You are here: Home > API Reference > Windows > Enrollment Tokens > Create enrollment token for single user

Create enrollment token for single user

Required Permission: mdm.windows.enrollmentToken.create

Generate a new enrollment credential assigned to a specific user, optionally sending enrollment instructions via email with custom messaging and policy configuration.

POST
https://api.applivery.io/v1/organizations/{organizationId}/mdm/windows/enterprise/enrollment-tokens 
curl -X POST "https://api.applivery.io/v1/organizations/{organizationId}/mdm/windows/enterprise/enrollment-tokens" \
  -H "Authorization: Bearer <YOUR_API_KEY>" \
  -H "Content-Type: application/json" \
  -d '{
  "type": "object",
  "children": {
    "sendEmail": {},
    "displayName": {},
    "tags": {},
    "duration": {},
    "language": {},
    "emailText": {},
    "winPolicyId": {},
    "winPolicyAssignments": {},
    "segmentId": {}
  },
  "mdmUserId": "698efa6ed851667d9c0aec88"
}'
const response = await fetch("https://api.applivery.io/v1/organizations/{organizationId}/mdm/windows/enterprise/enrollment-tokens", {
  method: "POST",
  headers: {
    Authorization: "Bearer <YOUR_API_KEY>",
    "Content-Type": "application/json",
  },
  body: JSON.stringify({
    "type": "object",
    "children": {
      "sendEmail": {},
      "displayName": {},
      "tags": {},
      "duration": {},
      "language": {},
      "emailText": {},
      "winPolicyId": {},
      "winPolicyAssignments": {},
      "segmentId": {}
    },
    "mdmUserId": "698efa6ed851667d9c0aec88"
  }),
});

const data = await response.json();
import requests

response = requests.post(
    "https://api.applivery.io/v1/organizations/{organizationId}/mdm/windows/enterprise/enrollment-tokens",
    headers={"Authorization": "Bearer <YOUR_API_KEY>"},
    json={
      "type": "object",
      "children": {
        "sendEmail": {},
        "displayName": {},
        "tags": {},
        "duration": {},
        "language": {},
        "emailText": {},
        "winPolicyId": {},
        "winPolicyAssignments": {},
        "segmentId": {}
      },
      "mdmUserId": "698efa6ed851667d9c0aec88"
    },
)

data = response.json()

Request

Send your API key in the request header authorization
Example: Authorization: Bearer <token>

organizationId string
required
Match pattern: ^(([a-fA-F0-9]{24})|([a-zA-Z0-9\\-]{3,}))$

Body Params application/json
type string optional
object
children object optional
sendEmail object optional
type string optional
boolean
flags object optional
truthy boolean optional
falsy boolean optional
displayName object optional
type string optional
string
valids string optional
rules object optional
tags object optional
type string optional
array
flags object optional
items object optional
duration object optional
type string optional
number
flags object optional
invalids number optional
Format: float
null
rules object optional
language object optional
type string optional
string
flags object optional
valids string optional
es
invalids string optional
emailText object optional
type string optional
string
valids string optional
winPolicyId object optional
type string optional
string
valids string optional
rules object optional
winPolicyAssignments object optional
type string optional
array
flags object optional
items object optional
segmentId object optional
type string optional
number
flags object optional
invalids number optional
Format: float
null
rules object optional
mdmUserId string required
MDM user identifier establishing device ownership upon enrollment determining access permissions, policy scope, and administrative responsibility for enrolled endpoints.
Match pattern: ^[a-fA-F0-9]{24}$
{
    "type": "object",
    "children": {
        "sendEmail": {
            "type": "boolean",
            "flags": {
                "insensitive": true,
                "presence": "required"
            },
            "truthy": true,
            "falsy": true
        },
        "displayName": {
            "type": "string",
            "valids": "",
            "rules": {
                "name": "max",
                "arg": 128
            }
        },
        "tags": {
            "type": "array",
            "flags": {
                "sparse": true
            },
            "items": {
                "type": "string",
                "valids": "",
                "rules": {
                    "name": "max",
                    "arg": 128
                }
            }
        },
        "duration": {
            "type": "number",
            "flags": {
                "unsafe": true
            },
            "invalids": null,
            "rules": {
                "name": "integer"
            }
        },
        "language": {
            "type": "string",
            "flags": {
                "allowOnly": true
            },
            "valids": "es",
            "invalids": ""
        },
        "emailText": {
            "type": "string",
            "valids": ""
        },
        "winPolicyId": {
            "type": "string",
            "valids": "",
            "rules": {
                "name": "regex",
                "arg": {
                    "pattern": "string"
                }
            }
        },
        "winPolicyAssignments": {
            "type": "array",
            "flags": {
                "sparse": true
            },
            "items": {
                "type": "object",
                "children": {
                    "winPolicyId": {
                        "type": "string",
                        "invalids": "",
                        "rules": {
                            "name": "regex",
                            "arg": {
                                "pattern": "string"
                            }
                        }
                    },
                    "priority": {
                        "type": "number",
                        "flags": {
                            "unsafe": true,
                            "presence": "required"
                        },
                        "invalids": null,
                        "rules": {
                            "name": "integer"
                        }
                    }
                }
            }
        },
        "segmentId": {
            "type": "number",
            "flags": {
                "unsafe": true
            },
            "invalids": null,
            "rules": {
                "name": "integer"
            }
        }
    },
    "mdmUserId": "698efa6ed851667d9c0aec88"
}

