Appearance
Install the cloud proxy
The shipped Cloud Proxy setup is a fleet proxy configuration, not a per-tool SDK override. Set it up from Settings -> AI -> Cloud Proxy, then deploy the generated MDM payload to the devices you want to meter.
Step 1 - Provision the org key
- Go to
Settings -> AI -> Cloud Proxy. - Click Provision org key.
- Copy the cleartext key from the reveal dialog. It is shown once.
- Save it in your MDM secret store. The generated payload refers to it as
MDM_FLOWSTATE_KEYunless you rename the secret in your MDM.
The key is org-scoped. The per-device subject comes from the Basic Auth username in the proxy URL, which the generated MDM payload fills with the user's work email.
To rotate, click Re-provision (rotate) and update the MDM secret. The previous active org key is revoked as part of rotation.
Step 2 - Deploy the MDM payload
Open the MDM tab that matches your fleet and paste the payload into that MDM's configuration surface.
| MDM tab | What the payload sets |
|---|---|
| Jamf Pro | LaunchAgent-style environment for HTTP_PROXY, HTTPS_PROXY, and NO_PROXY. |
| Intune | PowerShell/system environment variables for Windows devices. |
| Kandji | Shell payload writing proxy variables for managed macOS devices. |
| Mosyle | Shell payload writing proxy variables for managed macOS devices. |
| Google Workspace | Managed Chrome/ChromeOS fixed proxy settings. |
| JumpCloud | Shell command payload for managed devices. |
| Shell | Manual fallback for devices without MDM. |
The payloads all use the same proxy shape:
text
https://<user-email>:<org-key>@ai.flowstate.incThe generated payload chooses the right user-email placeholder for the MDM tab you picked. Do not replace that placeholder with a single shared email; subject attribution depends on it being per device or per signed-in user.
Step 3 - Verify a device routes through the proxy
From a device with the payload applied, run a simple request through the proxy. For a manual check:
sh
export FLOWSTATE_PROXY='https://ai.flowstate.inc'
export FLOWSTATE_USER_EMAIL='person@example.com'
export FLOWSTATE_ORG_KEY='<the reveal-once org key>'
curl -sS -i \
--proxy "$FLOWSTATE_PROXY" \
--proxy-user "$FLOWSTATE_USER_EMAIL:$FLOWSTATE_ORG_KEY" \
https://api.openai.com/v1/models \
-H "Authorization: Bearer $OPENAI_API_KEY" \
| head -20A provider response, usually 200 or an upstream vendor auth error, proves the proxy path was used. A proxy auth error means Flowstate rejected the proxy credential before forwarding the request.
Step 4 - Confirm it in Flowstate
Within a few minutes:
- the connection status card moves from
Not configuredorPendingtoActive; First seenandLast capturetimestamps appear;- the current-month subject meter includes the user's email with request totals.
The subject meter is the Cloud Proxy's shipped customer-visible output. Detailed AI session content, prompt-quality scoring, and request-time policy blocking require the Flowstate Agent in the appropriate capture/enforcement mode.
Common Rollout Notes
- GUI apps often need to restart before they read new proxy environment variables.
- Some tools ignore
HTTP_PROXY/HTTPS_PROXY; they will not be metered by the Cloud Proxy unless they can be configured to use the system proxy. - Keep
NO_PROXYnarrow. A broad domain pattern can accidentally bypass the proxy for AI providers. - The Cloud Proxy does not replace provider billing connectors. Use Usage providers for invoice reconciliation.
Where to Go Next
- Troubleshooting - pending status, proxy auth errors, and bypass checks.
- Security and privacy - what the shipped Cloud Proxy stores.
- Telemetry keys - org key model and legacy per-user keys.