vault per "shared drive".
TinySync
Container
A tagged view inside a vault. Carries product namespace and access policies. Orthogonal to groups and authorization.
Platform Layer
Platform Service
The translation layer between ecosystem events and TinySync operations. Owns the user → devices mapping.
Element boundaries
graph LR subgraph Ecosystem["Ecosystem (e.g. Scribe)"] U[User] end subgraph PlatformSvc["Platform Service"] PS[Platform Service\nuser → devices mapping] end subgraph TinySync["TinySync"] D[Device] G[Group] V[Vault] C[Container] end U -- "login / logout" --> PS PS -- "register / revoke device" --> D PS -- "add / remove from group" --> G D -- "member of" --> G G -- "access to" --> V V -- "contains" --> C

The key boundary: everything left of TinySync is the ecosystem's responsibility. TinySync never reads ecosystem user records, session tokens, or role assignments. It only sees device IDs and group memberships — both of which are managed for it by the Platform Service.

03Identity Model

TinySync's identity unit is the device. A device is not a machine — it is a logged-in session of a specific user on a specific machine. The same laptop has two different device identities if two different users log in on it.

Device token format

Device tokens are custom bearer tokens, not JWTs. Each token encodes its device ID and a random secret:

tsdev_{device_id}_{secret}

device_id  — opaque identifier, assigned at registration
secret     — 32 random bytes, base64url-encoded

The server stores only the SHA-256 hash of the secret (with a domain separator). The raw token never persists on the server side. This means a device token cannot be recovered after issuance — only revoked.

One token per session

There is exactly one device token per (user × physical device) pair. If Alice logs in on her MacBook, the Platform Service registers a device and issues one token. That token lives on Alice's MacBook. It is not shared with Bob's MacBook, even if both are in the same group.

Why this matters
A single compromised token can be revoked (by revoking that device) without affecting any other device in the group. Revocation is surgical, not sweeping.

Who knows about users?

TinySync does not. The Platform Service maintains the user_id → [device_ids] mapping. When an ecosystem event arrives (user added to workspace, user promoted to admin), the Platform Service translates it into device operations and calls the TinySync API.

Concern Lives in TinySync knows?
User identity Ecosystem + Platform Service No
User → Devices mapping Platform Service No
Device identity TinySync Yes (it's the primary key)
Device → Groups TinySync Yes
Group → Vaults TinySync Yes

04Group-Based Authorization

In TinySync, access to a vault is granted at the group level — never directly to individual devices. A device gets access to a vault by virtue of being a member of a group that has access to that vault.

Authorization chain
graph LR D1[Device A] --> G1[Group: Acme Workspace] D2[Device B] --> G1 D3[Device C] --> G1 G1 --> V1[Vault: acme-docs] G1 --> V2[Vault: acme-projects]

Why groups, not direct device authorization?

Consider a workspace with 50 users each with 2 devices (100 devices) accessing 20 vaults. Without groups, adding a new vault requires 100 authorization records. Adding a new device requires 20. With group-based auth, adding a vault is one group-vault edge. Adding a device is one device-group edge. Neither requires touching the other.

Key invariant
Adding a vault to a group never requires re-provisioning device tokens. Adding a device to a group never requires re-provisioning vault access records. The two operations are fully decoupled.

Group membership is opaque to TinySync

TinySync stores group IDs as opaque identifiers. It does not know what a group "means" in the ecosystem — whether it maps to a team, an organization, a billing tier, or a product subscription. That interpretation lives entirely in the Platform Service. TinySync only answers: "is device X a member of a group that has access to vault Y?"

Authorization at request time

TinySync resolves authorization lazily, at each request. When a device presents a token and requests access to a vault, the server checks: is this device in a group that has access to this vault? If yes, the request proceeds. There is no pre-computed access matrix that needs to be kept in sync.

05Multi-Group Access

A device can belong to multiple groups. A vault can belong to multiple groups. This is a deliberate design choice that enables complex organizational structures without requiring TinySync to understand them.

Multi-group access example
graph LR D1[Alice's MacBook] --> G1[Group: Acme All-Access] D1 --> G2[Group: Acme Engineering] D2[Bob's MacBook] --> G1 D3[Carol's MacBook] --> G2 G1 --> V1[Vault: acme-company-drive] G2 --> V1 G2 --> V2[Vault: acme-eng-private]

In this example: Alice's MacBook is in both groups and can reach both vaults. Carol's MacBook is only in the Engineering group and can reach both vaults her group has access to. Bob's MacBook is only in the All-Access group and can reach only the company drive.

Access is the union of all group memberships

If a device belongs to groups G1 and G2, its effective vault access is the union of vaults accessible via G1 and vaults accessible via G2. There is no "deny" — group membership is purely additive. Access restriction is achieved by keeping a device out of a group, not by adding a deny rule.

Design implication
There is no concept of "override" or "deny" in this model. If you want to restrict a device to a subset of vaults, design your groups to only grant the vaults that device should see. Don't add it to a group it shouldn't be in.