Responses

200 Response application/json
status boolean optional
data object optional
id string optional
Unique enrollment token identifier assigned at creation used throughout platform for referencing token in device registration workflows, admin interfaces, and audit logs.
Match pattern: ^[a-fA-F0-9]{24}$
organizationId string optional
Organization workspace owning this token determining access permissions, billing attribution, and device association enabling multi-tenant isolation and administrative boundaries.
Match pattern: ^[a-fA-F0-9]{24}$
winEnterpriseId string optional
Windows enterprise configuration defining MDM server endpoints, authentication certificates, and enrollment protocols governing device registration and management communication.
Match pattern: ^[a-fA-F0-9]{24}$
winDeviceId string optional
Windows device completing enrollment using this token establishing ownership relationship and enabling tracking which tokens provisioned which devices for audit purposes.
Match pattern: ^[a-fA-F0-9]{24}$
mdmUser object optional
MDM user account receiving token ownership establishing device responsibility, determining permission scope, and enabling user-specific policy application and communication.
id string optional
MDM user account identifier linking enrolled devices to responsible individuals for ownership tracking and administrative accountability.
Match pattern: ^[a-fA-F0-9]{24}$
email string optional
User email address enabling enrollment invitation delivery, account identification, and serving as primary communication channel for device management notifications.
≤ 128 characters
displayName string optional
Human-readable token label appearing in administrative interfaces, email notifications, and management reports helping administrators identify token purpose and target users.
≤ 128 characters
tags array [string] optional
Classification tags automatically applied to enrolled devices enabling organizational grouping, policy targeting, and fleet segmentation for streamlined device management workflows.
state string optional
Token lifecycle status tracking usage and availability with PENDING indicating unused token, DONE after enrollment completion, DELETED when revoked, EXPIRED when time-limited validity elapsed.
PENDING DONE DELETED EXPIRED
config object optional
Platform-specific enrollment configuration parameters containing advanced settings, custom workflows, and integration options tailored to organizational deployment requirements.
type string optional
Token category classification determining enrollment workflow behavior, permission requirements, and processing logic differentiating standard enrollment from specialized provisioning scenarios.
≤ 128 characters
subType string optional
Token variant providing additional workflow context enabling fine-grained categorization and specialized handling for different enrollment scenarios within organization.
≤ 128 characters
updatedAt string optional
Most recent modification timestamp recorded in ISO-8601 format tracking configuration changes, policy updates, and administrative edits for audit compliance and change history.
Format: date-time
createdAt string optional
Token creation timestamp in ISO-8601 format marking generation moment used for calculating age, enforcing retention policies, and providing audit trail foundation.
Format: date-time
expireAt string optional
Token expiration timestamp blocking device enrollment after specified time enforcing time-limited provisioning for security compliance, null value indicating permanent validity without expiration.
Format: date-time
enrollmentLink string optional
Complete enrollment URL sent to end users via email or messaging enabling one-click device registration by embedding authentication credentials and configuration parameters.
≤ 500 characters
enrollCode string optional
