Toktra monitors LLM usage on every enrolled endpoint in your fleet. The Devices page (DevicesPage) gives you a live inventory of agents, their status, and certificate health — and flags unmanaged devices that are using AI tools outside your visibility.
Viewing enrolled devices
Navigate to Devices in the sidebar. The table shows every device the Toktra agent has enrolled against your organization.

| Column | Description |
|---|---|
| Hostname | The device’s hostname as reported by the agent |
| Platform | Operating system: macos, windows, or linux |
| Agent Version | Installed agent version |
| Status | Enrolled (active mTLS cert) or Pending (cert not yet issued) |
| Lock | Whether the device has been locked via an emergency lockout |
| Last Seen | Timestamp of the most recent telemetry check-in |
Device status reference
Enrolled
The agent holds a valid device certificate and is actively transmitting telemetry. All LLM usage from this device is visible in the Usage dashboard.
Pending
The agent has contacted the enrollment endpoint but the certificate signing request (CSR) has not yet been approved, or the signed certificate has not been delivered to the device. This state usually resolves within a few seconds on first boot.
Locked
A lockout has been applied to this device — either via the Emergency Lockout page or automatically via the Okta or HRIS integration. The agent blocks outbound LLM connections until the lock is manually lifted.
Device certificate lifecycle
Every enrolled device holds an X.509 device certificate issued by the Toktra Intermediate CA. The certificate is stored in the platform Keychain (macOS) or Windows Certificate Store (Windows) and is never written to disk in plain text. Key facts:
- Validity period: 90 days from issuance.
- Auto-renewal: The agent requests a new certificate when fewer than 14 days remain. Renewal is transparent — telemetry continues uninterrupted.
- mTLS authentication: Every telemetry batch is authenticated using the device certificate. A device with an invalid or revoked certificate cannot connect to Toktra.
Toktra uses the Intermediate CA for day-to-day issuance. The Root CA is kept offline. If a certificate chain is compromised, the Intermediate CA can be rotated without reissuing the Root CA.
Revoking a device certificate
Revoke a certificate when a device is decommissioned, lost, or stolen.
Find the device
On the Devices page, locate the device by hostname. Use the Last Seen column to find stale devices.
Re-enrolling a device
After a revocation, the agent re-enrolls automatically at startup if the existing certificate is absent or invalid.
Confirm the old certificate is revoked
Verify the device row shows Pending or is absent from the table.
Restart the agent on the endpoint
The agent generates a new key pair, sends a CSR, and receives a new signed certificate. The device returns to Enrolled status.
Unmanaged device detection (shadow AI)
Toktra compares usage data received from provider admin APIs against device telemetry. Any provider usage that cannot be attributed to an enrolled, managed device is flagged as unmanaged. This is the shadow AI detection signal: it surfaces employees using ChatGPT, Claude, or other LLM tools from personal devices, home networks, or channels that bypass the corporate agent. How it works:
- Provider pollers (OpenAI, Anthropic, Azure, GCP Vertex AI) pull authoritative token counts from provider admin APIs.
- Toktra matches those counts against device telemetry by user identity.
- Residual usage — provider-reported tokens with no corresponding device event — is classified as unmanaged.
Toktra never inspects prompt content. Unmanaged device detection is based on token count metadata only.
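The residual calculation described above can be sketched as follows. This is an added example, not Toktra's code: the record fields, the sample values, and the function name `unmanaged_usage` are assumptions made for illustration, as are the case-insensitive identity match and the clamp at zero.

```python
from collections import defaultdict

# Constructed sample data (not real Toktra or provider output).
# Provider side: authoritative per-user token counts, as a poller might report them.
PROVIDER_USAGE = [
    {"user": "alice@example.com", "provider": "openai", "tokens": 12000},
    {"user": "bob@example.com", "provider": "anthropic", "tokens": 8000},
    {"user": "carol@example.com", "provider": "openai", "tokens": 5000},
]
# Device side: telemetry events from enrolled agents (token metadata only).
DEVICE_TELEMETRY = [
    {"user": "Alice@example.com", "provider": "openai", "device": "mac-0142", "tokens": 7000},
    {"user": "alice@example.com", "provider": "openai", "device": "win-0031", "tokens": 5000},
    {"user": "bob@example.com", "provider": "anthropic", "device": "lin-0007", "tokens": 3000},
]


def unmanaged_usage(provider_usage, device_telemetry):
    """Return {(user, provider): residual_tokens} for provider-reported
    usage that no enrolled-device event accounts for."""
    reported = defaultdict(int)
    for rec in provider_usage:
        # Assumption: identities are matched case-insensitively.
        reported[(rec["user"].lower(), rec["provider"])] += rec["tokens"]

    attributed = defaultdict(int)
    for ev in device_telemetry:
        # A user may have several enrolled devices; sum across all of them.
        attributed[(ev["user"].lower(), ev["provider"])] += ev["tokens"]

    residuals = {}
    for key, total in reported.items():
        # Clamp at zero: device telemetry that runs ahead of a provider poll
        # must not show up as negative unmanaged usage.
        residual = max(total - attributed.get(key, 0), 0)
        if residual > 0:
            residuals[key] = residual
    return residuals


if __name__ == "__main__":
    found = unmanaged_usage(PROVIDER_USAGE, DEVICE_TELEMETRY)
    for (user, provider), tokens in sorted(found.items()):
        print(f"unmanaged: {user} {provider} {tokens} tokens")
```

In the sample data, a user with no device events at all (carol) and a user whose device events cover only part of the provider total (bob) both surface as unmanaged, while usage split across two enrolled devices (alice) reconciles to zero.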