Ockam offers several pluggable enrollment protocols. This command allows project administrators to create a one-time enrollment ticket, and provide custom attributes, after they have run `ockam enroll`.
Once an administrator creates a ticket, with attributes, for a project, another device can use it later. When another device runs `ockam project enroll` with the ticket, they become a member of the project, and they get a credential at the end. As a member, they can request a credential whenever they need one. Credentials do not live forever, and expire.
The identity on another device has the credential from the project's membership authority. The credential contains the attributes that the ticket was created with, which are key value pairs that are attested by the project's membership authority.
The ticket is plain text representing a one-time use token and the non-sensitive data about the project, like the route to reach it, and some other information, which will be used to validate the project identity.
This command can also be used to enroll known identities directly, without creating a ticket, into a project using the `--member` option.