Practical patterns

Ecosystem conceptMapped as
Organization-wide Drive One group containing all org members' devices, one vault
Team-specific Drive One group per team, one vault per team; devices in team group
Cross-team shared vault Vault accessible by multiple groups; each team group gets the edge
Personal Drive One group per user containing all their devices, one personal vault
Admin full access Admin devices added to all relevant groups, or a special admin group with all vault edges

06Containers

A container is a tagged view inside a vault. Containers carry product namespace and policy information — they are how different consuming products carve out their space within a shared vault without interfering with each other.

What containers are for

Imagine Scribe and Drive both use the same vault for an organization. Scribe might store document attachments; Drive stores the full file tree. Containers let them tag their items differently and apply different access policies without requiring separate vaults per product.

Relationship to groups
Container policies and group membership are orthogonal. A container policy describes what can be done to items inside it. Group membership describes who can reach the vault at all. Authorization (who) is via groups; namespace and policy (what) is via containers.

Container ↔ Group: no direct relationship

This is a deliberate choice. A device authorized to a vault (via a group) can read any container in that vault — unless container-level access controls are added separately. The primary access gate is the group. Containers add a layer of namespace and policy on top, not a separate authorization layer.

Vault, container, and group relationships
graph TB G[Group] -- "grants access to" --> V[Vault] V -- "contains" --> C1[Container: scribe/*] V -- "contains" --> C2[Container: drive/*] V -- "contains" --> C3[Container: assets/*] C1 -- "policy: readonly for non-owners" --> C1 C2 -- "policy: full sync" --> C2

07Platform Service

The Platform Service is the translation layer between the external ecosystem and TinySync. It is not part of TinySync — it is a service that the ecosystem operator builds and runs, which speaks to TinySync's management API.

What the Platform Service owns

  • The user → devices mapping (which devices belong to which user)
  • The device registration lifecycle (when to create a device, when to revoke it)
  • The group management logic (when to add a device to a group, when to remove it)
  • Translation from ecosystem events to TinySync API calls

What the Platform Service does not own

  • It does not decide whether a sync succeeds or fails — that's TinySync's job
  • It does not manage file contents or metadata — that's the vault
  • It does not run on the client device — it's a server-side service
Platform service event flow
sequenceDiagram participant Eco as Ecosystem participant PS as Platform Service participant TS as TinySync API Eco->>PS: user.joined_workspace(user_id, workspace_id) PS->>PS: lookup user's devices PS->>TS: POST /groups/{group_id}/devices/{device_id} TS-->>PS: 200 OK Eco->>PS: workspace.vault_added(workspace_id, vault_id) PS->>PS: lookup workspace group PS->>TS: POST /groups/{group_id}/vaults/{vault_id} TS-->>PS: 200 OK Eco->>PS: user.left_workspace(user_id, workspace_id) PS->>PS: lookup user's devices, workspace group PS->>TS: DELETE /groups/{group_id}/devices/{device_id} TS-->>PS: 200 OK

Platform Service is ecosystem-specific

Each ecosystem that embeds Drive builds its own Platform Service. The service shape is consistent (it talks to TinySync's management API), but the event sources and business logic are ecosystem-specific. A Scribe integration listens to Scribe events; a different product integration listens to its own events.

Design advantage
TinySync's sync engine is never modified per-ecosystem. All ecosystem-specific logic is pushed into the Platform Service. This means TinySync can serve multiple ecosystems simultaneously without any per-tenant code.

08Integration Lifecycle

The lifecycle covers the key moments in a device's relationship with a vault: registration, group assignment, active sync, and revocation.

Device registration

A device is registered when a user sets up Drive on a specific machine. This is not the same as a user logging in to the ecosystem — a login might create a session, but a Drive device is only registered when the user explicitly activates the Drive app on that device.

Device registration flow
sequenceDiagram participant App as Drive App (client) participant PS as Platform Service participant TS as TinySync App->>PS: "Set up Drive" (user auth token) PS->>PS: verify user identity, generate device_id PS->>TS: POST /devices (device_id, metadata) TS-->>PS: device token (tsdev_...) PS->>PS: add device to user's groups PS-->>App: device token App->>App: persist token locally App->>TS: first sync (using device token)

Group assignment

Once a device is registered, the Platform Service determines which groups it should belong to — based on the user's membership in the ecosystem (teams, org, subscription tier). Group assignment happens immediately after registration and is updated whenever the user's ecosystem memberships change.

Active sync lifecycle

During normal operation, the device uses its token to communicate directly with TinySync. The Platform Service is not involved in individual sync operations — its job is to keep group membership current as ecosystem state changes.

Revocation

A device is revoked in TinySync when any of these occur:

  • User explicitly disconnects Drive on that device (uninstall, sign out of Drive)
  • User loses access to the ecosystem (account deleted, subscription ended)
  • Admin revokes the device for security reasons

Revocation deletes the device's token hash from TinySync. The device token immediately stops working. It cannot be recovered — the device must re-register to get a new token.

