Workstations

Fleet management for every AI-agent workstation in your organization. Know who is using agents, what they are working on, whether their environment is hardened, and which versions are deployed from a single dashboard.

Why fleet visibility matters

AI coding agents give developers extraordinary power. A single session can read files, execute shell commands, make web requests, and modify your codebase. Without centralized visibility, security teams are blind to:

How many developers are using Claude Code, Cursor, Codex, Gemini CLI, Windsurf, Copilot, or Cowork.
Whether sandbox mode and hook coverage are healthy across the fleet.
Which workstations are running outdated versions with known issues
What projects agents are operating on right now

Agent Keeper Workstations solves this. Each connected agent reports a heartbeat and source badge, giving you real-time fleet intelligence with minimal developer friction.

How it works

When a developer starts a Claude Code session, the SessionStart hook fires an HTTP request to POST /api/v1/claude-code/checkin. This call:

Authenticates the request using the API key in the hook configuration
Extracts identity: hostname from the X-Hostname header or derived from the working directory (e.g., /Users/jimmy/project yields jimmy)
Creates or updates the workstation record in the database with platform, Claude Code version, sandbox status, and git remote
Records a session with the working directory, git remote URL, and session ID for activity tracking
Returns the shield policy so the Claude Code session knows the enforcement configuration (strict/moderate, warn/block)

Subsequent hook calls (PreToolUse, PostToolUse) update the heartbeat timestamp, keeping the online status current throughout the session.

Developer starts Claude Code
        |
        v
SessionStart hook fires -> POST /api/v1/claude-code/checkin
        |
        v
Host record created/updated in database
        |
        v
Shield policy returned to session context
        |
        v
PreToolUse / PostToolUse hooks keep heartbeat alive

No manual registration. The developer installs the plugin or hook config, and their workstation appears in your fleet automatically.

Fleet table

The Workstations page at /claude-code displays every registered workstation in a sortable table.

Column	Description
Status	Green dot = online (heartbeat within 15 minutes). Gray = offline. Lock icon = over plan limit.
Workstation	Hostname of the machine. Clickable link to host detail page. Shows source badges for each connected agent surface.
Developer	Username derived from the session's working directory, or enriched with full name from Identity Provider directory sync.
Platform	macOS, Linux, or Windows.
Version	Agent runtime version when reported. Amber badge appears when a newer version exists in the fleet.
Sandbox	Whether sandbox or equivalent hardening is enabled where the agent reports it. Green = on, amber = off.
Project	Current project extracted from the git remote URL or working directory of the most recent session.
Sessions (7d)	Number of Claude Code sessions started on this workstation in the last 7 days.
Last seen	Relative timestamp of the last heartbeat (e.g., "3m ago", "2h ago").

Active sessions are shown inline next to the hostname when a developer is currently working.

Source filtering

Filter buttons appear above the table for every connected source: Claude Code, Cursor, Codex, Gemini CLI, Windsurf, Copilot, and Cowork. Each filter shows a count badge. Workstations connected to multiple products show multiple source badges.

Fleet stats

Four stat cards sit above the fleet table, giving you an at-a-glance health summary:

Stat	What it shows
Online workstations	Count of workstations with a heartbeat in the last 15 minutes, out of total registered.
Active developers	Unique developer count across all recent sessions.
Need update	Number of workstations running an older Claude Code version than the newest in your fleet. Shows green "All current" when everyone is on the same version.
Sandbox adoption	Percentage of workstations with sandbox mode enabled. Green when 100%, amber otherwise.

Version distribution

When your fleet runs multiple Claude Code versions, a visual bar chart appears below the stat cards. Each version gets a colored segment proportional to its count, so you can see at a glance how fragmented your fleet is and who needs to update.

Workstation limits by plan

All workstations register regardless of plan, they appear in the fleet table so you always have full visibility. Workstations beyond your plan limit are locked: visible but not clickable, with an "Upgrade" link instead of host detail access.

Plan	Monitored workstations	Price
Free	1	$0
Pro	3	$19/mo
Team	Unlimited	$29/seat/mo (min 3 seats)
Enterprise	Unlimited	Custom

Locked workstations still register via SessionStart and show in the fleet table with a lock icon and dimmed styling. This is intentional, you can see your full fleet size to understand the value of upgrading before you commit. The upgrade banner shows exactly how many workstations are monitored vs. total.

Upgrade your plan

Onboarding

First-time users who visit the Workstations page see a wizard-style setup flow instead of an empty table. The wizard:

Asks which agent surface you are securing.
Shows the recommended setup path for that surface.
Generates an API key inline with a one-click button, no need to navigate to Settings.
Shows the connect command for Claude Code or links to the relevant setup guide for other agents.
Polls for the first workstation and auto-refreshes the page when it connects.

