ockam enroll

ockam enroll [OPTIONS]

The enroll command enrolls your Ockam Identity with Ockam Orchestrator.

It involves multiple steps. In the first step, if you specify an Identity using the --identity argument, the command uses it. If you don't specify an Identity, it checks if you have a default Identity. If you have one, the command uses this default Identity. If you do not have a default Identity, the command generates a new Identity in your default Vault. If you do not have a default Vault, the command creates a new one on your file system, makes it the default Vault, and uses it to store the private keys of your new Identity.

You will also need to use your web browser to type in a one-time code in order to activate the machine you are using to run the enroll command. You will then be required to log in to your Orchestrator account to complete activating this machine. To do so, you can choose to authenticate using GitHub or create a new email and password. If you choose the latter, then you will need to verify your email address.

Orchestrator is a SaaS product that provides remote relays and add-on integrations such as Confluent and Okta. If this is your first time signing in, the Orchestrator creates a new dedicated Space and Project for you. A Project offers two services: a Membership Authority and a Relay service.

The enroll command then asks this Project’s Membership Authority to sign and issue a Credential that attests that your Identifier is a member of this Project. Since your account in Orchestrator is the creator, and hence the first administrator, of this new Project, the Membership Authority issues this Credential. The command stores the Credential for later use and exits.


  • --identity [IDENTITY_NAME] (optional)
    The name of an existing Ockam Identity that you wish to enroll. You can use ockam identity list to get a list of existing Identities. To create a new Identity, use ockam identity create. If you don't specify an Identity, and you don't have a default Identity, this command will create a default Identity for you and save it locally in a default Vault.

  • --authorization-code-flow (optional)
    This option allows you to bypass pasting the one-time code and confirming device activation, and to use the PKCE (Proof Key for Code Exchange) authorization flow instead. Please be careful with this option since it will open your default system browser. This option might be useful if you have already enrolled and want to re-enroll using the same account information.

  • --force (optional)
    By default, this command checks the status of the Identity you specified (using --identity), or of the default Identity, and skips the enrollment process if that Identity is already enrolled. Use this flag to force the execution of the Identity enrollment process.

  • --skip-resource-creation (optional)
    Use this flag to skip creating Orchestrator resources. When you use this flag, we only check whether the Orchestrator resources are created, and if they are not, we continue without creating them.


$ ockam enroll

To create your own identity and enroll with it, run:

$ ockam identity create my_id
$ ockam enroll --identity my_id


If you have problems with your enrollment, please run ockam reset --yes && ockam enroll to delete your local state and start again. You can also reach out to us on Discord to ask for help at https://discord.ockam.io.