Short alphanumeric code facilitating manual token entry during enrollment serving as accessible alternative when link clicking impractical or for phone-based configuration entry.
≤ 128 characters
winPolicyId string optional
Legacy single policy reference maintained for backward compatibility with deprecated enrollment workflows, superseded by winPolicyAssignments enabling multi-policy composition.
Match pattern: ^[a-fA-F0-9]{24}$
winPolicyAssignments array [object] optional
Policy composition assignments including full embedded policy objects with priority values enabling complete configuration preview and conflict resolution analysis.
winPolicyId string optional
Match pattern: ^[a-fA-F0-9]{24}$
winPolicy object optional
priority integer optional
≥ 0
summary object optional
Computed metadata aggregating token status information for UI display, dashboard visualization, and business logic evaluation without requiring field-by-field calculations.
expirationTimestamp string optional
Calculated expiration time combining creation timestamp and duration for streamlined validity checks and countdown displays in administrative interfaces.
Format: date-time
sendEmail boolean optional
Automated enrollment invitation email delivery flag triggering immediate notification to MDM user upon token creation containing enrollment instructions and access credentials.
emailText string optional
Custom message body embedded in enrollment invitation email providing personalized instructions, organizational context, and user-specific guidance enhancing onboarding experience.
segmentId integer optional
Segment identifier for scoping enrollment token into an specific segment
≥ 0
{
    "status": true,
    "data": {
        "id": "698efa6ed851667d9c0aec88",
        "organizationId": "698efa6ed851667d9c0aec88",
        "winEnterpriseId": "698efa6ed851667d9c0aec88",
        "winDeviceId": "698efa6ed851667d9c0aec88",
        "mdmUser": {
            "id": "698efa6ed851667d9c0aec88",
            "email": "[email protected]"
        },
        "displayName": "Engineering Laptop - John Doe",
        "tags": [
            "engineering",
            "laptop",
            "corporate"
        ],
        "state": "PENDING",
        "config": {},
        "type": "enrollment",
        "subType": "standard",
        "updatedAt": "2026-02-10T12: 00:00Z",
        "createdAt": "2026-01-15T09: 30:00Z",
        "expireAt": "2026-03-15T09: 30:00Z",
        "enrollmentLink": "https://mdm.company.com/enroll?token=abc123def456",
        "enrollCode": "ABC123",
        "winPolicyId": "698efa6ed851667d9c0aec88",
        "winPolicyAssignments": [
            {
                "winPolicyId": "698efa6ed851667d9c0aec88",
                "winPolicy": {
                    "id": "698efa6ed851667d9c0aec88",
                    "name": "Corporate Security Policy"
                },
                "priority": 100
            }
        ],
        "summary": {
            "expirationTimestamp": "2026-03-15T09: 30:00Z"
        },
        "sendEmail": true,
        "emailText": "Welcome to the corporate device management program. Click the link to enroll your device.",
        "segmentId": "1"
    }
}
400 Response application/json
status boolean optional
false
error object optional
code number optional
5145
message string optional
Error creating winEnrollmentToken
{
    "status": false,
    "error": {
        "code": 5050,
        "message": "Feature not allowed for you billing plan"
    }
}
401 Response application/json
status boolean optional
false
error object optional
code number optional
4004
message string optional
Invalid Token
{
    "status": false,
    "error": {
        "code": 4002,
        "message": "No auth token"
    }
}
404 Response application/json
status boolean optional
false
error object optional
code number optional
3001
message string optional
Entity not found
{
    "status": false,
    "error": {
        "code": 3001,
        "message": "Entity not found"
    }
}
Was this page helpful?