Skip to main content

Documentation Index

Fetch the complete documentation index at: https://docs.promptguard.co/llms.txt

Use this file to discover all available pages before exploring further.

Fleet enrollment lets an org admin roll Shadow AI out to many employees and see the whole fleet in one dashboard — with least-privilege, per-device credentials that can be revoked individually.

How it works

1

Admin mints an enrollment token

In the dashboard (Fleet → Enrollment Tokens) an admin creates a token, optionally restricted by platform and with a max-use / expiry. The raw token is shown once.
2

Each device redeems it

The agent calls POST /api/v1/enroll (or pgshadow enroll <token>) and receives a scan-only credential bound to the org’s fleet project. The browser extension is configured with the same credential.
3

Events roll up to the dashboard

Every scan is tagged with the device and surface=desktop|browser. Admins see all enrolled employees’ activity; non-admins never see colleagues’ data.
4

Revoke any device instantly

Fleet → Devices → revoke. The device’s credential is deactivated and its next scan is rejected.

Security properties

  • Least privilege — device credentials carry a scan scope only; they cannot reach proxy or management endpoints even if stolen.
  • Per-employee attribution — via an end-user label, without requiring a user account per employee.
  • Org-scoped visibility — fleet events are visible to org admins only; the read path is bound to the organization, never a shared key.

API

ActionEndpoint
Mint enrollment tokenPOST /dashboard/fleet/enrollment-tokens (admin)
Redeem (device)POST /api/v1/enroll
List / revoke devicesGET / DELETE /dashboard/fleet/devices
Register a self-hosted instancePOST /dashboard/fleet/instances (admin)
See the API Reference for full schemas.