> ## Documentation Index
> Fetch the complete documentation index at: https://docs.promptguard.co/llms.txt
> Use this file to discover all available pages before exploring further.

# Fleet Enrollment

> Roll Shadow AI out to your whole team — each device gets its own scoped, revocable credential, and you see all AI activity in one dashboard.

Fleet enrollment is how an admin deploys Shadow AI across many employees at
once. Instead of handing out a shared API key, each device redeems a one-time
token for **its own least-privilege credential** — so you can attribute activity
per employee and revoke any single device instantly, without touching the rest.

## Roll it out

<Steps>
  <Step title="Create an enrollment token">
    In the dashboard, go to **Fleet → Enrollment Tokens** and create one. You can
    limit it by platform and set a max number of uses or an expiry. The token is
    shown **once** — copy it then.
  </Step>

  <Step title="Each device redeems it">
    Employees run one command (or your MDM runs it for them):

    ```bash theme={"system"}
    pgshadow enroll <token>
    ```

    The device receives a **scan-only** credential bound to your organization's
    fleet — no shared secret, no per-employee account needed.
  </Step>

  <Step title="Activity rolls up to you">
    Every verdict is tagged with the device and surface (`desktop` / `browser`).
    Admins see the whole fleet's AI activity in one place; employees never see
    each other's data.
  </Step>

  <Step title="Revoke any device in one click">
    **Fleet → Devices → Revoke.** That device's credential is deactivated
    immediately and its next request is rejected — the rest of the fleet is
    unaffected.
  </Step>
</Steps>

## Why per-device credentials

<CardGroup cols={3}>
  <Card title="Least privilege" icon="key">
    Device credentials can only **scan** — even if one leaked, it can't reach
    management or proxy endpoints.
  </Card>

  <Card title="Clean attribution" icon="user-check">
    See which employee triggered a block, via a per-device label — no separate
    user account required.
  </Card>

  <Card title="Scoped visibility" icon="building-lock">
    Fleet activity is visible to your org's admins only, never through a shared
    key.
  </Card>
</CardGroup>

## For automation

If you're scripting enrollment or building tooling, these are the endpoints
behind the dashboard:

| Action                                         | Endpoint                                  |
| ---------------------------------------------- | ----------------------------------------- |
| Create an enrollment token (admin)             | `POST /dashboard/fleet/enrollment-tokens` |
| Redeem a token (device)                        | `POST /api/v1/enroll`                     |
| List or revoke devices                         | `GET` / `DELETE /dashboard/fleet/devices` |
| Register a self-hosted engine instance (admin) | `POST /dashboard/fleet/instances`         |

See the [API Reference](/api-reference/introduction) for full request and
response schemas.

## Next steps

<Card title="Choose where your data runs" icon="cloud" href="/shadow-ai/deployment-modes">
  Keep the engine in our cloud, on your own infrastructure, or fully air-gapped.
</Card>
