
Cloud Proxy

The shipped Cloud Proxy surface is a sysadmin onboarding flow for routing managed devices through ai.flowstate.inc.

You provision one org telemetry key, save it in your MDM secret store, and deploy a proxy payload that sets HTTP_PROXY and HTTPS_PROXY for the device. Each device authenticates to the proxy with the user's email as the Basic Auth username and the org telemetry key as the password, so Flowstate can meter traffic by subject without issuing one key per person.

Use this when you need a fleet-level network route and subject meter. Use the Flowstate Agent when you need full AI request capture, prompt-quality scoring, and request-time enforcement.

What ships today

The page at Settings -> AI -> Cloud Proxy gives admins four controls:

| Surface | What it does |
| --- | --- |
| Connection status | Shows Not configured, Pending, or Active, plus first and last capture timestamps when available. |
| Org telemetry key | Provisions a reveal-once org key and lets you re-provision to rotate it. |
| MDM payloads | Copy-paste payloads for Jamf Pro, Intune, Kandji, Mosyle, Google Workspace, JumpCloud, and a shell-only fallback. |
| Subject meter | Current-month request counts, quotas, and overage units per subject. |

The shipped flow is not a per-tool base_url integration. The public setup path is the MDM/network-proxy flow above.

Architecture

```text
Managed device or tool
  HTTP_PROXY / HTTPS_PROXY = https://<user-email>:<org-key>@ai.flowstate.inc
        |
        v
ai.flowstate.inc
  authenticate org key + subject email
  forward proxy traffic
  update connection status and subject meter
        |
        v
AI provider
```

A Cloud Proxy network-proxy tunnel is not equivalent to Agent Enterprise capture. In this shipped mode, Flowstate records proxy authentication and metering data; it does not store prompt bodies, response bodies, attachments, cookies, or vendor API keys from the encrypted provider connection.
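An added example (not Flowstate's own code or generated payload): it builds the proxy URL from the diagram above with the email and org key percent-encoded, derives the Basic credential a client sends from that URL, and masks the key before the URL reaches a log. The function names and the sample email and key are constructed for illustration; this page does not state how the generated MDM payloads encode these values.

```python
import base64
from urllib.parse import quote, unquote, urlsplit

PROXY_HOST = "ai.flowstate.inc"  # proxy host named on this page


def build_proxy_url(email: str, org_key: str, host: str = PROXY_HOST) -> str:
    """Return an HTTP_PROXY / HTTPS_PROXY value with encoded credentials.

    The '@' in an email address, and any ':' or '/' in a key, would otherwise
    be read as URL delimiters, so the userinfo part is percent-encoded.
    """
    if not email or "@" not in email:
        raise ValueError("subject must be an email address")
    if not org_key:
        raise ValueError("org key is empty")
    return f"https://{quote(email, safe='')}:{quote(org_key, safe='')}@{host}"


def basic_auth_header(proxy_url: str) -> str:
    """Proxy-Authorization value a client derives from the proxy URL."""
    parts = urlsplit(proxy_url)
    user = unquote(parts.username or "")      # urlsplit does not decode
    password = unquote(parts.password or "")
    token = base64.b64encode(f"{user}:{password}".encode()).decode()
    return f"Basic {token}"


def redact(proxy_url: str) -> str:
    """Mask the org key so the URL can appear in logs or tickets."""
    parts = urlsplit(proxy_url)
    if parts.password is None:
        return proxy_url
    host = parts.hostname + (f":{parts.port}" if parts.port else "")
    return f"{parts.scheme}://{parts.username}:***@{host}"


if __name__ == "__main__":
    # Constructed sample values, not a real subject or key.
    url = build_proxy_url("alice@example.com", "EXAMPLE:KEY/not+real")
    print(redact(url))
```

Because the org key is shared by every device, any script output, shell history, or process listing that shows the unredacted variable exposes the whole org's credential, not one user's.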

Quickstart

  1. Open Settings -> AI -> Cloud Proxy.
  2. Click Provision org key. Copy the cleartext value immediately; it is shown once.
  3. Save that value in your MDM as the secret referenced by the generated payload, typically MDM_FLOWSTATE_KEY or your MDM's equivalent secret name.
  4. Pick the MDM tab that matches your fleet and deploy the payload.
  5. Make one proxy-routed request from a managed device, then watch the page move from Pending to Active and populate the subject meter.

For copy-paste examples and verification commands, see Install the cloud proxy.

Cloud Proxy vs Agent

| | Cloud Proxy | Flowstate Agent |
| --- | --- | --- |
| Install shape | MDM payload sets HTTP_PROXY / HTTPS_PROXY | OS package installs a daemon |
| Key model | One org key, user email supplied per device | One org key plus agent-managed device context |
| Root certificate | Not required for the shipped proxy-metering flow | Required for managed TLS inspection modes |
| Works for tools that honor proxy settings | Yes | Yes |
| Works for tools that bypass proxy settings | No | Usually, depending on platform capture mode |
| Prompt and response body capture | No in shipped Cloud Proxy network mode | Yes in Enterprise capture mode |
| Prompt-quality scoring and content DLP | No from Cloud Proxy network mode alone | Yes in Enterprise capture mode |
| Request-time policy blocking | No from Cloud Proxy network mode alone | Yes when Agent enforcement is enabled |
| Current-month subject request meter | Yes | Agent traffic can also feed AI insights |

What Gets Metered

The subject meter is based on the proxy-authenticated request stream. It is designed for operational rollout and quota visibility:

  • subject identifier from the Basic Auth username, normally the user's work email;
  • org key prefix and key status;
  • first and last seen timestamps;
  • current-month request totals, quotas, and overage units.

Provider invoice reconciliation is separate. Connect vendor billing APIs at Usage providers to reconcile spend against provider-side records.
