diff --git a/bubble-server/src/main/java/bubble/dao/account/TrustedClientDAO.java b/bubble-server/src/main/java/bubble/dao/account/TrustedClientDAO.java
index d5952988..22b11a9f 100644
--- a/bubble-server/src/main/java/bubble/dao/account/TrustedClientDAO.java
+++ b/bubble-server/src/main/java/bubble/dao/account/TrustedClientDAO.java
@@ -16,8 +16,8 @@ public class TrustedClientDAO extends AccountOwnedEntityDAO<TrustedClient> {
         return super.preCreate(trusted.setTrustId(randomUUID().toString()));
     }
 
-    @Override public TrustedClient postCreate(TrustedClient trusted, Object context) {
-        return super.postCreate(trusted, context);
+    public TrustedClient findByAccountAndDevice(String accountUuid, String deviceUuid) {
+        return findByUniqueFields("account", accountUuid, "device", deviceUuid);
     }
 
 }
diff --git a/bubble-server/src/main/java/bubble/dao/device/DeviceDAO.java b/bubble-server/src/main/java/bubble/dao/device/DeviceDAO.java
index 8d281305..3686a00c 100644
--- a/bubble-server/src/main/java/bubble/dao/device/DeviceDAO.java
+++ b/bubble-server/src/main/java/bubble/dao/device/DeviceDAO.java
@@ -67,7 +67,9 @@ public class DeviceDAO extends AccountOwnedEntityDAO<Device> {
 
     @Transactional
     @Override public Device create(@NonNull final Device device) {
-        if (isRawMode() || device.uninitialized()) return super.create(device);
+        if (isRawMode() || device.uninitialized() || device.getDeviceType().isNonVpnDevice()) {
+            return super.create(device);
+        }
 
         synchronized (createLock) {
             device.initDeviceType();
diff --git a/bubble-server/src/main/java/bubble/main/GenerateAlgoConfMain.java b/bubble-server/src/main/java/bubble/main/GenerateAlgoConfMain.java
index 2db167c9..190251cc 100644
--- a/bubble-server/src/main/java/bubble/main/GenerateAlgoConfMain.java
+++ b/bubble-server/src/main/java/bubble/main/GenerateAlgoConfMain.java
@@ -51,7 +51,7 @@ public class GenerateAlgoConfMain extends BaseMain<GenerateAlgoConfOptions> {
 
     private List<String> loadDevices() {
         try {
-            final String sqlResult = execScript("echo \"select uuid from device where enabled = TRUE\" | PGPASSWORD=\"$(cat /home/bubble/.BUBBLE_PG_PASSWORD)\" psql -U bubble -h 127.0.0.1 bubble -qt");
+            final String sqlResult = execScript("echo \"select uuid from device where enabled = TRUE and device_type != 'non_vpn'\" | PGPASSWORD=\"$(cat /home/bubble/.BUBBLE_PG_PASSWORD)\" psql -U bubble -h 127.0.0.1 bubble -qt");
             final List<String> deviceUuids = Arrays.stream(sqlResult.split("\n"))
                     .filter(device -> !empty(device))
                     .map(String::trim)
diff --git a/bubble-server/src/main/java/bubble/model/account/TrustedClient.java b/bubble-server/src/main/java/bubble/model/account/TrustedClient.java
index 3a72f756..51f4fb9f 100644
--- a/bubble-server/src/main/java/bubble/model/account/TrustedClient.java
+++ b/bubble-server/src/main/java/bubble/model/account/TrustedClient.java
@@ -5,6 +5,7 @@
 package bubble.model.account;
 
 
+import bubble.model.device.Device;
 import com.fasterxml.jackson.annotation.JsonIgnore;
 import lombok.Getter;
 import lombok.NoArgsConstructor;
@@ -33,6 +34,11 @@ public class TrustedClient extends IdentifiableBase implements HasAccount {
     @Column(nullable=false, updatable=false, length=UUID_MAXLEN)
     @Getter @Setter private String account;
 
