Why keep images private?

The FAQ says:

The OS image you download from the UI has embedded credentials that allow the device to register to your application without user input on boot. You should keep your downloaded images private.

Why should images be kept private?
If devices with SD cards are shipped to end users, what is to stop them from reading the card?

We would like to provide an image download to end users so they can set up their own hardware.
Is that a bad idea?

Thanks.

From what I can see, that would allow an end user to register many, many devices to your account, costing you money. It’s not impossible for someone to buy your product and then do the same thing; it just adds a layer of “eh, screw it - too much hassle” to it.

Thanks for that.

We have a registration process that links devices to user accounts.
If that process doesn’t happen in, say, 14 days, we would use the API to delete the device.

Reasonable?