Agent identity and keys, kept explicit.
Identity and keys are the trust layer beneath the rest of the control plane. They tell the system who is speaking, which tenant it belongs to, and what can be rotated without breaking rollout.
Keep the enrollment story short: what is the client, how is it trusted, and how is that trust rotated.
Bind a machine or workspace to a tenant with explicit trust.
Identity tells you who the client is and which agent instance it belongs to.
A stable agent record with name, tenant, workspace, and host mapping.
Keys used to authenticate sync clients and support local operations.
A trust bundle can be rotated without changing the product model.
A short-lived path to bootstrap a new client safely.
Show what is verified, what is pending, and what can be rotated.
Teams can answer trust questions quickly without opening implementation details.
Which user or team owns this agent and the keys attached to it.
How to replace a key without breaking the agent's place in the fleet.
How to disable a stale trust path before it becomes a problem.
The same object model works for SaaS, NAS, and self-hosted installs.