+    @ECSearchable @ECField(index=20)
+    @ECForeignKey(entity=Device.class)
+    @Column(nullable=false, updatable=false, length=UUID_MAXLEN)
+    @Getter @Setter private String device;
+
     @ECField(index=20)
     @Type(type=ENCRYPTED_STRING) @Column(updatable=false, columnDefinition="varchar("+(100+ENC_PAD)+") NOT NULL")
     @JsonIgnore @Getter @Setter private String trustId;
diff --git a/bubble-server/src/main/java/bubble/model/account/TrustedClientLoginRequest.java b/bubble-server/src/main/java/bubble/model/account/TrustedClientLoginRequest.java
index 4f84e4eb..79019cf4 100644
--- a/bubble-server/src/main/java/bubble/model/account/TrustedClientLoginRequest.java
+++ b/bubble-server/src/main/java/bubble/model/account/TrustedClientLoginRequest.java
@@ -31,6 +31,10 @@ public class TrustedClientLoginRequest {
     private String password;
     public boolean hasPassword () { return !empty(password); }
 
+    @HasValue(message="err.device.required")
+    @Getter @Setter private String device;
+    public boolean hasDevice () { return !empty(device); }
+
     // require timestamp to begin with a '1'.
     // note: this means this pattern will break on October 11, 2603
     private static final String TRUST_HASH_REGEX = "^1[\\d]{10}-"+UUID_REGEX+"-"+UUID_REGEX+"$";
diff --git a/bubble-server/src/main/java/bubble/model/device/BubbleDeviceType.java b/bubble-server/src/main/java/bubble/model/device/BubbleDeviceType.java
index aab542d4..b6af556e 100644
--- a/bubble-server/src/main/java/bubble/model/device/BubbleDeviceType.java
+++ b/bubble-server/src/main/java/bubble/model/device/BubbleDeviceType.java
@@ -25,6 +25,7 @@ public enum BubbleDeviceType {
     android       (CertType.cer, true, DeviceSecurityLevel.basic),
     linux         (CertType.crt, true, DeviceSecurityLevel.standard),
     firefox       (CertType.crt, false),
+    web_client    (null, false, DeviceSecurityLevel.disabled),
     other         (null, true, DeviceSecurityLevel.basic);
 
     @Getter private final CertType certType;
@@ -36,6 +37,9 @@ public enum BubbleDeviceType {
 
     @JsonCreator public static BubbleDeviceType fromString (String v) { return enumFromString(BubbleDeviceType.class, v); }
 
+    public boolean isNonVpnDevice () { return this == web_client; }
+    public boolean isVpnDevice () { return !isNonVpnDevice(); }
+
     @Getter(lazy=true) private static final List<BubbleDeviceType> selectableTypes = initSelectable();
     private static List<BubbleDeviceType> initSelectable() {
         return Arrays.stream(values())
diff --git a/bubble-server/src/main/java/bubble/model/device/Device.java b/bubble-server/src/main/java/bubble/model/device/Device.java
index dbce006f..93fff6bc 100644
--- a/bubble-server/src/main/java/bubble/model/device/Device.java
+++ b/bubble-server/src/main/java/bubble/model/device/Device.java
@@ -4,7 +4,6 @@
  */
 package bubble.model.device;
 
-import bubble.ApiConstants;
 import bubble.model.account.Account;
 import bubble.model.account.HasAccount;
 import bubble.model.cloud.BubbleNetwork;
@@ -22,10 +21,10 @@ import org.hibernate.annotations.Type;
 
 import javax.persistence.*;
 import javax.validation.constraints.Size;
-
 import java.io.File;
 
 import static bubble.ApiConstants.EP_DEVICES;
+import static bubble.ApiConstants.HOME_DIR;
 import static bubble.model.device.BubbleDeviceType.other;
 import static bubble.model.device.BubbleDeviceType.uninitialized;
 import static java.util.UUID.randomUUID;
@@ -51,10 +50,10 @@ public class Device extends IdentifiableBase implements HasAccount {
     public static final String UNINITIALIZED_DEVICE = "__uninitialized_device__";
     public static final String UNINITIALIZED_DEVICE_LIKE = UNINITIALIZED_DEVICE+"%";
 
-    public static final String VPN_CONFIG_PATH = ApiConstants.HOME_DIR + "/configs/localhost/wireguard/";
+    public static final String VPN_CONFIG_PATH = HOME_DIR + "/configs/localhost/wireguard/";
 