Logout vs revocation
Logging out of the ecosystem does not automatically revoke the Drive device token. A Drive session persists across ecosystem logins unless explicitly revoked. This is a deliberate choice — Drive is a local-first sync engine; files should remain available on the device even when the user is offline or not logged into the web app.

Re-registration

If a device is revoked and the user wants to re-enable Drive on the same machine, the Platform Service creates a new device registration. This issues a new device_id and a new token. The new device goes through group assignment again. The physical machine having had a prior device registered has no effect on the new registration.

09Token Management

Token management is the operational concern of keeping device tokens secure and current across the fleet of devices an ecosystem manages.

Token storage on the client

Device tokens are stored by the Drive app in the OS credential store (Keychain on macOS, Windows Credential Manager). They are not stored in plaintext. The token is the device's long-lived credential — losing it (or having it revoked) requires re-registration.

Token storage on the server

TinySync stores only the SHA-256 hash of the secret portion of each token, with a domain separator to prevent cross-purpose hash reuse. The raw token is never stored. Validation is: hash the presented secret, compare to stored hash.

stored_hash = SHA-256("tinysync-device-token:" + secret_bytes)

No token rotation in v1

Device tokens do not expire and are not rotated automatically. Revocation is the only way to invalidate a token. This keeps the implementation simple and avoids the complexity of refresh flows on a sync engine that must work offline.

Future consideration
Token rotation (issuing a new token periodically while the old one is still valid for a grace period) is a reasonable v2 addition for high-security deployments. It is out of scope for v1.

Group token? No.

There is no "group token" — a single credential that grants access to all vaults a group can reach. Each device has its own token. The group structure is a server-side authorization record, not a credential. This ensures that compromising one device never grants access to the group's vaults from a different device — the attacker also needs the group membership to be in place, which is managed server-side.

10Design Invariants

These are the properties the design is built to maintain. Violating any of them means rethinking the model, not finding a workaround.

TinySync has no user concept
No user table, no user ID in any TinySync API. All client identity is expressed as device IDs. If the design ever requires TinySync to know about users directly, that's a signal the boundary has been crossed incorrectly.
Authorization is resolved at request time, not pre-computed
There is no pre-built access matrix that has to be kept in sync. When a device makes a request, the server checks group membership in real time. This means group changes take effect immediately without any cache invalidation.
One token per (user × device) — never shared
Two users on the same machine get different device IDs and tokens. Sharing a token between devices is not supported. Revocation of one token never affects another device's ability to sync.
Adding group membership is additive and non-destructive
Adding a device to a group never revokes existing access or requires token changes. Removing a device from a group never affects the device's membership in other groups. Operations are independent.
The Platform Service is the only keeper of user → device mapping
No other system should maintain or cache this mapping authoritatively. If a Platform Service needs to query "which devices does this user have?", it queries its own store, not TinySync.
Container policy ≠ authorization
Containers are for namespace and policy, not for access control. Access gating is entirely the responsibility of the group → vault relationship. A device authorized to a vault can see all containers in it unless explicit container-level ACLs are layered on separately.

11Open Questions

⚠ This section captures unresolved design decisions. These need answers before the Platform Service can be specced in detail.
Open Question 1
What triggers Drive device registration? Does every ecosystem login automatically register a Drive device, or only when the user explicitly activates the Drive app on that device?
  • Explicit activation — user opens the Drive app and clicks "Set up Drive". Registration is intentional. Platform Service only acts when Drive setup occurs.
  • Automatic on login — any ecosystem login on a known device auto-registers a Drive device. Platform Service listens to user.login events.
  • Hybrid — auto-register for users with a Drive entitlement, manual setup for everyone else.
Open Question 2
What happens to the Drive device token on ecosystem logout?
  • Token is preserved — Drive continues syncing even when the user is logged out of the ecosystem. Re-login does not require re-registration. This is the local-first-friendly model.
  • Token is revoked on logout — Drive stops syncing when the user logs out. Logging back in triggers re-registration. Cleaner security model, worse offline experience.
  • Token is suspended (soft revoke) — sync pauses on logout, resumes on login without re-registration. Requires a "suspended" device state in TinySync (not currently in scope).
Open Question 3
Same device_id or new on re-registration? When a user re-registers Drive on the same physical machine (after revocation), does the Platform Service reuse the old device_id or generate a new one?
  • Always new device_id — simpler, no state to look up. Each registration is independent. Old sync history is not carried over.
  • Reuse device_id if same machine — Platform Service tracks machine fingerprint → device_id mapping. Allows history continuity but adds complexity to the Platform Service.
Open Question 4
Should TinySync groups have names or types? Right now groups are opaque IDs. Should TinySync store metadata (name, type, owning ecosystem) on groups to aid debugging and multi-ecosystem deployments?
  • Opaque IDs only — TinySync stores no group metadata. Debugging maps group IDs through the Platform Service. Simpler TinySync schema.
  • Name + ecosystem tag — TinySync stores a display name and the ecosystem that owns the group. Useful for admin dashboards and audit logs without exposing business logic to TinySync.