For team deployments, use GitHub Repo Hooks, JAMF, or Kandji to distribute hooks without relying on each developer to install them manually.

Hooks configuration

Under the setup wizard, an advanced panel shows the raw hooks JSON configuration with your API key pre-filled. This is the configuration that gets written to .claude/settings.json (project) or ~/.claude/settings.json (global):

{
  "hooks": {
    "UserPromptSubmit": [
      { "matcher": "*", "hooks": [{ "type": "http", "url": "https://YOUR_AGENTKEEPER_URL/api/v1/claude-code/evaluate", "headers": { "Authorization": "Bearer ak_live_..." }, "timeout": 10 }] }
    ],
    "PreToolUse": [
      { "matcher": "Bash|Edit|Write|Read|Glob|Grep|WebFetch|WebSearch", "hooks": [{ "type": "http", "url": "https://YOUR_AGENTKEEPER_URL/api/v1/claude-code/evaluate", "headers": { "Authorization": "Bearer ak_live_..." }, "timeout": 10 }] }
    ],
    "PostToolUse": [
      { "matcher": "Bash|Edit|Write|Read|Glob|Grep|WebFetch|WebSearch", "hooks": [{ "type": "http", "url": "https://YOUR_AGENTKEEPER_URL/api/v1/claude-code/audit", "headers": { "Authorization": "Bearer ak_live_..." }, "timeout": 10 }] }
    ],
    "SessionStart": [
      { "matcher": "*", "hooks": [{ "type": "http", "url": "https://YOUR_AGENTKEEPER_URL/api/v1/claude-code/checkin", "headers": { "Authorization": "Bearer ak_live_..." }, "timeout": 10 }] }
    ]
  }
}

A copy button lets developers paste the entire configuration in one step.

Adding workstations

The Add workstation button in the top-right corner opens a slide-out panel with the same guided setup flow as onboarding. This is useful when onboarding new team members or setting up additional machines.

The Add workstation flow supports Claude Code, Cursor, Codex, Gemini CLI, Windsurf, GitHub Copilot Agent Mode, and Claude Cowork from the same panel. Pick the agent surface, follow the guide, and wait for the first check-in.

Developer identity enrichment

When your organization has an Identity Provider connected (Okta, Azure AD, Google Workspace, etc.) via the Identity Providers integration, Agent Keeper enriches the Developer column:

Display name from the directory replaces the raw username
Department and job title appear as secondary text below the name
Matching uses the session's user hint against the directory user's email prefix and display name

This transforms the fleet table from a list of hostnames into a people-centric view of who is using Claude Code and where they sit in the organization.

Session tracking

Every SessionStart creates a session record with:

Hostname and developer username
Claude Code version and OS
Sandbox enabled/disabled
Working directory (cwd)
Git remote URL (the project being worked on)
Start time, last seen time, and end time

Sessions feed the Sessions (7d) column in the fleet table and the sessions today count in the page header. The working directory and git remote are used to determine the current project shown in the fleet table.

Host detail

Clicking a workstation hostname navigates to the host detail page, which provides deeper information:

Overview: shield status, security insights, score history, scan history
Checks: phase-by-phase pass/fail details from connected endpoint telemetry and hook check-ins
Monitoring: shield events, threat detection timeline, active sessions

Each workstation is a full host record in Agent Keeper, meaning it gets the same security intelligence (insights, CVE audit, score tracking) as any other monitored host.

Frequently asked questions

Do developers need to do anything special?

No. Once the plugin is installed or hooks are configured, every new Claude Code session automatically registers with the dashboard. There is no separate "register workstation" step.

What if a developer changes machines?

Each machine gets its own workstation record based on hostname. When a developer moves to a new laptop, the new machine registers as a new workstation. The old one will show as offline after 15 minutes of inactivity.

Can I remove a workstation?

Workstation records are managed from the host detail page. Removing a host removes it from the fleet table. The workstation will re-register on the next Claude Code session unless the hooks are removed.

What data is sent during checkin?

The SessionStart hook sends the working directory, git remote URL, Claude Code version, OS platform, sandbox status, and session ID. No file contents, code, or conversation history is transmitted during checkin. Tool-level data is only sent during PreToolUse and PostToolUse hooks for threat detection.

Does this work with the plugin or repo hooks?

Both. The plugin method (/plugin install agentkeeper) and repo-level .claude/settings.json both configure the same SessionStart hook. Workstations register regardless of which installation method was used.

What happens when I exceed my workstation limit?

Extra workstations still register and appear in the fleet table. They are shown with a lock icon and dimmed styling. You can see the hostname, developer, and status, but cannot click through to the host detail page. Upgrade to unlock full access to all workstations.