-    public File qrFile () { return new File(Device.VPN_CONFIG_PATH+getUuid()+".png"); }
-    public File vpnConfFile () { return new File(Device.VPN_CONFIG_PATH+getUuid()+".conf"); }
+    public File qrFile () { return new File(VPN_CONFIG_PATH+getUuid()+".png"); }
+    public File vpnConfFile () { return new File(VPN_CONFIG_PATH+getUuid()+".conf"); }
     public boolean configsOk () { return qrFile().exists() && vpnConfFile().exists(); }
 
     public Device (Device other) { copy(this, other, CREATE_FIELDS); }
diff --git a/bubble-server/src/main/java/bubble/resources/account/TrustedAuthResource.java b/bubble-server/src/main/java/bubble/resources/account/TrustedAuthResource.java
index 6c812126..d04347ea 100644
--- a/bubble-server/src/main/java/bubble/resources/account/TrustedAuthResource.java
+++ b/bubble-server/src/main/java/bubble/resources/account/TrustedAuthResource.java
@@ -8,8 +8,10 @@ import bubble.dao.SessionDAO;
 import bubble.dao.account.AccountDAO;
 import bubble.dao.account.AccountPolicyDAO;
 import bubble.dao.account.TrustedClientDAO;
+import bubble.dao.device.DeviceDAO;
 import bubble.model.account.*;
 import bubble.model.account.message.ActionTarget;
+import bubble.model.device.Device;
 import bubble.service.account.StandardAuthenticatorService;
 import lombok.Getter;
 import lombok.extern.slf4j.Slf4j;
@@ -21,7 +23,6 @@ import javax.validation.Valid;
 import javax.ws.rs.*;
 import javax.ws.rs.core.Context;
 import javax.ws.rs.core.Response;
-import java.util.List;
 
 import static bubble.ApiConstants.EP_DELETE;
 import static bubble.resources.account.AuthResource.newLoginSession;
@@ -41,6 +42,7 @@ public class TrustedAuthResource {
 
     @Autowired private AccountDAO accountDAO;
     @Autowired private AccountPolicyDAO policyDAO;
+    @Autowired private DeviceDAO deviceDAO;
     @Autowired private SessionDAO sessionDAO;
     @Autowired private StandardAuthenticatorService authenticatorService;
     @Autowired private TrustedClientDAO trustedClientDAO;
@@ -55,10 +57,20 @@ public class TrustedAuthResource {
         final Account account = validateAccountLogin(request.getEmail(), request.getPassword());
         if (!account.getUuid().equals(caller.getUuid())) return notFound(request.getEmail());
 
+        final Device device = deviceDAO.findByAccountAndId(account.getUuid(), request.getDevice());
+        if (device == null) return notFound(request.getDevice());
+
+        // is there an existing trusted client for this device?
+        final TrustedClient existing = trustedClientDAO.findByAccountAndDevice(account.getUuid(), device.getUuid());
+        if (existing != null) return invalid("err.device.alreadyTrusted");
+
         final AccountPolicy policy = policyDAO.findSingleByAccount(account.getUuid());
         authenticatorService.ensureAuthenticated(ctx, policy, ActionTarget.account);
 
-        return ok(new TrustedClientResponse(trustedClientDAO.create(new TrustedClient().setAccount(account.getUuid())).getTrustId()));
+        final TrustedClient trusted = new TrustedClient()
+                .setAccount(account.getUuid())
+                .setDevice(device.getUuid());
+        return ok(new TrustedClientResponse(trustedClientDAO.create(trusted).getTrustId()));
     }
 
     @POST
@@ -75,15 +87,17 @@ public class TrustedAuthResource {
         return ok(account.setToken(newLoginSession(account, accountDAO, sessionDAO)));
     }
 
-    @POST @Path(EP_DELETE)
+    @DELETE @Path(EP_DELETE+"/{device}")
     public Response removeTrustedClient(@Context ContainerRequest ctx,
-                                        @Valid TrustedClientLoginRequest request) {
+                                        @PathParam("device") String deviceId) {
         final Account caller = userPrincipal(ctx);
-        final Account validated = validateAccountLogin(request.getEmail(), request.getPassword());
-        if (!validated.getUuid().equals(caller.getUuid())) return notFound(request.getEmail());
 
