> Source: https://docs.nometa.az/v4.1.0/device-onboarding

# Device Onboarding

Each platform connects over its native API or SSH with a **read-only / least-privilege**
account. SAMURAI never makes configuration changes; it polls and reads. SSH device
commands are restricted to `show`.

| Platform | Connection | Account |
| --- | --- | --- |
| Cisco ACI (APIC) | HTTPS API | Read-only admin |
| Nexus Dashboard Orchestrator | HTTPS API | Read-only |
| Cisco FMC | HTTPS API | Read-only API user |
| Cisco FTD / ASA | SSH (CLISH) | Read-only |
| Cisco ISE | ERS / OpenAPI | Read-only ERS admin |
| Palo Alto | XML API | Read-only |
| FortiGate | REST API | Read-only |
| VMware vCenter | vSphere API | Read-only |
| Active Directory | LDAP | Bind account (paged read) |
| Routers / Switches | SSH | Privileged `show` access |
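
As an added illustration of the `show`-only restriction described above (this is not SAMURAI's code; the function names, the modifier list and the sample commands are assumptions constructed for this example), a collector can validate each command before it reaches the SSH session. The guard assumes Cisco IOS-style output modifiers and treats `| redirect`, `| tee` and `| append` as not read-only because they write output to a file or URL.

```python
import re

# Assumption: Cisco IOS-style output modifiers that only filter what is displayed.
# `redirect`, `tee` and `append` are left out because they write output elsewhere.
READ_ONLY_MODIFIERS = {"include", "exclude", "begin", "section", "count"}

# Control characters (newline, carriage return, tab, ...) and `;` can start a
# second command on an interactive session, so they are rejected outright.
_SEPARATORS = re.compile(r"[\x00-\x1f\x7f;]")


def is_show_only(command: str) -> bool:
    """Return True only for one `show` command using read-only output modifiers."""
    if _SEPARATORS.search(command):
        return False
    head, *modifiers = (part.split() for part in command.split("|"))
    # Require the full keyword so `do show`, `configure`, `copy` etc. never match.
    if not head or head[0].lower() != "show":
        return False
    # Fail closed: every piped segment must start with a known filter keyword.
    # A regex containing `|` (e.g. `include a|b`) is therefore rejected too.
    return all(m and m[0].lower() in READ_ONLY_MODIFIERS for m in modifiers)


def partition_commands(commands):
    """Split a polling job's command list into (allowed, rejected)."""
    allowed = [c for c in commands if is_show_only(c)]
    rejected = [c for c in commands if not is_show_only(c)]
    return allowed, rejected


# Constructed sample input, not taken from any real device or from SAMURAI.
SAMPLE = [
    "show version",
    "show running-config | include hostname",
    "show running-config | redirect tftp://192.0.2.10/cfg",
    "show clock ; reload",
    "show version\nconfigure terminal",
    "configure terminal",
]

if __name__ == "__main__":
    ok, bad = partition_commands(SAMPLE)
    print("allowed:", ok)
    print("rejected:", [repr(c) for c in bad])
```

A client-side check like this complements, and does not replace, the device-side account restrictions listed in the table.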

After adding a device, SAMURAI runs an initial sync and then re-syncs on a schedule
(configurable in **Settings**). For what each platform exposes once connected, see the
per-vendor [Device Panels](/v4.1.0/device-panels).

> Credentials are stored encrypted at rest (AES-256-GCM) and used read-only. Grant the
> account only the access listed above; SAMURAI never needs write or configuration rights.
