ockam_command 0.117.0

End-to-end encryption and mutual authentication for distributed applications.
Ockam offers several pluggable enrollment protocols.

You can use an enrollment ticket generated by `ockam project ticket` to enroll an identity, on a local machine, to a project. This is not only a simple option but also a great choice for enrolling large fleets of applications, services, or devices. It is also friendly to automated provisioning scripts and tools.

The ticket is plain text representing a one-time-use token and non-sensitive data about the project, such as the route to reach it and the project identity identifier, which is used to validate the project identity.

When another device runs `ockam project enroll` with the ticket, the ticket is exchanged for a credential, which the device receives at the end of enrollment. The identity on that device then has the credential in the project's membership authority. The credential contains the attributes that the ticket was created with, which are key-value pairs attested by the project's membership authority.
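
A simplified model of the ticket flow described above, added here as an illustration; it is not Ockam's code or wire format. The JSON ticket layout, all class and function names, the plain comparison used to validate the project identity, and the HMAC standing in for the authority's signature are assumptions.

```python
import hashlib, hmac, json, secrets

class MembershipAuthority:
    """Toy stand-in for a project's membership authority (assumed model)."""

    def __init__(self, route):
        self.route = route
        self.identifier = "I" + secrets.token_hex(8)  # constructed project identifier
        self._key = secrets.token_bytes(32)           # HMAC key stands in for a signing key
        self._pending = {}                            # one-time token -> attributes

    def ticket(self, attributes):
        """Issue a plain-text ticket: one-time token plus non-sensitive project data."""
        token = secrets.token_hex(16)
        self._pending[token] = dict(attributes)
        return json.dumps({"one_time_token": token, "route": self.route,
                           "project_identifier": self.identifier})

    def _attest(self, body):
        return hmac.new(self._key, body.encode(), hashlib.sha256).hexdigest()

    def enroll(self, token, identity):
        """Exchange a token for a credential; pop() makes the token single-use."""
        attributes = self._pending.pop(token, None)
        if attributes is None:
            raise PermissionError("unknown or already used ticket")
        body = json.dumps({"subject": identity, "attributes": attributes}, sort_keys=True)
        return {"body": body, "attestation": self._attest(body)}

    def verify(self, credential):
        """Check that the attributes are the ones this authority attested."""
        return hmac.compare_digest(self._attest(credential["body"]), credential["attestation"])

def enroll_with_ticket(ticket_text, identity, authority):
    """Enrollee side: validate the project identity, then redeem the token."""
    ticket = json.loads(ticket_text)
    if authority.identifier != ticket["project_identifier"]:
        raise PermissionError("project identity does not match the ticket")
    return authority.enroll(ticket["one_time_token"], identity)

if __name__ == "__main__":
    authority = MembershipAuthority("/project/example")   # constructed route
    ticket = authority.ticket({"component": "edge"})      # constructed attribute
    credential = enroll_with_ticket(ticket, "edge-device-1", authority)
    print(authority.verify(credential))
```

Redeeming the same ticket a second time raises `PermissionError`, and editing the attributes in the credential body makes `verify` return `False`.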

You can also choose to use Okta as an enrollment provider using `--okta`. This is a great choice for enrolling users without manual intervention (no need to manually provision tickets for each user). Workforce identities in Okta can be combined with application identities in Ockam for attribute-based access control of distributed applications.