Toktra is built on a simple principle: observe what AI tools are being used, by whom, and how much — without ever reading what’s being said. Here’s how data moves from a device to your dashboard.
The data flow
The agent observes outbound connections
When a user on an enrolled device sends a request to an LLM provider — ChatGPT, Claude, Copilot, or any supported service — the Toktra agent sees the outbound TLS connection before it’s encrypted.
The agent reads the SNI (Server Name Indication) field from the TLS handshake. SNI is a plain-text extension that tells the server which hostname the client wants to connect to. It’s present in every TLS connection and contains only the destination hostname — the agent never sees the encrypted request body or response content.
The agent also records:
- Byte counts (request size and response size)
- Connection timing
- The local user account making the request
api.openai.com, api.anthropic.com, and others), then estimates token counts from the byte counts using provider-specific ratios.
Events are transmitted securely
The agent buffers events locally and sends them in encrypted batches to Toktra’s cloud over mutual TLS (mTLS).
Both sides authenticate: Toktra’s servers present a certificate, and the agent presents its device certificate — signed by Toktra’s certificate authority during enrollment. A device without a valid certificate cannot connect.
Toktra processes and stores events
Toktra’s cloud backend validates the device certificate, confirms the device belongs to your organization, and enriches each event with user and device metadata before storing it for analytics.
Events are classified by provider, model, and usage category in real time.
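How a hostname is read from the cleartext ClientHello, as in the first step of the data flow above. This is an added example, not Toktra's agent code: the names `Reader`, `extract_sni`, `prefixed` and `build_client_hello` are hypothetical, the ClientHello bytes are constructed, and the parser assumes the whole ClientHello arrives in a single TLS record.

```python
class Reader:
    """Bounds-checked cursor: any read past the end raises ValueError."""
    def __init__(self, data):
        self.data, self.pos = data, 0
    def take(self, n):
        if self.pos + n > len(self.data):
            raise ValueError("truncated")
        self.pos += n
        return self.data[self.pos - n:self.pos]
    def uint(self, size):
        return int.from_bytes(self.take(size), "big")
    def vec(self, size):  # vector with a size-byte length prefix
        return Reader(self.take(self.uint(size)))
    def left(self):
        return len(self.data) - self.pos

def extract_sni(record):
    """Return the server_name hostname from a ClientHello record, else None."""
    try:
        rec = Reader(record)
        rec_type, _version, hs = rec.uint(1), rec.take(2), rec.vec(2)
        if rec_type != 0x16 or hs.uint(1) != 0x01:  # handshake / client_hello
            return None
        hello = hs.vec(3)
        hello.take(2 + 32)            # client_version, random
        for prefix in (1, 2, 1):      # session_id, cipher_suites, compression
            hello.vec(prefix)
        exts = hello.vec(2)
        while exts.left():
            ext_type, ext = exts.uint(2), exts.vec(2)
            if ext_type == 0:         # server_name extension
                names = ext.vec(2)
                while names.left():
                    name_type, name = names.uint(1), names.vec(2)
                    if name_type == 0:  # host_name entry
                        return name.data.decode("ascii").lower()
    except (ValueError, UnicodeDecodeError):
        return None                   # malformed or truncated input
    return None                       # well-formed, but no SNI present

def prefixed(n, payload):
    return len(payload).to_bytes(n, "big") + payload

def build_client_hello(hostname=None):
    """Constructed sample input: a minimal ClientHello record, SNI optional."""
    entry = b"\x00" + prefixed(2, (hostname or "").encode("ascii"))
    exts = b"\x00\x00" + prefixed(2, prefixed(2, entry)) if hostname else b""
    # version, random, empty session_id, one cipher suite, null compression
    hello = b"\x03\x03" + bytes(32) + b"\x00\x00\x02\x13\x01\x01\x00" + prefixed(2, exts)
    return b"\x16\x03\x01" + prefixed(2, b"\x01" + prefixed(3, hello))
```

Only handshake metadata is parsed here; the application data records that follow the handshake are never read.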
Shadow AI detection
The data flow above covers usage on managed devices — machines where you’ve installed the Toktra agent. But what about employees using AI tools on personal laptops, phones, or via accounts you didn’t provision?
Toktra detects this through provider API reconciliation. Toktra polls the admin APIs of supported providers — OpenAI, Anthropic, Azure OpenAI, and Google Cloud Vertex AI — to retrieve your organization’s total usage directly from the provider. It then compares that total against the usage your agents reported from managed devices. If the provider reports more usage than your agents saw, the difference represents activity on unmanaged devices. Toktra surfaces this gap in the dashboard so you know shadow AI is happening, even if you can’t attribute it to a specific person.
Provider API reconciliation requires API keys for each provider’s admin/organization API. You configure these in Settings → Provider Connections.
Real-time dashboard updates
Usage data appears in the dashboard within seconds of a request being made. The pipeline is designed for low latency:
- Agent batching window: 50 events or 5 seconds
- Cloud ingestion: sub-second
- Analytics pipeline: near real-time
What Toktra never does
- Never decrypts TLS traffic. The SNI hostname is read from the unencrypted TLS handshake header. The encrypted payload is never touched.
- Never captures prompt content. The agent records byte counts and timing, not request or response bodies.
- Never blocks traffic. The macOS Network Extension and Windows WFP driver are observation-only. All traffic is permitted.
- Never shares data across tenants. Every data store is scoped to your organization — cross-tenant access is architecturally prevented.