Roll it out
Create an enrollment token
In the dashboard, go to Fleet → Enrollment Tokens and create one. You can
limit it by platform and set a max number of uses or an expiry. The token is
shown once — copy it then.
Each device redeems it
Employees run one command (or your MDM runs it for them):The device receives a scan-only credential bound to your organization’s
fleet — no shared secret, no per-employee account needed.
Activity rolls up to you
Every verdict is tagged with the device and surface (
desktop / browser).
Admins see the whole fleet’s AI activity in one place; employees never see
each other’s data.Why per-device credentials
Least privilege
Device credentials can only scan — even if one leaked, it can’t reach
management or proxy endpoints.
Clean attribution
See which employee triggered a block, via a per-device label — no separate
user account required.
Scoped visibility
Fleet activity is visible to your org’s admins only, never through a shared
key.
For automation
If you’re scripting enrollment or building tooling, these are the endpoints behind the dashboard:| Action | Endpoint |
|---|---|
| Create an enrollment token (admin) | POST /dashboard/fleet/enrollment-tokens |
| Redeem a token (device) | POST /api/v1/enroll |
| List or revoke devices | GET / DELETE /dashboard/fleet/devices |
| Register a self-hosted engine instance (admin) | POST /dashboard/fleet/instances |
Next steps
Choose where your data runs
Keep the engine in our cloud, on your own infrastructure, or fully air-gapped.