-        final Account account = validateTrustedCall(request);
-        final TrustedClient trusted = findTrustedClient(account, request);
+        final Device device = deviceDAO.findByAccountAndId(caller.getUuid(), deviceId);
+        if (device == null) return notFound(deviceId);
+
+        final TrustedClient trusted = trustedClientDAO.findByAccountAndDevice(caller.getUuid(), device.getUuid());
+        if (trusted == null) return notFound(deviceId);
+
         trustedClientDAO.delete(trusted.getUuid());
         return ok_empty();
     }
@@ -116,9 +130,12 @@ public class TrustedAuthResource {
     }
 
     private TrustedClient findTrustedClient(Account account, TrustedClientLoginRequest request) {
-        final List<TrustedClient> trustedClients = trustedClientDAO.findByAccount(account.getUuid());
-        final TrustedClient trusted = trustedClients.stream().filter(c -> c.isValid(request)).findFirst().orElse(null);
+        final TrustedClient trusted = trustedClientDAO.findByAccountAndDevice(account.getUuid(), request.getDevice());
         if (trusted == null) {
+            log.warn("findTrustedClient: no TrustedClient found for device");
+            throw notFoundEx(request.getDevice());
+        }
+        if (!trusted.isValid(request)) {
             log.warn("findTrustedClient: no TrustedClient found for salt/hash");
             throw notFoundEx(request.getTrustHash());
         }
diff --git a/bubble-server/src/main/resources/ansible/roles/mitmproxy/tasks/main.yml b/bubble-server/src/main/resources/ansible/roles/mitmproxy/tasks/main.yml
index 4c04ff45..531bb521 100644
--- a/bubble-server/src/main/resources/ansible/roles/mitmproxy/tasks/main.yml
+++ b/bubble-server/src/main/resources/ansible/roles/mitmproxy/tasks/main.yml
@@ -46,7 +46,7 @@
     group: mitmproxy
     mode: 0600
 
-- name: Install mitmproxy_monitor supervisor conf file
+- name: Install mitm_monitor supervisor conf file
   copy:
     src: supervisor_mitm_monitor.conf
     dest: /etc/supervisor/conf.d/mitm_monitor.conf
diff --git a/bubble-server/src/main/resources/db/migration/V2020080301__add_trusted_client_device.sql b/bubble-server/src/main/resources/db/migration/V2020080301__add_trusted_client_device.sql
new file mode 100644
index 00000000..d39629b1
--- /dev/null
+++ b/bubble-server/src/main/resources/db/migration/V2020080301__add_trusted_client_device.sql
@@ -0,0 +1,8 @@
+
+DELETE FROM trusted_client;
+ALTER TABLE ONLY trusted_client ADD COLUMN device character varying(100) NOT NULL;
+
+CREATE INDEX trusted_client_idx_device ON trusted_client USING btree (device);
+CREATE UNIQUE INDEX trusted_client_uniq_account_device ON trusted_client USING btree (account, device);
+
+ALTER TABLE ONLY trusted_client ADD CONSTRAINT trusted_client_fk_device FOREIGN KEY (device) REFERENCES device(uuid);
diff --git a/bubble-server/src/main/resources/message_templates/en_US/server/post_auth/ResourceMessages.properties b/bubble-server/src/main/resources/message_templates/en_US/server/post_auth/ResourceMessages.properties
index 452619ea..5d60ee0f 100644
--- a/bubble-server/src/main/resources/message_templates/en_US/server/post_auth/ResourceMessages.properties
+++ b/bubble-server/src/main/resources/message_templates/en_US/server/post_auth/ResourceMessages.properties
@@ -842,10 +842,6 @@ err.suspended.cannotSuspendSelf=You cannot suspend yourself
 err.tag.invalid=Tag is invalid
 err.tagsJson.length=Too many tags
 err.tagString.length=Too many tags
-err.trustHash.required=trustHash is required
-err.trustHash.invalid=trustHash is not valid
-err.trustSalt.required=trustSalt is required
-err.trustSalt.invalid=trustSalt is not valid
 err.tgzB64.invalid.noRolesDir=No roles directory found in tgz
 err.tgzB64.invalid.wrongNumberOfFiles=Wrong number of files in tgz base directory
 err.tgzB64.invalid.missingTasksMainYml=No tasks/main.yml file found for role in tgz
diff --git a/bubble-server/src/main/resources/message_templates/en_US/server/pre_auth/ResourceMessages.properties b/bubble-server/src/main/resources/message_templates/en_US/server/pre_auth/ResourceMessages.properties
index 4035caa8..396c44fc 100644
--- a/bubble-server/src/main/resources/message_templates/en_US/server/pre_auth/ResourceMessages.properties
+++ b/bubble-server/src/main/resources/message_templates/en_US/server/pre_auth/ResourceMessages.properties
@@ -411,6 +411,14 @@ message_resetPassword_sent=Password Reset Message Successfully Sent
 # App Login
 message_authenticating_app_login=Authenticating session...
 
