# Add a machine (/docs/getting-started/add-a-machine) Adding a second machine is the moment Bowline earns its keep. You install, log in, and approve once. Then the same `~/Code` tree is there, with the same projects, env, and in-progress work. This page walks through it. This guide assumes you already have one [trusted device](/docs/concepts/device-trust) running Bowline. ## 1. Install and log in on the new machine [#1-install-and-log-in-on-the-new-machine] On the new machine, [install Bowline](/docs/getting-started/installation) and log in with the same workspace root. ```bash title="Terminal" bowline login --root ~/Code ``` Logging in authenticates your account. The new machine is now signed in, but it can't decrypt your workspace yet. That's by design: account login and workspace decryption access are separate steps. ## 2. Request workspace access [#2-request-workspace-access] The new machine raises a Device Approval Request to ask for decryption access. Check it on the new machine: ```bash title="Terminal" bowline status ``` Bowline shows a short matching code on the new machine. You'll confirm that same code on a device you already trust, so you know exactly which machine you're letting in. ## 3. Approve from a trusted device [#3-approve-from-a-trusted-device] On a machine that's already trusted, list pending requests and approve the new one. Confirm the code shown on the new machine matches the one here. ```bash title="Terminal" bowline devices bowline approve ``` `bowline approve` grants the first pending request. To target a specific request, pass its ID: `bowline approve `. You can preview the change first with `--dry-run`. An approved device receives workspace-wide trust for the accepted `~/Code` root. Bowline doesn't make you manage per-project or per-path device permissions. Agent leases, not device trust, scope an agent's work. ## 4. Start working [#4-start-working] Back on the new machine, the workspace tree is now visible and projects hydrate on touch. Open a project and run it. ```bash title="Terminal" bowline status cd ~/Code/acme/web pnpm dev ``` Dependencies restore and env files materialize automatically, so your usual run command works without any per-machine setup. ## If no trusted device is available [#if-no-trusted-device-is-available] If you've lost access to every trusted device, you can still get in with a [Recovery Key](/docs/concepts/recovery). Follow [recover access to your workspace](/docs/guides/recovering-access). ## Removing a machine [#removing-a-machine] When you retire a machine, revoke its trust from another device so it can no longer decrypt the workspace. ```bash title="Terminal" bowline devices bowline revoke ``` Revoking trust stops future decryption on that device. It does not delete the project files already on machines that still have them. ## Next steps [#next-steps] * [Connect remote hosts](/docs/getting-started/connect-remote-hosts): bring up a remote host or agent box over SSH. * [Device trust](/docs/concepts/device-trust): the full trust model. * [Env sync](/docs/concepts/env-sync): how `.env` files follow your projects.