+# Trusted devices
+err.trustHash.required=trustHash is required
+err.trustHash.invalid=trustHash is not valid
+err.trustSalt.required=trustSalt is required
+err.trustSalt.invalid=trustSalt is not valid
+err.device.required=Device is required
+err.device.alreadyTrusted=Device is already trusted
+
 # Payment methods
 payment_description_credit=Credit or Debit Card
 payment_description_code=Invitation Code
diff --git a/bubble-server/src/test/resources/models/tests/auth/totp_auth.json b/bubble-server/src/test/resources/models/tests/auth/totp_auth.json
index d28f75b6..4e598f7f 100644
--- a/bubble-server/src/test/resources/models/tests/auth/totp_auth.json
+++ b/bubble-server/src/test/resources/models/tests/auth/totp_auth.json
@@ -123,6 +123,21 @@
     }
   },
 
+  {
+    "comment": "create web client device",
+    "request": {
+      "uri": "me/devices",
+      "method": "put",
+      "entity": {
+        "name": "firefox-{{rand 10}}",
+        "deviceType": "web_client"
+      }
+    },
+    "response": {
+      "store": "device"
+    }
+  },
+
   {
     "comment": "login a third time with new session, TOTP still required",
     "request": {
@@ -149,7 +164,8 @@
       "method": "put",
       "entity": {
         "name": "{{userAccount.name}}",
-        "password": "foobar1!"
+        "password": "foobar1!",
+        "device": "{{device.uuid}}"
       }
     },
     "response": {
@@ -178,6 +194,7 @@
       "entity": {
         "name": "{{userAccount.name}}",
         "password": "foobar1!",
+        "device": "{{device.uuid}}",
         "trustHash": "{{sha256expr '[[serverTime]]-392f466c-cd17-11ea-bf46-0bb4a63a0769-[[trusted.id]]'}}",
         "trustSalt": "{{serverTime}}-392f466c-cd17-11ea-bf46-0bb4a63a0769"
       }
@@ -202,44 +219,11 @@
     }
   },
 
-  {
-    "comment": "remove trust for this device, fails because we used the same serverTime",
-    "request": {
-      "uri": "auth/trust/delete",
-      "entity": {
-        "name": "{{userAccount.name}}",
-        "password": "foobar1!",
-        "trustHash": "{{sha256expr '[[serverTime]]-392f466c-cd17-11ea-bf46-0bb4a63a0769-[[trusted.id]]'}}",
-        "trustSalt": "{{serverTime}}-392f466c-cd17-11ea-bf46-0bb4a63a0769"
-      }
-    },
-    "response": {
-      "status": 422,
-      "check": [
-        {"condition": "json.has('err.trustHash.invalid')"}
-      ]
-    }
-  },
-
-  {
-    "comment": "get updated server time",
-    "request": {
-      "uri": "auth/time"
-    },
-    "response": { "store": "serverTime" }
-  },
-
-
   {
     "comment": "remove trust for this device, succeeds",
     "request": {
-      "uri": "auth/trust/delete",
-      "entity": {
-        "name": "{{userAccount.name}}",
-        "password": "foobar1!",
-        "trustHash": "{{sha256expr '[[serverTime]]-392f466c-cd17-11ea-bf46-0bb4a63a0769-[[trusted.id]]'}}",
-        "trustSalt": "{{serverTime}}-392f466c-cd17-11ea-bf46-0bb4a63a0769"
-      }
+      "uri": "auth/trust/delete/{{device.uuid}}",
+      "method": "delete"
     }
   },
 
diff --git a/utils/cobbzilla-wizard b/utils/cobbzilla-wizard
index 360ea806..121fc1cc 160000
--- a/utils/cobbzilla-wizard
+++ b/utils/cobbzilla-wizard
@@ -1 +1 @@
-Subproject commit 360ea8067406a3babdf8cd6488a4f5c391ac36bf
+Subproject commit 121fc1cc39ff487d74f9000658ba9138e18e9267